URL redirection on https with CSS

Answered Question
Jan 17th, 2008

Hi,


We want to achieve the URL redirection in such a way that, when a user types https://192.168.10.171, it should get redirected to the full URL https://192.168.10.171/uat/servlet/BrowserServlet


I tried searching the web, I could find some configurations for http to https redirection but that could not help me..


Below is the existing configuration of the CSS

=========================================

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list UAT
  ssl-server 1
  ssl-server 1 rsakey BMKEYFILE
  ssl-server 1 vip address 192.168.10.171
  ssl-server 1 cipher rsa-export1024-with-rc4-56-sha 192.168.10.171 80 weight 10
  ssl-server 1 cipher rsa-with-3des-ede-cbc-sha 192.168.10.171 80 weight 9
  ssl-server 1 cipher rsa-with-rc4-128-sha 192.168.10.171 80 weight 8
  ssl-server 1 cipher rsa-with-rc4-128-md5 192.168.10.171 80 weight 7
  ssl-server 1 rsacert BMORIGCERTFILE
  active

!************************** SERVICE **************************
service SSLMOD
  type ssl-accel
  slot 4
  keepalive type none
  add ssl-proxy-list UAT
  active

service UAT-1
  ip address 192.168.10.6
  port 80
  protocol tcp
  redundant-index 1
  keepalive type tcp
  keepalive port 9080
  active

service UAT-2
  port 80
  protocol tcp
  redundant-index 2
  ip address 192.168.10.86
  keepalive type tcp
  keepalive port 9080
  active

service UAT-3
  ip address 192.168.10.8
  port 80
  protocol tcp
  redundant-index 3
  keepalive port 9080
  keepalive type tcp
  active

!*************************** OWNER ***************************
owner BMAPP-CBS

  content CBS-UAT
    vip address 192.168.10.171
    add service UAT-1
    add service UAT-2
    add service UAT-3
    protocol tcp
    port 80
    url "/*"
    redundant-index 101
    advanced-balance sticky-srcip
    active

  content SSL-CBS-UAT
    application ssl
    protocol tcp
    port 443
    vip address 192.168.10.171
    add service SSLMOD
    active

!*************************** GROUP ***************************
group SourceNAT
  vip address 192.168.10.171
  add destination service UAT-1
  add destination service UAT-2
  add destination service UAT-3
  redundant-index 201
  active

=========================================


Can someone give some inputs to achieve this...


Regards

Overall Rating: 4.5 (2 ratings)
Correct Answer
Diego Vargas Thu, 01/17/2008 - 07:31
User Badges: Cisco Employee

Hi,


You are already doing SSL termination for VIP 192.168.10.171.


There is no way to redirect https traffic since it is encrypted, but you can configure the redirect for a clear text rule that is going to be matched once the traffic is decrypted.


For instance, you can configure the content rule with url "/*" to send a redirect to https://192.168.10.171/uat/servlet/BrowserServlet and remove the services from there.

Then you create another, more specific rule with the services added, matching traffic going to URL /uat/servlet/BrowserServlet.



Something like this:


content CBS-UAT
  vip address 192.168.10.171
  add service UAT-1
  add service UAT-2
  add service UAT-3
  protocol tcp
  port 80
  url "/uat/servlet/BrowserServlet"
  redundant-index 102
  advanced-balance sticky-srcip
  active

content CBS-UAT-redirect
  vip address 192.168.10.171
  protocol tcp
  port 80
  url "/*"
  redundant-index 101
  redirect "https://192.168.10.171/uat/servlet/BrowserServlet"
  active


The traffic going to https://192.168.10.171 will be decrypted, then redirected to https://192.168.10.171/uat/servlet/BrowserServlet, decrypted again and finally balanced.


Hope it helps!!
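
The design in this answer only works if the redirect target is caught by the more specific rule; if it fell back to the "/*" rule, the decrypted request would be redirected again and the browser would loop. A small check of that property follows as an added example (not part of the original thread and not Cisco tooling). The matching model (exact URL or trailing "*", longest match wins) and all function names are assumptions, and SAMPLE is a constructed reduction of the two rules above.

```python
from urllib.parse import urlsplit

# Constructed input: the answer's two content rules, reduced to the keys used here.
SAMPLE = """
content CBS-UAT
  vip address 192.168.10.171
  add service UAT-1
  url "/uat/servlet/BrowserServlet"
content CBS-UAT-redirect
  vip address 192.168.10.171
  url "/*"
  redirect "https://192.168.10.171/uat/servlet/BrowserServlet"
"""

def parse_rules(text):
    """Collect name, VIP, URL pattern, redirect target and services per content rule."""
    rules = []
    for words in filter(None, map(str.split, text.splitlines())):
        if words[0] == "content":
            rules.append({"name": words[1], "vip": None, "url": "/*",  # no url: catch-all (assumed)
                          "redirect": None, "services": []})
        elif rules and words[:2] == ["vip", "address"]:
            rules[-1]["vip"] = words[2]
        elif rules and words[:2] == ["add", "service"]:
            rules[-1]["services"].append(words[2])
        elif rules and words[0] in ("url", "redirect"):
            rules[-1][words[0]] = words[1].strip('"')
    return rules

def best_match(rules, vip, path):
    """Assumed model: exact URL or trailing-'*' prefix; the longest pattern wins."""
    hits = [r for r in rules if r["vip"] == vip and
            (path.startswith(r["url"][:-1]) if r["url"].endswith("*") else path == r["url"])]
    return max(hits, key=lambda r: (len(r["url"].rstrip("*")), not r["url"].endswith("*")),
               default=None)

def check_redirects(text):
    """Return {redirect rule: verdict} by following each redirect target once."""
    rules, out = parse_rules(text), {}
    for r in (r for r in rules if r["redirect"]):
        target = urlsplit(r["redirect"])
        m = best_match(rules, target.hostname, target.path or "/")
        if m is None:
            out[r["name"]] = "leaves this configuration"
        elif m["redirect"]:
            out[r["name"]] = "loop: target matches redirect rule " + m["name"]
        else:
            out[r["name"]] = "served by " + m["name"]
    return out
```

Running `check_redirects` on a configuration that has only the "/*" redirect rule reports the loop, which is the case the second, more specific rule exists to prevent.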

rv_viji Fri, 01/18/2008 - 05:56

Hi,


Excellent, thanks a lot.


It worked.


Regards
