url rewrite question on CSS

kirit_patel
Level 1

Folks

I have a customer who logs in to http://www.example.com . On this page they have a login icon, and when they click it the page is supposed to go to https://www.example.com . The redirect is done by the web server. The SSL termination is happening at the CSS. When they do that, the session hangs.

Is my config below OK, and is it not working because I don't have a rewrite rule?

content 204.62.45.33-443
  port 443
  protocol tcp
  application ssl
  add service ssl_module1
  vip address 204.62.45.33
  active

content 204.62.45.33-80
  vip address 204.62.45.33
  add service spdoteqweb1-21220
  advanced-balance sticky-srcip
  port 80
  protocol tcp
  add service spdoteqweb2-21220
  active

ssl-server 4 vip address 204.62.45.33
ssl-server 4 rsakey standardkey
ssl-server 4 rsacert standpoorcert

Don't I need a rewrite rule like the following to make it work:

ssl-server 4 urlrewrite 24 www.example.com

3 Replies

sachinga.hcl
Level 4

When an HTTP request from a client arrives, the CSS receives it and sends a redirect directive that makes the client use HTTPS.

1. Client -- HTTP --> CSS
2. CSS -- redirect directive --> Client
3. Client -- HTTPS --> CSS

This is what happens when a client connects to a Virtual IP (VIP) and the switch is configured to send a redirect back to the client. There are two different types of redirects on the Content Services Switch (CSS): a content rule redirect and a service redirect. These two types of redirects differ in the way they append information to the domain name, as well as in when they are applied to the traffic that hits the associated VIP.

Use a redirect in the content rule as the default action

!*************************** OWNER ***************************
owner XYZ-Sachin
  content 204.62.45.33-443
    port 80
    protocol tcp
    vip address 204.62.45.33
    url "/*"
    redirect "//www.example.com/"
    active

The client goes to www.example.com because any request to this VIP is redirected to the redirect string that is configured in the content rule. Notice that the /default.htm from the original request is not appended to the redirect string.

Use a service in the content rule as the default action

!************************** SERVICE **************************
service abcd
  ip address w.x.y.z
  keepalive type none
  type redirect
  redirect-string "www.example.com/"
  active

service regular-server1
  ip address 10.2.3.4
  active

service regular-server2
  ip address 10.2.3.5
  active

!*************************** OWNER ***************************
owner XYZ-Sachin
  content default-redirect
    vip address 204.62.45.33
    protocol tcp
    port 80
    url "/*"
    add service regular-server1
    add service regular-server2
    add service abcd
    active

In this example, there are three services in the content rule. Two of the services (regular-server1 and regular-server2) are the default type of local. The third service (abcd) is type redirect. The CSS behavior is to send all connections to local services if possible. This means that while any local service in a content rule is functional, the CSS does not send any traffic to the redirect service. Only in the event of all local services going down does the CSS ever use the redirect service.

******************

This configuration has the same result as using a redirect in the content rule as the default action. The client goes to www.example.com because any request to this VIP is redirected to the redirect string that is configured in the service.

Continued on page 2 in the next reply.

sachinga.hcl
Level 4

----page 2----->

So you need an additional configuration technique for that case as follows:

Use a service in the content rule as the default action

!************************** SERVICE **************************
service abcd
  ip address w.x.y.z
  keepalive type none
  type redirect
  no prepend-http
  domain https://www.example.com
  active

service regular-server1
  ip address e.f.g.h
  active

service regular-server2
  ip address i.j.k.l
  active

!*************************** OWNER ***************************
owner XYZ-Sachin
  content default-redirect
    vip address 204.62.45.33
    protocol tcp
    port 80
    url "/*"
    add service regular-server1
    add service regular-server2
    active

  content ssl-rule
    vip address 204.62.45.33
    protocol tcp
    port 80
    url "/*"
    add service abcd
    active

This example demonstrates a site that is required to operate over HTTPS exclusively. If a user comes into the site using HTTP, the CSS sends the user an HTTP redirect to come back in via HTTPS.

This example makes use of the domain and no prepend-http commands in the service.

The domain command replaces the domain portion of the original request with the domain specified in the service. It retains any URL (path and filename) information. This is useful when you need to redirect any request to a specific site, and need to preserve the requested filename.

By default, the CSS prepends http:// before any redirect it sends from a service. If you need to have the CSS prepend HTTPS://, then it needs to be entered on the domain line. When this is done, it is also necessary to turn on the default prepending string by issuing the no prepend-http command.

Hope this will bring some useful information to you regarding your case.

Still, if you want to discuss anything in this regard, kindly revert back to me.

I will be very happy if I can be of any further assistance.

Please do not hesitate to revert back any time.

Till then,

Kind Regards,

sachinga@hcl.in
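The two replies above describe three redirect styles whose difference is easy to lose in the CLI listings: a content-rule `redirect` and a service `redirect-string` send one fixed string (the requested path is dropped), a service `domain` keeps the path and file name, and the service prepends `http://` unless `no prepend-http` is set. The following Python model, written for this page and not taken from the thread or from Cisco, reproduces exactly that described behaviour so the Location headers for each style can be compared side by side. The class and function names, and the assumption that a forgotten `no prepend-http` places the literal `http://` in front of the configured `https://` domain, are mine.

```python
from dataclasses import dataclass
from typing import Optional

# Model of the three CSS redirect styles discussed in the replies above.
# Constructed illustration with hypothetical names; it is not CSS firmware
# code and only reproduces what the thread states: a content-rule `redirect`
# and a service `redirect-string` send a fixed string, a service `domain`
# keeps the requested path, and the service prepends "http://" unless
# `no prepend-http` is configured.


@dataclass(frozen=True)
class RedirectService:
    """Model of `service <name>` configured with `type redirect`."""
    name: str
    redirect_string: Optional[str] = None   # redirect-string "www.example.com/"
    domain: Optional[str] = None            # domain https://www.example.com
    prepend_http: bool = True               # default; `no prepend-http` clears it

    def location(self, request_path: str) -> str:
        """Value of the Location header the CSS would send for request_path."""
        prefix = "http://" if self.prepend_http else ""
        if self.domain is not None:
            # `domain` swaps the host part and retains the path and file name.
            return prefix + self.domain + request_path
        if self.redirect_string is not None:
            # `redirect-string` sends exactly the configured string; the
            # original path is dropped.
            return prefix + self.redirect_string
        raise ValueError(f"service {self.name} has no redirect target")


def content_rule_redirect(redirect_string: str, request_path: str) -> str:
    """`redirect "<string>"` inside a content rule: the request path is never
    appended, so every request to the VIP lands on the same string."""
    return redirect_string


def redirect_response(location: str) -> str:
    """A minimal HTTP 302 the CSS would return to the client (constructed)."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"


def https_only_location(request_path: str) -> str:
    """The working configuration from the reply: `domain https://...` with
    `no prepend-http`. Path and file name survive, and the scheme is https."""
    abcd = RedirectService("abcd", domain="https://www.example.com",
                           prepend_http=False)
    return abcd.location(request_path)


def forgotten_no_prepend_http(request_path: str) -> str:
    """Same service with prepend-http left at its default. In this model
    (an assumption, not a quoted CSS result) the literal "http://" lands in
    front of the configured domain, which is why the reply says the default
    prepend string must be switched off."""
    abcd = RedirectService("abcd", domain="https://www.example.com")
    return abcd.location(request_path)


if __name__ == "__main__":
    print(redirect_response(content_rule_redirect("//www.example.com/", "/default.htm")))
    svc = RedirectService("abcd", redirect_string="www.example.com/")
    print(redirect_response(svc.location("/default.htm")))
    print(redirect_response(https_only_location("/login.htm")))
    print(redirect_response(forgotten_no_prepend_http("/login.htm")))
```

Running the block prints the four 302 responses; only the `domain` plus `no prepend-http` form keeps `/login.htm` and lands on `https://`, which is the combination the original question needs for its login link.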

sachinga.hcl
Level 4

Page 3 --->

The Secure URL Rewrite feature prevents URL redirects and references from breaking or circumventing SSL sessions. This example uses the CLI. The same options are available in the GUI.

1. Open a management session with the device.

2. Enter Privileged, Configuration, and SSL Configuration modes:

SCA> enable
SCA# configure
(config[SCA])# ssl
(config-ssl[SCA])#

3. Enter Server Configuration mode for the server you wish to configure URL rewrites.

(config-ssl[SCA])# server myServer
(config-ssl-server[myServer])#

4. The urlrewrite command uses the following syntax:

urlrewrite domainName [sslport portid] [clearport portid] [redirectonly]

domainName - The domain or file identifier as a domain name, IP address, or path and file name. An * (asterisk) wildcard character can be used to specify more than one server in a single domain, e.g., "*.company.com".

sslport - Keyword identifying the specified port to be used for SSL traffic.

portid - A port identification for SSL traffic.

clearport - Keyword identifying the specific port to be used for clear text traffic.

portid - A port identification for clear text traffic.

redirectonly - A keyword used to indicate that only the "Location:" field in the HTTP 30x redirect header should be rewritten. This solves a common problem with Web servers using insecure HTTP 30x redirects.

Enter a URL rewrite rule for the http://www.example.com

(config-ssl-server[myServer])# urlrewrite www.example.com sslport 443

All references that pass through the device to http://www.example.com are rewritten to https://www.example.com.

To securely rewrite only 30x-series redirects (i.e., 302 or 304) referencing http:// rather than all instances of http:// (such as those that appear intentionally in the application data), use the redirectonly option. (This command must be entered on a single line.)

(config-ssl-server[myServer])# urlrewrite www.example2.com sslport 443 clearport 81 redirectonly

(for accessing http://www.example2.com:81)

5. A wildcard can be used to specify multiple SSL hosts in the same domain.

(config-ssl-server[myServer])# urlrewrite *.example3.com sslport 443 clearport 81

(for accessing http://www.example3.com:81)

Do not use *.com as a filter. The definition is too broad.

Wildcards should be used with care to avoid any unwanted rewriting of references.

6. To see the results of these URL rewrite rules in the server configuration, enter the following command. The results are presented below it.

(config-ssl-server[myServer])# show ssl server myServer
...
URL Rewrite:
Name               Clear Port   SSL Port   Redirect Only
__________________________________________________________________
www.example.com    443          81         No
www.example2.com   443          81         Yes
*.example3.com     443          81         No

Hope this will bring some useful information to you regarding your case.

Still, if you want to discuss anything in this regard, kindly revert back to me.

I will be very happy if I can be of any further assistance.

Please do not hesitate to revert back any time.

Till then,

Kind Regards,

sachinga@hcl.in
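The `urlrewrite` rules in this reply are easier to reason about with a small model of what the feature does to a response passing back through the SSL terminator: a plain rule rewrites every `http://host[:clearport]` reference it sees to `https://host[:sslport]`, while a `redirectonly` rule touches only the `Location:` header of a 30x response. The Python below is an added example written for this page, not Cisco code and not the device's algorithm; the sample HTTP response, the rule set (taken from the three rules shown above) and the helper names are constructed here. It assumes a default `clearport` of 80 and omits the port suffix when `sslport` is 443.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List

# Hypothetical model of the CSS/SCA "Secure URL Rewrite" rules described in
# the reply. Constructed for this page; it is not the device's code.


@dataclass(frozen=True)
class UrlRewriteRule:
    domain: str                 # e.g. "www.example.com" or "*.example3.com"
    sslport: int = 443          # sslport <portid>
    clearport: int = 80         # clearport <portid>; assumed default 80
    redirectonly: bool = False  # rewrite only Location: in 30x responses

    def matches_host(self, host: str) -> bool:
        # fnmatch gives the "*.example3.com" style wildcard from the reply.
        return fnmatch(host.lower(), self.domain.lower())


# The three rules entered in the reply (www.example2.com is redirectonly).
RULES: List[UrlRewriteRule] = [
    UrlRewriteRule("www.example.com", sslport=443),
    UrlRewriteRule("www.example2.com", sslport=443, clearport=81, redirectonly=True),
    UrlRewriteRule("*.example3.com", sslport=443, clearport=81),
]

# Matches "http://host" with an optional ":port"; the path is left untouched.
_HTTP_REF = re.compile(r"http://([A-Za-z0-9.\-]+)(?::(\d+))?", re.IGNORECASE)


def rewrite_references(text: str, rules: List[UrlRewriteRule]) -> str:
    """Rewrite every http:// reference in text that some rule claims."""
    def repl(match: "re.Match[str]") -> str:
        host, port = match.group(1), match.group(2)
        portnum = int(port) if port else 80
        for rule in rules:
            if rule.matches_host(host) and portnum == rule.clearport:
                suffix = "" if rule.sslport == 443 else f":{rule.sslport}"
                return f"https://{host}{suffix}"
        return match.group(0)          # no rule claimed it: leave as is
    return _HTTP_REF.sub(repl, text)


def apply_url_rewrite(raw_response: str, rules: List[UrlRewriteRule]) -> str:
    """Apply the rule set to one HTTP response (headers + body, CRLF framed).

    Location: in a 30x response is rewritten by all rules; every other header
    and the body is rewritten only by rules without redirectonly."""
    head, sep, body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    parts = status_line.split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    is_redirect = 300 <= status < 400
    full_rules = [r for r in rules if not r.redirectonly]

    out = [status_line]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if is_redirect and name.strip().lower() == "location":
            out.append(name + ":" + rewrite_references(value, rules))
        else:
            out.append(rewrite_references(line, full_rules))
    new_body = rewrite_references(body, full_rules) if body else body
    return "\r\n".join(out) + sep + new_body


# Constructed sample: a 302 from the web server plus an HTML body holding
# three references, only the first of which a non-redirectonly rule claims.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.example.com/login.htm\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="http://www.example.com/help">help</a> '
    '<a href="http://www.example2.com:81/x">x</a> '
    '<a href="http://www.example2.com/y">y</a>'
)


def demo() -> str:
    return apply_url_rewrite(SAMPLE_RESPONSE, RULES)


if __name__ == "__main__":
    print(demo())
```

In the sample output the `Location:` header becomes `https://www.example.com/login.htm`, the body link to `www.example.com` is upgraded, and the two `www.example2.com` links stay as they were: the first because its rule is `redirectonly`, the second because its port (80) does not match that rule's `clearport 81`. That is the distinction the reply draws between rewriting only insecure 30x redirects and rewriting every `http://` string in application data.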