07-29-2008 02:51 PM
Folks
I have a customer who logs in to http://www.example.com. On this page they have a login icon, and when they click it the page is supposed to go to https://www.example.com. The redirect is
done by the web server. SSL termination is happening at the CSS. When they do that, the session hangs.
Is my config below OK, and is it not working because I don't have a rewrite rule?
content 204.62.45.33-443
  port 443
  protocol tcp
  application ssl
  add service ssl_module1
  vip address 204.62.45.33
  active

content 204.62.45.33-80
  vip address 204.62.45.33
  add service spdoteqweb1-21220
  advanced-balance sticky-srcip
  port 80
  protocol tcp
  add service spdoteqweb2-21220
  active

ssl-server 4 vip address 204.62.45.33
ssl-server 4 rsakey standardkey
ssl-server 4 rsacert standpoorcert
Don't I need a rewrite rule like the following to make it work?
ssl-server 4 urlrewrite 24 www.example.com
07-29-2008 09:58 PM
When an HTTP request from the client arrives, the CSS receives it and sends the client a redirect that tells it to use HTTPS:
1. Client -- HTTP --> CSS
2. CSS -- redirect --> Client
3. Client -- HTTPS --> CSS
This is what happens when a client connects to a Virtual IP (VIP) and the switch is configured to send a redirect back to the client. There are two different types of redirects on the Content Services Switch (CSS): a content rule redirect and a service redirect. The two differ in the way they append information to the domain name, as well as in when they are applied to the traffic that hits the associated VIP.
Use a redirect in the content rule as the default action
!*************************** OWNER ***************************
owner XYZ-Sachin
  content 204.62.45.33-443
    port 80
    protocol tcp
    vip address 204.62.45.33
    url "/*"
    redirect "//www.example.com/"
    active
The client goes to www.example.com because any request to this VIP is redirected to the redirect string that is configured in the content rule. Notice that the /default.htm from the original request is not appended to the redirect string.
Use a service in the content rule as the default action
!************************** SERVICE **************************
service abcd
  ip address w.x.y.z
  keepalive type none
  type redirect
  redirect-string "www.example.com/"
  active
service regular-server1
  ip address 10.2.3.4
  active
service regular-server2
  ip address 10.2.3.5
  active
!*************************** OWNER ***************************
owner XYZ-Sachin
  content default-redirect
    vip address 204.62.45.33
    protocol tcp
    port 80
    url "/*"
    add service regular-server1
    add service regular-server2
    add service abcd
    active
In this example, there are three services in the content rule. Two of the services (regular-server1 and regular-server2) are the default type of local. The third service (abcd) is type redirect. The CSS behavior is to send all connections to local services if possible. This means that while any local service in a content rule is functional, the CSS does not send any traffic to the redirect service. Only in the event of all local services going down does the CSS ever use the redirect service.
******************
This configuration has the same result as using a redirect in the content rule as the default action. The client goes to www.example.com because any request to this VIP is redirected to the redirect string that is configured in the service.
Continue---to--Page2--> next reply
07-29-2008 09:59 PM
----page 2----->
So you need an additional configuration technique for that case as follows:
Use a service in the content rule as the default action
!************************** SERVICE **************************
service abcd
  ip address w.x.y.z
  keepalive type none
  type redirect
  no prepend-http
  domain https://www.example.com
  active
service regular-server1
  ip address e.f.g.h
  active
service regular-server2
  ip address i.j.k.l
  active
!*************************** OWNER ***************************
owner XYZ-Sachin
  ! HTTPS side: the site's real servers. This rule listens on 443; on port 80 it
  ! would have the same match criteria (VIP, protocol, port, url) as ssl-rule below.
  content default-redirect
    vip address 204.62.45.33
    protocol tcp
    port 443
    url "/*"
    add service regular-server1
    add service regular-server2
    active
  ! HTTP side: every request on port 80 is answered with a redirect to https://
  content ssl-rule
    vip address 204.62.45.33
    protocol tcp
    port 80
    url "/*"
    add service abcd
    active
This example demonstrates a site that is required to operate over HTTPS exclusively. If a user comes into the site using HTTP, the CSS sends the user an HTTP redirect to come back in via HTTPS.
This example makes use of the domain and no prepend-http commands in the service.
The domain command replaces the domain portion of the original request with the domain specified in the service. It retains any URL (path and filename) information. This is useful when you need to redirect any request to a specific site, and need to preserve the requested filename.
By default, the CSS prepends http:// before any redirect it sends from a service. If you need to have the CSS prepend HTTPS://, then it needs to be entered on the domain line. When this is done, it is also necessary to turn on the default prepending string by issuing the no prepend-http command.
Hope this brings you some useful information regarding your case.
If you still want to discuss anything in this regard, kindly revert back to me.
I will be very happy to be of any further assistance.
Please do not hesitate to revert back any time.
Till then,
Kind Regards,
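The redirect forms described in the two replies above (content-rule `redirect`, a `type redirect` service with `redirect-string`, and a service with `domain` plus `no prepend-http`), plus the rule that a redirect service is only used once every local service is down, modelled as an added Python example. This is not CSS configuration and not code from the original posts; it reproduces the behaviour the replies describe so the resulting Location targets can be compared. The request targets are constructed sample input, and the assumption that the CSS completes a `//host/` redirect string with `http:` is not stated on the page. The last call in the `__main__` section shows the failure mode behind the `no prepend-http` remark: because the CSS prepends `http://` by default, a `domain https://...` without `no prepend-http` yields a Location of `http://https://...`.

```python
"""Model of the CSS redirect forms described in the replies above.

Added example in Python, not CSS configuration.  Assumed: a "//host/"
redirect string is completed with "http:"; the request targets below are
constructed sample input.
"""
from typing import Optional, Sequence, Tuple
from urllib.parse import urlsplit


def content_rule_redirect(request_target: str, redirect_string: str) -> str:
    """`redirect "//www.example.com/"` inside a content rule.

    The client is sent to the configured string as-is; the path of the
    original request (request_target, e.g. "/default.htm") is not appended.
    Assumption: a "//host/" string is completed with "http:".
    """
    if redirect_string.startswith("//"):
        return "http:" + redirect_string
    return redirect_string


def service_redirect(request_target: str, *, redirect_string: Optional[str] = None,
                     domain: Optional[str] = None, prepend_http: bool = True) -> str:
    """`type redirect` service semantics.

    redirect-string  fixed target; the original path is discarded.
    domain           replaces scheme and host of the request, keeps path/query.
    prepend-http     on by default: "http://" is put in front of whatever the
                     service produces.  `no prepend-http` turns that off so the
                     scheme written in `domain https://...` is sent unchanged.
    """
    if (redirect_string is None) == (domain is None):
        raise ValueError("configure exactly one of redirect_string or domain")
    target = redirect_string if redirect_string is not None else domain + request_target
    # Modelled literally so the misconfiguration is visible: with prepend-http
    # still on, `domain https://...` yields "http://https://..." in Location.
    return ("http://" + target) if prepend_http else target


def is_https_redirect(location: str) -> bool:
    """Check a practitioner would run on the Location header: an absolute
    https:// URL with a host, i.e. a redirect that lands on the SSL VIP."""
    parts = urlsplit(location)
    return parts.scheme == "https" and bool(parts.hostname)


def choose_service(services: Sequence[Tuple[str, str, bool]]) -> Optional[str]:
    """Service selection inside one content rule: local services are used
    while any is up; the `type redirect` service only when all are down.
    services: (name, "local" | "redirect", is_up).  Returns the chosen name."""
    local_up = [name for name, kind, up in services if kind == "local" and up]
    if local_up:
        return local_up[0]  # the real CSS balances among the live local services
    redirects = [name for name, kind, _ in services if kind == "redirect"]
    return redirects[0] if redirects else None


if __name__ == "__main__":
    request = "/login.asp?user=alice"  # constructed sample request target
    print(content_rule_redirect(request, "//www.example.com/"))
    print(service_redirect(request, redirect_string="www.example.com/"))
    print(service_redirect(request, domain="https://www.example.com", prepend_http=False))
    print(service_redirect(request, domain="https://www.example.com"))  # no prepend-http forgotten
    print(choose_service([("regular-server1", "local", False),
                          ("regular-server2", "local", False),
                          ("abcd", "redirect", True)]))
```

Only the `domain` form keeps the requested path, so a login link that lands on `/login.asp` over HTTP comes back as `https://www.example.com/login.asp`; the two fixed-string forms always send the client to the site root.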
07-29-2008 10:00 PM
Page 3 --->
The Secure URL Rewrite feature prevents URL redirects and references from breaking or circumventing SSL sessions. This example uses the CLI. The same options are available in the GUI.
1. Open a management session with the device.
2. Enter Privileged, Configuration, and SSL Configuration modes:
SCA> enable
SCA# configure
(config[SCA])# ssl
(config-ssl[SCA])#
3. Enter Server Configuration mode for the server you wish to configure URL rewrites.
(config-ssl[SCA])# server myServer
(config-ssl-server[myServer])#
4. The urlrewrite command uses the following syntax (the parameters are those described below):
urlrewrite domainName sslport portid [clearport portid] [redirectonly]
  domainName    The domain or file identifier as a domain name, IP address, or path and file name. An * (asterisk) wild card character can be used to specify more than one server in a single domain, e.g., "*.company.com".
  sslport       Keyword identifying the specified port to be used for SSL traffic.
  portid        A port identification for SSL traffic.
  clearport     Keyword identifying the specific port to be used for clear text traffic.
  portid        A port identification for clear text traffic.
  redirectonly  Keyword used to indicate that only the "Location:" field in the HTTP 30x redirect header should be rewritten. This solves a common problem with Web servers using insecure HTTP 30x redirects.
Enter a URL rewrite rule for http://www.example.com:
(config-ssl-server[myServer])# urlrewrite www.example.com sslport 443
All references that pass through the device to http://www.example.com are rewritten to https://www.example.com.
To securely rewrite only 30x-series redirects (i.e., 302 or 304) referencing http:// rather than all instances of http:// (such as those that appear intentionally in the application data), use the redirectonly option. (This command must be entered on a single line.)
(config-ssl-server[myServer])# urlrewrite www.example2.com sslport 443 clearport 81 redirectonly
(for accessing http://www.example2.com:81)
5. A wildcard can be used to specify multiple SSL hosts in the same domain.
(config-ssl-server[myServer])# urlrewrite *.example3.com sslport 443 clearport 81
(for accessing http://www.example3.com:81)
Do not use *.com as a filter; the definition is too broad.
Wildcards should be used with care to avoid any unwanted rewriting of references.
6. To see the results of these URL rewrite rules in the server configuration, enter the following command. The results are presented below it.
(config-ssl-server[myServer])# show ssl server myServer
...
URL Rewrite:
  Name                 Clear Port   SSL Port   Redirect Only
  __________________________________________________________
  www.example.com      443          81         No
  www.example2.com     443          81         Yes
  *.example3.com       443          81         No
Hope this brings you some useful information regarding your case.
If you still want to discuss anything in this regard, kindly revert back to me.
I will be very happy to be of any further assistance.
Please do not hesitate to revert back any time.
Till then,
Kind Regards,
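The three `urlrewrite` rules entered in the reply above, modelled as an added Python example so their effect on a server response can be seen without an SCA. This is not SCA code and not from the original post. Rule matching follows the parameter descriptions on the page; the following are assumptions: `*` matches any non-empty run of host characters, a reference is rewritten only when its port equals the rule's clear port (80 when none is given), the SSL port is omitted from the rewritten URL when it is 443, and `redirectonly` confines a rule to the `Location:` header of 30x responses. The responses fed in are constructed samples. The `*.com` check in the `__main__` section shows why the reply warns against that filter.

```python
"""Model of the SCA `urlrewrite` rules from the reply above.

Added example in Python, not SCA code.  Assumptions: '*' matches any host
string, a reference on the rule's clear port is rewritten to https:// on the
rule's SSL port (omitted when 443), and `redirectonly` limits the rule to the
Location header of 30x responses.  Responses below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UrlRewriteRule:
    domain: str                 # "www.example.com" or "*.example3.com"
    sslport: int = 443
    clearport: int = 80
    redirectonly: bool = False

    def matches(self, host: str) -> bool:
        # Assumption: '*' stands for any non-empty run of host characters.
        pattern = re.escape(self.domain).replace(r"\*", r"[^/]+")
        return re.fullmatch(pattern, host, re.IGNORECASE) is not None


# The three rules entered in the reply above.
RULES: List[UrlRewriteRule] = [
    UrlRewriteRule("www.example.com", sslport=443),
    UrlRewriteRule("www.example2.com", sslport=443, clearport=81, redirectonly=True),
    UrlRewriteRule("*.example3.com", sslport=443, clearport=81),
]

# An http:// reference: host, optional :port, optional path (stops at quotes, space, tags).
HTTP_REF = re.compile(r"http://([A-Za-z0-9.-]+)(?::(\d+))?(/[^\s\"'<>]*)?")


def rewrite_reference(text: str, rules: List[UrlRewriteRule], *, in_redirect: bool) -> str:
    """Rewrite every http:// reference in `text` that some rule covers."""
    def repl(m):
        host, port, path = m.group(1), int(m.group(2) or 80), m.group(3) or ""
        for rule in rules:
            if not rule.matches(host) or port != rule.clearport:
                continue
            if rule.redirectonly and not in_redirect:
                continue        # only the 30x Location header is rewritten
            ssl = "" if rule.sslport == 443 else f":{rule.sslport}"
            return f"https://{host}{ssl}{path}"
        return m.group(0)       # no rule applies: leave the reference alone
    return HTTP_REF.sub(repl, text)


def rewrite_response(status: int, headers: Dict[str, str], body: str,
                     rules: List[UrlRewriteRule]) -> Tuple[Dict[str, str], str]:
    """Apply the rules to one server response passing through the SCA."""
    headers = dict(headers)
    if 300 <= status <= 399 and "Location" in headers:
        headers["Location"] = rewrite_reference(headers["Location"], rules, in_redirect=True)
    body = rewrite_reference(body, rules, in_redirect=False)
    return headers, body


if __name__ == "__main__":
    # Constructed sample: an insecure 302 from a back-end web server.
    hdrs, _ = rewrite_response(302, {"Location": "http://www.example2.com:81/login"}, "", RULES)
    print(hdrs["Location"])
    # Constructed sample page body mixing references covered by different rules.
    _, page = rewrite_response(200, {}, (
        '<a href="http://www.example.com/docs">docs</a> '
        '<a href="http://www.example2.com:81/help">help</a> '
        '<a href="http://intranet.example3.com:81/x">intranet</a> '
        '<a href="http://www.example3.com/y">clear</a>'), RULES)
    print(page)
    # The filter the reply warns against: it covers every .com host.
    print(UrlRewriteRule("*.com").matches("www.unrelated.com"))
```

In the sample body only the first and third links change: the `www.example2.com` rule is `redirectonly`, so its reference in page data is left alone (the intentional case the reply mentions), and `www.example3.com/y` is on port 80, not the rule's clear port 81.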