Cisco ACE - http to https redirection of URL

Aug 19th, 2008

Hi all,

My customer got a strange requirement.

Whenever he accesses the website on http://, it should redirect to https:// automatically without the end user getting intimated. He doesn't want this to happen in the application-level coding; rather, he wants the ACE and FW to handle this.

I tried to redirect the port from 80 to 443 on the FWSM firewall and send the traffic to the VIP of the ACE on port 443; the ACE is not issuing a certificate in this case. But when I directly accessed the site with https://, the ACE is issuing the certificate.

I know that if I am doing port redirection it is still an http session only, but I heard that we can do some sort of URL redirection at the ACE level. How can I achieve this? I appreciate all your ideas.

With regards


Frederick Reimer Tue, 08/19/2008 - 05:31

You need to set up a redirect rserver and a redirect serverfarm, to redirect traffic going to port 80 on an IP address to another URL which is HTTPS (port 443). See here for an example:

rserver redirect SERVER1
  webhost-redirection 301

serverfarm redirect SFARM1
  rserver SERVER1

You would set up another VIP and serverfarm for tcp eq 443...

David Niemann Sun, 03/15/2009 - 14:01

I had this configured the same, but ran into users getting IE errors switching between secure and non-secure. I found a doc that recommended using the URL rewrite method instead to avoid the IE error, but can't come up with a wild card that works for rewriting any URL received as http to https.

Gilles Dufour (Cisco Employee) Tue, 03/17/2009 - 05:29

If your server has hardcoded some links, you will again switch to http and see the message secure/unsecure.

Same if the server has configured a redirect.

The redirect will again send the user to http.

The ssl header rewrite can only be done for the 2nd case where the server sends a redirect.

We can modify the redirect to point to https instead of http.

But for the first case, hardcoded links, there is nothing we can do.


David Niemann Tue, 03/17/2009 - 05:32

Does that mean there may be some hardcoded links on the servers that use http instead of https?

Gilles Dufour (Cisco Employee) Tue, 03/17/2009 - 05:58

You should sniff the traffic and decode it using the server private key with Wireshark to see what the server is doing.

If this is a redirect, we should be able to rewrite it.


David Niemann Tue, 03/17/2009 - 06:02

Thanks for the advice. I will do that and let you know the outcome. If it will require a rewrite, is there a way to use a wildcard to rewrite any http URLs to https?

Gilles Dufour (Cisco Employee) Tue, 03/17/2009 - 06:35

Yes, you can use a wildcard.

switch/Admin(config)# action-list type modify http SSL-Rewrite
switch/Admin(config-actlist-modify)# ssl url rewrite location .*
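
Added example, not part of the original thread and not Cisco code: a Python script that sorts decrypted server responses into the two cases discussed above, a server-issued redirect to http:// (which the Location rewrite can fix) versus http:// links hardcoded in the page (which it cannot). The sample responses, the hostname and the function names are constructed for illustration, and `rewritten` is a simplified model of the rewrite that only swaps the scheme.

```python
import re

# Constructed sample responses as seen on the server side, not from the thread.
REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.example.com/login\r\n"
    "Content-Length: 0\r\n\r\n"
)
HARDCODED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<html><img src="http://www.example.com/logo.png">'
    '<a href="https://www.example.com/cart">cart</a></html>'
)

# Attributes that make a browser load or follow a URL.
LINK_RE = re.compile(r'(?:href|src|action)\s*=\s*["\'](http://[^"\']+)', re.I)


def classify(raw):
    """Return (kind, url) findings for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    location = headers.get("location", "")
    if 300 <= status < 400 and location.lower().startswith("http://"):
        # Server-issued redirect back to http: the rewritable case.
        findings.append(("redirect", location))
    for url in LINK_RE.findall(body):
        # Link baked into the page body: needs a fix in the application.
        findings.append(("hardcoded", url))
    return findings


def rewritten(location):
    """Simplified model (assumption): the rewrite swaps http:// for https://."""
    return re.sub(r"^http://", "https://", location, flags=re.I)


if __name__ == "__main__":
    for raw in (REDIRECT, HARDCODED):
        for kind, url in classify(raw):
            print(kind, url, "->", rewritten(url) if kind == "redirect" else "app fix")
```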


