Cisco ACE - http to https redirection of URL

Unanswered Question
Aug 19th, 2008

Hi all,

My customer got a strange requirement.

Whenever he accesses the website on port http:// it should redirect to https:// automatically without the end user getting intimated. He doesn't want this to happen in the application-level coding; rather, he wants the ACE and FW to handle this.

I tried to redirect the port from 80 to 443 on the FWSM firewall and send the traffic to the VIP of the ACE on port 443; the ACE is not issuing a certificate in this case. But when I directly accessed the site with https:// then the ACE is issuing the certificate.

I know that if I am doing port redirection it is still an http session only, but I heard that we can do some sort of URL redirection at the ACE level. How can I achieve this? Appreciate all your ideas.

With regards

Parvees

Frederick Reimer Tue, 08/19/2008 - 05:31

You need to set up a redirect rserver and redirect serverfarm, to redirect traffic going to port 80 on an IP address to another URL which is HTTPS (port 443). See here for an example:

http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/rsfarms.html#wp1046009

rserver redirect SERVER1
  webhost-redirection https://192.168.120.132/redirect-100k.html 301
  inservice

serverfarm redirect SFARM1
  rserver SERVER1
    inservice

You would set up another VIP and serverfarm for 192.168.120.132 tcp eq 443...

David Niemann Sun, 03/15/2009 - 14:01

I had this configured the same, but ran into users getting IE errors switching between secure and non-secure. I found a doc that recommended using the URL rewrite method instead to avoid the IE error, but can't come up with a wild card that works for rewriting any URL received as http to https.

Gilles Dufour Tue, 03/17/2009 - 05:29

If your server has hardcoded some links, you will again switch to http and see the message secure/unsecure.

Same if the server has configured a redirect.

The redirect will again send the user to http.

The ssl header rewrite can only be done for the 2nd case where the server sends a redirect.

We can modify the redirect to point to https instead of http.

But for the first case, hardcoded links, there is nothing we can do.

Gilles.

David Niemann Tue, 03/17/2009 - 05:32

Does that mean there may be some hardcoded links on the servers that use http instead of https?

Gilles Dufour Tue, 03/17/2009 - 05:58

You should sniff the traffic and decode it using the server private key with Wireshark to see what the server is doing.

If this is a redirect, we should be able to rewrite it.

Gilles.

David Niemann Tue, 03/17/2009 - 06:02

Thanks for the advice. I will do that and let you know the outcome. If it will require a rewrite, is there a way to use a wildcard to rewrite any http URLs to https?

Gilles Dufour Tue, 03/17/2009 - 06:35

Yes, you can use a wildcard.

switch/Admin(config)# action-list type modify http SSL-Rewrite
switch/Admin(config-actlist-modify)# ssl url rewrite location .*

Gilles.
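The two cases distinguished in this thread (a server redirect back to http, which the Location rewrite can fix, and hardcoded http links, which it cannot) can be told apart from a decrypted capture with a small script. This is an added example, not code from the thread or from Cisco; the sample responses and the `classify` helper are constructed, and it assumes the expression given to `ssl url rewrite location` is matched against the host in the Location header.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses (not from the thread), as they would look
# after decrypting a capture of the traffic behind the HTTPS VIP.
REDIRECT_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.example.com/login\r\n"
    "Content-Length: 0\r\n\r\n"
)
HARDCODED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<html><img src="http://www.example.com/logo.png">'
    '<a href="https://www.example.com/cart">cart</a></html>'
)

# src/href/action attributes that carry an absolute http:// URL.
HTTP_LINK = re.compile(r'(?:src|href|action)\s*=\s*["\'](http://[^"\']+)', re.I)


def classify(raw_response, host_regex=".*"):
    """List what sends the client back to http and whether the ACE rewrite covers it."""
    head, _, body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    location = headers.get("location", "")
    if 300 <= status < 400 and location.lower().startswith("http://"):
        # Server-issued redirect: rewritable when the host matches the
        # expression (assumption: the match is against the Location host).
        host = urlsplit(location).hostname or ""
        fixable = re.fullmatch(host_regex, host) is not None
        findings.append(("redirect", location, fixable))
    for url in HTTP_LINK.findall(body):
        # Hardcoded link in the page body: has to be fixed on the server.
        findings.append(("hardcoded-link", url, False))
    return findings


if __name__ == "__main__":
    for name, raw in [("redirect", REDIRECT_RESPONSE), ("page", HARDCODED_RESPONSE)]:
        for kind, url, fixable in classify(raw):
            print(f"{name}: {kind} {url} ace_rewrite_fixes={fixable}")
```

Passing a narrower expression as `host_regex` shows which redirects a non-wildcard rewrite rule would leave untouched.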
