08-19-2008 03:40 AM
Hi all,
My customer has a strange requirement:
Whenever he accesses the website on port http://, it should redirect to https:// automatically without the end user being intimated. He doesn't want this to happen in the application-level coding; rather, he wants the ACE and FW to handle this.
I tried to redirect the port from 80 to 443 on the FWSM firewall and send the traffic to the VIP of the ACE on port 443; the ACE is not issuing a certificate in this case. But when I directly accessed the site with https://, the ACE is issuing the certificate.
I know that if I am doing port redirection it is still an HTTP session only, but I heard that we can do some sort of URL redirection at the ACE level. How can I achieve this? I appreciate all your ideas.
With regards,
Parvees
08-19-2008 05:31 AM
You need to set up a redirect rserver and redirect serverfarm to redirect traffic going to port 80 on an IP address to another URL which is HTTPS (port 443). See here for an example:
rserver redirect SERVER1
  webhost-redirection https://192.168.120.132/redirect-100k.html 301
  inservice
serverfarm redirect SFARM1
  rserver SERVER1
    inservice
You would set up another VIP and serverfarm for 192.168.120.132 tcp eq 443...
03-15-2009 02:01 PM
I had this configured the same, but ran into users getting IE errors switching between secure and non-secure. I found a doc that recommended using the URL rewrite method instead to avoid the IE error, but can't come up with a wildcard that works for rewriting any URL received as http to https.
03-17-2009 05:29 AM
If your server has hardcoded some links, you will again switch to http and see the message secure/unsecure.
Same if the server has configured a redirect.
The redirect will again send the user to http.
The ssl header rewrite can only be done for the 2nd case where the server sends a redirect.
We can modify the redirect to point to https instead of http.
But for the first case, hardcoded links, there is nothing we can do.
Gilles.
03-17-2009 05:32 AM
Does that mean there may be some hardcoded links on the servers that use http instead of https?
03-17-2009 05:58 AM
You should sniff the traffic and decode it using the server private key with Wireshark to see what the server is doing.
If this is a redirect, we should be able to rewrite it.
Gilles.
03-17-2009 06:02 AM
Thanks for the advice. I will do that and let you know the outcome. If it will require a rewrite, is there a way to use a wildcard to rewrite any HTTP URLs to HTTPS?
03-17-2009 06:35 AM
Yes, you can use a wildcard.
switch/Admin(config)# action-list type modify http SSL-Rewrite
switch/Admin(config-actlist-modify)# ssl url rewrite location .*
Gilles.
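
As an added example (not part of the thread and not Cisco code), the Python sketch below separates the two cases Gilles describes in a decoded server response: a redirect whose Location header points back to http, which a header rewrite can fix, and hardcoded http:// links in the page body, which it cannot. The sample responses, the host www.example.test and the function names are constructed for illustration, and rewrite_location only models the effect of the rewrite, not how the ACE implements it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample responses, as they might look after decoding a capture.
SAMPLE_REDIRECT = ("HTTP/1.1 302 Found\r\n"
                   "Location: http://www.example.test/account\r\n\r\n")
SAMPLE_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               '<a href="http://www.example.test/cart">Cart</a>'
               '<img src="/logo.png">'
               '<form action="http://www.example.test/search"></form>')

class LinkCollector(HTMLParser):
    """Collect absolute http:// URLs found in href, src and action attributes."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and (value or "").lower().startswith("http://"):
                self.links.append(value)

def classify_response(raw):
    """Report both downgrade cases for one decoded HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    location = headers.get("location", "")
    is_downgrade = status in (301, 302) and location.lower().startswith("http://")
    collector = LinkCollector()
    collector.feed(body)
    return {"redirect_to_http": location if is_downgrade else None,
            "hardcoded_http_links": collector.links}

def rewrite_location(location, host_regex=".*"):
    """Model of the header rewrite: http becomes https when the host matches."""
    parts = urlsplit(location)
    if parts.scheme != "http" or not parts.hostname or parts.port not in (None, 80):
        return location  # already https, no host, or a non-default port: leave untouched
    if not re.fullmatch(host_regex, parts.hostname):
        return location
    return parts._replace(scheme="https", netloc=parts.hostname).geturl()

if __name__ == "__main__":
    for name, raw in (("redirect", SAMPLE_REDIRECT), ("page", SAMPLE_PAGE)):
        print(name, classify_response(raw))
    print(rewrite_location("http://www.example.test/account"))
```

A non-empty hardcoded_http_links list means the secure/non-secure warning will persist after the header rewrite is in place, so those links have to be fixed on the server.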