Solved: Ace appending HTTP Link

james_46 · ‎09-15-2008

Hi guys,

Have an issue with a new ACE install. In the process of logging a TAC but will try here first.

It would seem like the ACE is prepending a http link with more information than required.

This is a log from a connection going straight to backend server:

128.27.6.84 - - [12/Sep/2008:17:12:33 +0100] "GET /gw/webacc?Provider.name=GWXMLV&GWXMLV.Action=Logout&User.context=ir4uu5Phdtt8fn6Mu1&merge=webacc HTTP/1.1" 302 -

This is the log going through the ACE, same at the start then adds additional info:

128.27.6.84 - - [12/Sep/2008:17:10:51 +0100] "GET /gw/webacc?Provider.name=GWXMLV&GWXMLV.Action=Logout&User.context=cweqz5Phcri4gg6Oqb&merge=webacc HTTP/1.1" 302 - "https://x.x.x.x/gw/webacc?Provider.name=GWXMLV&User.context=cweqz5Phcri4gg6Oqb&merge=GWXMLV/caption_mail" "Mozilla/5.0 (X11; U; Linux i686

(x86_64); en-GB; rv:1.8.1.16) Gecko/20080716 SUSE/2.0.0.16-0.4 Firefox/2.0.0.16

Anyone see this before? And how do i resolve it

Regards

James

Gilles Dufour · ‎09-16-2008

James,

I realised I don't have your config, so I'm not sure you terminate SSL on your ACE module.

Is this SSL frontend and HTTP backend ?

In this case, you should try the url rewrite config as mentioned before.

Try :

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/ssl/guide/terminat.html#wp1129314

If you are doing something different, we'll need more details and a sniffer trace.

Gilles.

View solution in original post

Gilles Dufour · ‎09-15-2008

James,

The log says in both case you receive a 302 response from the server.

This is a redirect.

A redirect always include a location.

Your log simply shows the location when going through ACE.

This information is not added by ACE.

It comes directly from the server.

Not sure why it is not showing in first case.

If there is a concern, you need to capture a frontend and backend sniffer trace.

Use the private key to decode the frontend.

Gilles.

james_46 · ‎09-15-2008

Gilles,

Strange why it only shows when we go through the VIP then.

The Server we are testing from is in the DMZ on the client side of the ACE but in the same Subnet. ACE is in bridged mode, i wonder if this is maybe causing an issue? I would like to see it removed from there and a true test completed from outside the DMZ.

James

Gilles Dufour · ‎09-15-2008

Actually, I have to correct what I said.

What you see is the Apache log which has the format :

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined

CustomLog log/acces_log combined

So the link that you see is the Referer.

This is still set by the server.

I believe it is set because the server name does not match the hostname in the url.

Not exactly sure, but this is not done by ACE.

If you just don't want to see it in your log, modify the log format inside your Apache config file.

Gilles.

james_46 · ‎09-15-2008

Gilles,

Thanks again for taking the time to reply.

The reason we were checking the log is because the link does not work when going via the ACE and works when you go straight to the Server. This what we seen in the log and thought it was the issue. This is the only link that fails but can't find the reason why

James

james_46 · ‎09-16-2008

Gilles,

Do you suggest upgrading the software on the ACE, i am currently running Version A1(8.0a) [build 3.0(0)A1(8.0a)

James

Gilles Dufour · ‎09-16-2008

The response is apparently a redirect from the log.

So, do you have the urlrewrite command to change the location field from http to https ?

You will need a sniffer trace to see what is going on.

Gilles.

james_46 · ‎09-16-2008

Gilles,

I don't have a urlrewrite command, i wasn't aware it was required for the return traffic.

Any notes for setting this up?

James

Gilles Dufour · ‎09-16-2008

James,

I realised I don't have your config, so I'm not sure you terminate SSL on your ACE module.

Is this SSL frontend and HTTP backend ?

In this case, you should try the url rewrite config as mentioned before.

Try :

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/ssl/guide/terminat.html#wp1129314

If you are doing something different, we'll need more details and a sniffer trace.

Gilles.

james_46 · ‎09-16-2008

Gilles,

Yes it is SSL frontend and HTTP backend.

I discovered that link and in the process of trying it.

Thanks again for pointing me in the right direction, i'll let you know how it goes.

James

james_46 · ‎09-19-2008

Gilles,

I now have this issue resolved, i applied a url re-write at the backend to handle the url redirect

Thanks for your help

James