
Http URL/path rewrite

mferrando
Level 1

I need to use the URL rewrite feature (convert from http to https).

Our goal is to convert a specific http response that includes a path to the same URL but using the https protocol.

The server response is: http://portal.pippo.com/guest/login

I want the ACE to send the following:

https://portal.pippo.com/guest/login.

(ACE is doing SSL offload)


Only this page or all the /guest path need to be secured with SSL, all the other pages under portal.pippo.com must remain http.


I know the manual says that URL rewrite is applicable only to a pure URL (without path).

Do you have any suggestion on how to implement this?

Many thanks in advance.

Maurizio

2 Accepted Solutions

sachinga.hcl
Level 4

Hi MAURIZIO,

You have to create a Layer 7 HTTP server load-balancing class map, which contains match criteria that classify specific Layer 7 network traffic. You create a Layer 7 server load-balancing class map based on HTTP cookies, HTTP headers, HTTP URLs, protocol header fields, or source IP addresses.

The Layer 7 HTTP server load balancing has regular expression matching against the received packet data from a particular connection based on the HTTP URL string.

Before doing this you have to create a Layer 3/4 class map in which you can nest the Layer 7 class map.

Layer 7 Load-Balancing Example

• Load balances traffic to the SPORTS-SERVER and NEWS-SERVER server farms based on the following criteria:

  - HTTP header and header value expression

  - URL expression

• Classifies the 3-tuple flow of the VIP address, protocol, and port as matching criteria for server load balancing

• Utilizes an HTTP parameter map to enable HTTP persistence

Perform the following steps:

Step 1 Create a Layer 7 class map that defines an HTTP header and header value expression string and URL expression for load balancing to the SPORTS-SERVER server farm.

host1/Admin(config)# class-map type http loadbalance match-all SPORTS-MAP_CLASS

host1/Admin(config-cmap-http-lb)# match http header host header-value .*test.com

host1/Admin(config-cmap-http-lb)# match http url /sports/

host1/Admin(config-cmap-http-lb)# exit

Step 2 Create a Layer 7 class map that defines a URL expression for load balancing to the NEWS-SERVER serverfarm.

host1/Admin(config)# class-map type http loadbalance NEWS-MAP_CLASS

host1/Admin(config-cmap-http-lb)# match http url /news/

host1/Admin(config-cmap-http-lb)# exit

Step 3 Create a Layer 7 server load-balancing policy by entering the following commands:

host1/Admin(config)# policy-map type loadbalance first-match L7_SLB_POLICY

host1/Admin(config-pmap-lb)# class SPORTS-MAP_CLASS

host1/Admin(config-pmap-lb-c)# serverfarm SPORTS-SERVER

host1/Admin(config-pmap-lb-c)# exit

host1/Admin(config-pmap-lb)# class NEWS-MAP_CLASS

host1/Admin(config-pmap-lb-c)# serverfarm NEWS-SERVER

host1/Admin(config-pmap-lb-c)# exit

host1/Admin(config-pmap-lb)# class class-default

host1/Admin(config-pmap-lb-c)# serverfarm SERVER-HANDLE-ALL

host1/Admin(config-pmap-lb-c)# exit

host1/Admin(config-pmap-lb)# exit

host1/Admin(config)#

Step 4 Create a Layer 3 and Layer 4 class map that classifies the 3-tuple flow of the VIP address, protocol, and port as matching criteria for server load balancing by entering the following commands:

host1/Admin(config)# class-map L4_SLBVIP_CLASS

host1/Admin(config-cmap)# match virtual-address 192.168.5.10 tcp port eq 80

host1/Admin(config-cmap)# exit

host1/Admin(config)#

Step 5 Create an HTTP parameter map to enable HTTP persistence by entering the following commands:

host1/Admin(config)# parameter-map type http HTTP_PARAMETER_MAP

host1/Admin(config-parammap-http)# persistent-rebalance

host1/Admin(config-parammap-http)# exit

host1/Admin(config)#

Step 6 Create a Layer 3 and Layer 4 policy map to activate the traffic classifications outlined in the previous steps by entering the following commands:

host1/Admin(config)# policy-map multi-match L4_SLB_POLICY

host1/Admin(config-pmap)# class L4_SLBVIP_CLASS

host1/Admin(config-pmap-c)# loadbalance policy L7_SLB_POLICY

host1/Admin(config-pmap-c)# loadbalance vip inservice

host1/Admin(config-pmap-c)# appl-parameter http advanced-options HTTP_PARAMETER_MAP

host1/Admin(config-pmap-c)# exit

host1/Admin(config-pmap)# exit

host1/Admin(config)#

Step 7 Apply the completed policies to interface VLAN 10 by entering the following commands:

host1/Admin(config)# interface VLAN 10

host1/Admin(config-if)# service-policy input L4_SLB_POLICY

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/administration/guide/mapolcy.html#wp1256712


Use the ssl url rewrite location command. SSL URL rewrite changes the redirect URL from http:// to https:// in the Location response header from the server before sending the response to the client. By doing so, it allows you to avoid nonsecure HTTP redirects because all client connections to the web server will be SSL, thus ensuring the secure delivery of HTTPS content back to the client. Use the no form of this command to remove the SSL rewrite specification from the configuration.

ssl url rewrite location expression [sslport number1] [clearport number2]

no ssl url rewrite location expression [sslport number1] [clearport number2]

Usage Guidelines

After you create an action list and configure an HTTP redirect URL for SSL, you must associate the action list with a Layer 3 and Layer 4 policy map. For details, see the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.

Examples

To specify SSL URL rewrite using the default SSL port of 443 and clear port of 80, enter:

host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST

host1/Admin(config-actlist-modify)# ssl url rewrite location www.website.com

In this case, the ACE rewrites all HTTP redirects to http://www.website.com/ as https://www.website.com/ and forwards them to the client.

Use the following URLs:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/actnlist.html#wpxref82197

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/actnlist.html#wp1041777

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml

Regards

sachin


3 Replies

Sachin, I implemented the solution:

I configured an L7 class map to intercept the specific page and used a serverfarm redirect to get the client to use https instead of http.

The ssl url rewrite is used only for http redirect messages coming from the server for SSL sessions terminated on the ACE.

For requests coming in as normal http, it does not work (no action takes place).

Thanks for your help.

Regards, Maurizio
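
The two mechanisms discussed in this thread, modelled in Python as an added example (not code from the posters or from Cisco, and not ACE configuration): a path-scoped redirect for clear-text requests, and the Location header rewrite applied to server redirects on SSL-terminated sessions. The function names, the 302 status, the `/guest` pattern and the use of Python regex full-matching on the host are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed pattern for "only /guest must be secured"; everything else stays http.
SECURE_PATH = re.compile(r"/guest(/.*)?")


def redirect_for_request(scheme, host, path):
    """Model of the L7 class map plus redirect serverfarm: clear-text requests
    for the secured path get a redirect to https; anything else returns None."""
    if scheme == "http" and SECURE_PATH.fullmatch(path):
        return 302, f"https://{host}{path}"
    return None


def rewrite_location(status, headers, expression, sslport=443, clearport=80):
    """Model of 'ssl url rewrite location': change http:// to https:// in the
    Location header of a server redirect whose host matches `expression`."""
    location = headers.get("Location")
    if not (300 <= status < 400) or location is None:
        return headers  # not a redirect, so there is nothing to rewrite
    url = urlsplit(location)
    if url.scheme != "http" or not url.hostname:
        return headers
    if not re.fullmatch(expression, url.hostname):
        return headers  # redirect to a host outside the rewrite expression
    if (url.port or 80) != clearport:
        return headers  # only the configured clear-text port is rewritten
    port = "" if sslport == 443 else f":{sslport}"
    target = f"https://{url.hostname}{port}{url.path}"
    if url.query:
        target += "?" + url.query
    return {**headers, "Location": target}


# Constructed sample: the server redirect quoted in the original question.
SERVER_REDIRECT = {"Location": "http://portal.pippo.com/guest/login",
                   "Content-Length": "0"}
EXPR = r"portal\.pippo\.com"

if __name__ == "__main__":
    print(rewrite_location(302, SERVER_REDIRECT, EXPR)["Location"])
    print(redirect_for_request("http", "portal.pippo.com", "/guest/login"))
    print(redirect_for_request("http", "portal.pippo.com", "/news/index.html"))
```

The model makes the last reply's observation concrete: the header rewrite only acts on redirect responses, so a client that arrives over plain http for `/guest` is moved to https only by the separate request-side redirect.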