ACE - Http to https redirect

Unanswered Question
Apr 10th, 2009

Hello All

Here is the config:

access-list any line 8 extended permit icmp any any

access-list any line 16 extended permit ip any any

probe http web

request method get url /index.html

expect status 200 200

parameter-map type ssl tesstC

cipher RSA_WITH_AES_128_CBC_SHA

rserver redirect REDIRECT-HTTPS

webhost-redirection https://%h%p

inservice

rserver host web1

ip address 192.168.0.2

inservice

ssl-proxy service testC

key ca.key

cert ca.crt

ssl advanced-options tesstC

serverfarm redirect farm-https

rserver REDIRECT-HTTPS

inservice

serverfarm host webfarm

probe web

rserver web1 80

inservice

class-map match-all CLASS-REDIRECT

2 match virtual-address 10.1.1.1 tcp eq www

class-map type http loadbalance match-all L7web

2 match http header Host header-value "dummy-host\.example\.com"

class-map type http loadbalance match-all L7web2

2 match http header Host header-value "dummy-host2\.example\.com"

class-map match-all web

2 match virtual-address 10.1.1.1 tcp eq https

class-map match-all web2

2 match virtual-address 10.1.1.1 tcp eq www

policy-map type loadbalance http first-match POLICY-REDIRECT

match test http url /*

class class-default

serverfarm farm-https

policy-map type loadbalance http first-match webl7policy

class L7web

serverfarm webfarm

policy-map type loadbalance http first-match webl7policy2

class L7web2

serverfarm webfarm

policy-map multi-match VIPs

class web

loadbalance vip inservice

loadbalance policy webl7policy

loadbalance vip icmp-reply active

loadbalance vip advertise active

ssl-proxy server testC

class web2

loadbalance vip inservice

loadbalance policy webl7policy2

loadbalance vip icmp-reply active

loadbalance vip advertise active

class CLASS-REDIRECT

loadbalance vip inservice

loadbalance policy POLICY-REDIRECT

loadbalance vip icmp-reply active

loadbalance vip advertise active

It seems the ACE is not capable of handling the response on port 80 and the redirection from 80 to 443 even if the url requested is different.

Connections to host-dummy2 shouldn't be redirected and should be served on port 80.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
dario.didio Fri, 04/10/2009 - 06:48

Hi,

you will never reach the class CLASS-REDIRECT because you will have a match on web2. They both match on 10.1.1.1:80.

What are you exactly trying to accomplish?

If I'm correct:

Traffic to 10.1.1.1:443 will be balanced over serverfarm webfarm and decrypted if the HOST header-value contains dummy-host.example.com. What should be done if the VIP matches but the header doesn't?

Traffic to 10.1.1.1:80 will be balanced over serverfarm webfarm if the HOST header-value contains dummy-host2.example.com. What should be done if the VIP matches but the header doesn't?

Traffic to 10.1.1.1:80 will be redirected to 10.1.1.1:443.

Is this correct?

Mehdi_ab Fri, 04/10/2009 - 10:23

Hello

>>you will never reach the class CLASS-REDIRECT because you will have a match on web2. They both match on 10.1.1.1:80.

There should be a match on "web2" only if Host header-value contains dummy-host2.example.com else traffic will reach CLASS-REDIRECT.

So if you target http://dummy-host.example.com, you will be redirected to https://dummy-host.example.com. Working.

If you target https://dummy-host.example.com, then you will reach the right serverfarm. Same as the one above. Working.

If you target http://dummy-host2.example.com, you should reach the serverfarm and NOT be redirected to https://dummy-host2.example.com... which is happening right now. Not working

dario.didio Mon, 04/13/2009 - 23:38

Hi,

If you want that to happen, I would do it like this:

create a single policy-map for 10.1.1.1:80 and:

- when your URL contains dummy-host2.example.com, loadbalance over the serverfarm, ELSE, redirect it.

policy-map type loadbalance http first-match webl7policy2

class L7web2

serverfarm webfarm

class class-default

serverfarm farm-https

The class-default catches everything the more specific class maps in before it don't match.

HTH,

Dario

Actions

This Discussion