ACE - Http to https redirect

Apr 10th, 2009
Hello All

Here is the config:


access-list any line 8 extended permit icmp any any
access-list any line 16 extended permit ip any any

probe http web
  request method get url /index.html
  expect status 200 200

parameter-map type ssl tesstC
  cipher RSA_WITH_AES_128_CBC_SHA

rserver redirect REDIRECT-HTTPS
  webhost-redirection https://%h%p
  inservice
rserver host web1
  ip address 192.168.0.2
  inservice

ssl-proxy service testC
  key ca.key
  cert ca.crt
  ssl advanced-options tesstC

serverfarm redirect farm-https
  rserver REDIRECT-HTTPS
    inservice
serverfarm host webfarm
  probe web
  rserver web1 80
    inservice

class-map match-all CLASS-REDIRECT
  2 match virtual-address 10.1.1.1 tcp eq www
class-map type http loadbalance match-all L7web
  2 match http header Host header-value "dummy-host\.example\.com"
class-map type http loadbalance match-all L7web2
  2 match http header Host header-value "dummy-host2\.example\.com"
class-map match-all web
  2 match virtual-address 10.1.1.1 tcp eq https
class-map match-all web2
  2 match virtual-address 10.1.1.1 tcp eq www

policy-map type loadbalance http first-match POLICY-REDIRECT
  match test http url /*
  class class-default
    serverfarm farm-https
policy-map type loadbalance http first-match webl7policy
  class L7web
    serverfarm webfarm
policy-map type loadbalance http first-match webl7policy2
  class L7web2
    serverfarm webfarm

policy-map multi-match VIPs
  class web
    loadbalance vip inservice
    loadbalance policy webl7policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    ssl-proxy server testC
  class web2
    loadbalance vip inservice
    loadbalance policy webl7policy2
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
  class CLASS-REDIRECT
    loadbalance vip inservice
    loadbalance policy POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise active


It seems the ACE is not capable of handling the response on port 80 and the redirection from 80 to 443, even if the URL requested is different.

Connections to dummy-host2 shouldn't be redirected and should be served on port 80.


dario.didio Fri, 04/10/2009 - 06:48

Hi,


You will never reach the class CLASS-REDIRECT because you will have a match on web2. They both match on 10.1.1.1:80.


What are you exactly trying to accomplish?


If I'm correct:


Traffic to 10.1.1.1:443 will be balanced over serverfarm webfarm and decrypted if the HOST header-value contains dummy-host.example.com. What should be done if the VIP matches but the header doesn't?


Traffic to 10.1.1.1:80 will be balanced over serverfarm webfarm if the HOST header-value contains dummy-host2.example.com. What should be done if the VIP matches but the header doesn't?


Traffic to 10.1.1.1:80 will be redirected to 10.1.1.1:443.


Is this correct?

Mehdi_ab Fri, 04/10/2009 - 10:23
Hello

> You will never reach the class CLASS-REDIRECT because you will have a match on web2. They both match on 10.1.1.1:80.

There should be a match on "web2" only if the Host header-value contains dummy-host2.example.com; otherwise traffic will reach CLASS-REDIRECT.


So if you target http://dummy-host.example.com, you will be redirected to https://dummy-host.example.com. Working.


If you target https://dummy-host.example.com, then you will reach the right serverfarm. Same as the one above. Working.


If you target http://dummy-host2.example.com, you should reach the serverfarm and NOT be redirected to https://dummy-host2.example.com... which is happening right now. Not working.

dario.didio Mon, 04/13/2009 - 23:38

Hi,


If you want that to happen, I would do it like this:


Create a single policy-map for 10.1.1.1:80 and:

- when your URL contains dummy-host2.example.com, loadbalance over the serverfarm; ELSE, redirect it.

policy-map type loadbalance http first-match webl7policy2
  class L7web2
    serverfarm webfarm
  class class-default
    serverfarm farm-https

The class-default catches everything that the more specific class maps before it don't match.


HTH,

Dario
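As an added illustration of the two points in Dario's replies (this is not code from the thread or from the ACE itself): a small Python model of how the ordered class lookup in the multi-match policy "VIPs" and the first-match L7 policy decide where a request ends up. The tuple layout, the "first matching L3/L4 class wins" rule and treating the Host header match as a regex search are assumptions made for the model.

```python
import re

# Constructed model of the thread's policy evaluation (added example, not ACE code).
# Dario's fixed L7 policy "webl7policy2": an ordered list of
# (class name, Host header regex or None for class-default, action).
WEBL7POLICY2_FIXED = [
    ("L7web2", r"dummy-host2\.example\.com", ("serverfarm", "webfarm")),
    ("class-default", None, ("redirect", "https://%h%p")),
]

# The original "webl7policy2" from the question, which has no class-default.
WEBL7POLICY2_ORIGINAL = WEBL7POLICY2_FIXED[:1]

# The thread's multi-match policy "VIPs", in configured order:
# (L3/L4 class, VIP, TCP port, L7 loadbalance policy it hands off to).
VIPS = [
    ("web", "10.1.1.1", 443, "webl7policy"),
    ("web2", "10.1.1.1", 80, "webl7policy2"),
    ("CLASS-REDIRECT", "10.1.1.1", 80, "POLICY-REDIRECT"),
]


def select_l3l4_class(vips, dst_ip, dst_port):
    """Return the first L3/L4 class whose VIP and port match the connection.
    Assumption (Dario's reading): only the first matching class gets to apply
    its loadbalance action, so a later class on the same VIP:port is never hit."""
    for name, vip, port, l7_policy in vips:
        if vip == dst_ip and port == dst_port:
            return name, l7_policy
    return None, None


def expand_redirect(template, host, path):
    """Expand the webhost-redirection tokens %h (Host header) and %p (URL path)."""
    return template.replace("%h", host).replace("%p", path)


def first_match(policy, host, path):
    """Walk an L7 first-match policy top to bottom and return
    (class name, action kind, resolved target). Assumption: the Host regex is
    applied as a search, as 'match http header Host header-value' does."""
    for name, pattern, (kind, target) in policy:
        if pattern is None or re.search(pattern, host):
            if kind == "redirect":
                target = expand_redirect(target, host, path)
            return name, kind, target
    return None, "no-match", None
```

With the original policy a port-80 request for dummy-host.example.com lands on web2 and then matches nothing in webl7policy2, while with the class-default added it is redirected to https://dummy-host.example.com/index.html.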


