ACE SSL url rewrite issue

May 7th, 2009

Hello


I've tried to configure the SSL url rewrite function in the ACE module.


I found in the config guide that it should only work when the location field in the HTTP redirect header matches the entry in the action-list type modify http.


What I found strange is that the ssl URL rewrite works even if I put any value in the action-list.


Does anybody know how it should really work?


Thanks in advance


Regards


Lucas

Gilles Dufour (Cisco Employee) Fri, 05/08/2009 - 00:34

switch/Admin(config-actlist-modify)# ssl url rewrite location ?

Enter URL expression for rewrite (Max Size - 255)



This command will tell ACE to inspect the server response, intercept the 30x redirect message, then match the Location field against the regular expression, and if there is a match, replace http:// with https://.


G.

lukaszkhalil Fri, 05/08/2009 - 02:14

That's what I found in the config guide, but I also found out that the regexp does not need to match the value in the Location field. Whatever I put in the URL expression lets me replace HTTP with HTTPS.

yves.haemmerli Wed, 05/20/2009 - 06:19

Hi,


What ACE module software version do you have? I have version A2(1.2) and I am experiencing exactly the opposite situation: the URL rewrite does not work at all. I tried several regular expressions, but without any success.


The only difference I have compared to the user guide is that the location header sent by the server is an IP address and not a DNS name...


In the config hereafter, I try to match everything in the Location field, so any 30x redirect will be rewritten to https. But it does not work. A more specific expression like 10\.56\.5\23 does not work either.


action-list type modify http SSL_REWRITE_CWI
  ssl url rewrite location ".*"

policy-map type loadbalance http first-match L7_POLICY_CWI_SSL
  class class-default
    sticky-serverfarm CWI_STICKY
    action SSL_REWRITE_CWI
    insert-http Source-IP header-value "%is"



Did you receive an answer for your problem?


Thanks,


Yves


Gilles Dufour (Cisco Employee) Wed, 05/20/2009 - 07:27

Yves,

make sure your server location header name is exactly "Location" (uppercase L and all other letters lower case).

Anything else will not work.


Gilles.

yves.haemmerli Wed, 05/20/2009 - 08:08

Hi Gilles,


Yes, I have seen a post on this topic and I confirm that the Location header in the redirection message from the server is correctly spelled.


I attach a picture from HTTPWatch on which you can see the 301 redirection (generating an error), followed by a GET in clear text, followed by a 302 redirection, which is my general http to https redirection configuration.


Note that I use a wildcard ".*" as URL matching criteria.


Here is my complete config for this service:


probe tcp CWI_PROBE
  interval 5
  passdetect interval 5
  passdetect count 2

action-list type modify http SSL_REWRITE_CWI
  ssl url rewrite location ".*"

rserver redirect CWI_SSL_REDIRECT
  description *** Redirects http to https ***
  webhost-redirection https://%h/%p 302
  inservice

rserver host HQCHVMWI01
  description *** Citrix Web Interface Server ***
  ip address 10.56.5.216
  inservice
rserver host HQCHVMWI02
  description *** Citrix Web Interface Server ***
  ip address 10.56.5.217
  inservice

ssl-proxy service SSL_CWI
  key myapps.nespresso.com_key.pem
  cert myapps.nespresso.com_cert.pem

serverfarm host CWI_FARM_PROD
  description *** Citrix Web Access Server farm ***
  probe CWI_PROBE
  rserver HQCHVMWI01 80
    inservice
  rserver HQCHVMWI02 80
    inservice

serverfarm redirect CWI_REDIRECT_FARM
  rserver CWI_SSL_REDIRECT
    inservice

sticky http-cookie STICKED-TO CWI_STICKY
  cookie insert browser-expire
  timeout 240
  replicate sticky
  serverfarm CWI_FARM_PROD

class-map match-all L4_CLASS_CWI_HTTP
  description *** Citrix Web INterface on port 80 ***
  2 match virtual-address 10.56.5.23 tcp eq www

class-map match-all L4_CLASS_CWI_HTTPS
  description *** Citrix Web Interface on port 443 ***
  2 match virtual-address 10.56.5.23 tcp eq https

class-map type http loadbalance match-any L7_CLASS_CWI
  2 match http url /.*

policy-map type loadbalance http first-match L7_POLICY_CWI
  class L7_CLASS_CWI
    serverfarm CWI_REDIRECT_FARM

policy-map type loadbalance http first-match L7_POLICY_CWI_SSL
  class class-default
    sticky-serverfarm CWI_STICKY
    insert-http Source-IP header-value "%is"

policy-map multi-match VIP_PROD
  class L4_CLASS_CWI_HTTPS
    loadbalance vip inservice
    loadbalance policy L7_POLICY_CWI_SSL
    loadbalance vip icmp-reply active
    nat dynamic 3 vlan 300
    ssl-proxy server SSL_CWI
  class L4_CLASS_CWI_HTTP
    loadbalance vip inservice
    loadbalance policy L7_POLICY_CWI
    loadbalance vip icmp-reply active

interface vlan 300
  description *** ACE Production Interface ***
  .
  .
  nat-pool 3 10.56.5.24 10.56.5.24 netmask 255.255.255.255 pat
  .
  .


I can see that the rewrite counter does not increment.



I have version A2(1.2) and did not find any referenced bug on this version, except the spelling one.


Thank you for any help


Yves




yves.haemmerli Wed, 05/20/2009 - 08:13

Gilles,


A cut and paste mistake in my previous append: the action-list IS applied on the L7 policy-map.


Here again is my config:


probe tcp CWI_PROBE
  interval 5
  passdetect interval 5
  passdetect count 2

action-list type modify http SSL_REWRITE_CWI
  ssl url rewrite location ".*"

rserver redirect CWI_SSL_REDIRECT
  description *** Redirects http to https ***
  webhost-redirection https://%h/%p 302
  inservice

rserver host HQCHVMWI01
  description *** Citrix Web Interface Server ***
  ip address 10.56.5.216
  inservice
rserver host HQCHVMWI02
  description *** Citrix Web Interface Server ***
  ip address 10.56.5.217
  inservice

ssl-proxy service SSL_CWI
  key myapps.nespresso.com_key.pem
  cert myapps.nespresso.com_cert.pem

serverfarm host CWI_FARM_PROD
  description *** Citrix Web Access Server farm ***
  probe CWI_PROBE
  rserver HQCHVMWI01 80
    inservice
  rserver HQCHVMWI02 80
    inservice

serverfarm redirect CWI_REDIRECT_FARM
  rserver CWI_SSL_REDIRECT
    inservice

sticky http-cookie STICKED-TO CWI_STICKY
  cookie insert browser-expire
  timeout 240
  replicate sticky
  serverfarm CWI_FARM_PROD

class-map match-all L4_CLASS_CWI_HTTP
  description *** Citrix Web INterface on port 80 ***
  2 match virtual-address 10.56.5.23 tcp eq www

class-map match-all L4_CLASS_CWI_HTTPS
  description *** Citrix Web Interface on port 443 ***
  2 match virtual-address 10.56.5.23 tcp eq https

class-map type http loadbalance match-any L7_CLASS_CWI
  2 match http url /.*

policy-map type loadbalance http first-match L7_POLICY_CWI
  class L7_CLASS_CWI
    serverfarm CWI_REDIRECT_FARM

policy-map type loadbalance http first-match L7_POLICY_CWI_SSL
  class class-default
    sticky-serverfarm CWI_STICKY
    action SSL_REWRITE_CWI
    insert-http Source-IP header-value "%is"

policy-map multi-match VIP_PROD
  class L4_CLASS_CWI_HTTPS
    loadbalance vip inservice
    loadbalance policy L7_POLICY_CWI_SSL
    loadbalance vip icmp-reply active
    nat dynamic 3 vlan 300
    ssl-proxy server SSL_CWI
  class L4_CLASS_CWI_HTTP
    loadbalance vip inservice
    loadbalance policy L7_POLICY_CWI
    loadbalance vip icmp-reply active

interface vlan 300
  description *** ACE Production Interface ***
  .
  .
  nat-pool 3 10.56.5.24 10.56.5.24 netmask 255.255.255.255 pat
  .
  .


yves.haemmerli Thu, 05/21/2009 - 00:26

Hi Gilles,


May I ask you if you found something wrong in my SSL rewrite configuration above? I tested with other match criteria, but it definitely does not work. I also did not find any related bug in the bug toolkit (except the one with the header spelling).


Would it maybe be possible that SSL rewrite is incompatible with source-IP insert?



policy-map type loadbalance http first-match L7_POLICY_CWI_SSL
  class class-default
    sticky-serverfarm CWI_STICKY
    action SSL_REWRITE_CWI
    insert-http Source-IP header-value "%is"



Thank you for your help


Yves


sachinga.hcl (Silver, 250 points or more) Thu, 05/21/2009 - 05:05

Hi Yves,



Kindly send me the output of the following command:


host1/Admin# show parameter-map OPTIMIZE_PARAM_MAP


Kindly see the following url for my other postings:


http://boardreader.com/fp/Cisco_Systems_Networking_Profe_309110/Application_Networking_543840.html#hot_threads



Kindly refer following example:


Configure ACE with SSL Termination and URL Rewrite


http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml



Kind regards


Sachinga.hcl

Gilles Dufour (Cisco Employee) Thu, 05/21/2009 - 07:20

Yves,


everything looks good.

Can you try without the insert header?

I'll give it a try myself if I find some time tomorrow.


G.

yves.haemmerli Thu, 05/21/2009 - 07:38

Gilles,


Yes, I will ask the customer to make the test tomorrow and let you know the result. If by chance you can do the test also, it's great.


Thank you for your help


Yves

yves.haemmerli Tue, 05/26/2009 - 22:34

Gilles,


We tested the SSL rewrite by removing the source-IP insert, but the problem remains the same.


BUT, we discovered a strange thing: with Firefox, it works, the ACE correctly changes the Location tag from http to https and the rewrite counter increments. But with Microsoft IE, it does not...


This sounds strange because the URL rewrite occurs on the server response, not on the browser request.


I plan to trace the packet coming in and going out of the ACE to see what the problem could be.


Do you have any idea on this?


Thank you


Yves

Gilles Dufour (Cisco Employee) Tue, 05/26/2009 - 23:48

Yves,


very weird.

But IE is known to do strange stuff.


If you could capture a trace and check with Wireshark and the server private key (to decode the https traffic) what the response from ACE is, that would help.


Everything looks good in my lab.


G.

yves.haemmerli Thu, 06/04/2009 - 05:10

Hi Gilles,


After several traces and analysis, I found the problem of the SSL rewrite not working with IE.


With Firefox, each GET request establishes a new SSL session and therefore the ACE starts a new load balancing evaluation. In this case, SSL rewrite works well. With IE however, several GET requests are sent in the same TCP session (actually a better method). But in this case, we HAVE TO enable persistence-rebalance to force the ACE to re-evaluate each request for load balancing, else the SSL rewrite does not work. As I use sticky with a cookie, this does not cause a problem.


So, I added the following configuration and everything works fine now:


parameter-map type http CWI_HTTP_PARAM
  persistence-rebalance

policy-map multi-match VIP_PROD
  class L4_CLASS_CWI_HTTPS
    loadbalance vip inservice
    loadbalance policy L7_POLICY_CWI_SSL
    loadbalance vip icmp-reply active
    nat dynamic 3 vlan 300
    appl-parameter http advanced-options CWI_HTTP_PARAM
    ssl-proxy server SSL_CWI



Yves
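As an added illustration (not code from this thread, from Cisco, or from the ACE itself), the following Python model ties together the two behaviours the thread describes: Gilles's explanation at the top (inspect the server response, act only on 30x redirects, match the Location value against the configured regular expression, swap http:// for https://, and only honour a header spelled exactly "Location"), and Yves's finding at the end (on a keep-alive connection only the first request goes through the L7 policy unless persistence-rebalance is enabled). The sample responses are constructed; applying the regex with search semantics and the exact-case header check are assumptions that model what the posts state, not a reproduction of ACE's implementation.

```python
import re
from typing import List, Tuple

# Constructed sample server responses (illustrative, not captured from the
# thread's ACE). The Location value is an IP address, as in Yves's setup.
REDIRECT_301 = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://10.56.5.23/Citrix/AccessPlatform/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# Same redirect with the header name in a different case: per Gilles, the
# ACE only acts on the exact spelling "Location" (modelled as an assumption).
REDIRECT_LOWER = REDIRECT_301.replace(b"Location:", b"location:")
# A plain 200 response carries no redirect and must pass through untouched.
OK_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (3\d\d) ")


def rewrite_redirect(raw: bytes, location_regex: str) -> Tuple[bytes, bool]:
    """Model of `ssl url rewrite location <regex>` on one server response.

    Returns the (possibly rewritten) response and whether a rewrite happened.
    Assumptions, not ACE's actual code: the regex is applied with search
    semantics, and only a header spelled exactly "Location" is honoured.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not STATUS_LINE.match(lines[0]):
        return raw, False  # not a 30x redirect: nothing to rewrite
    pattern = re.compile(location_regex)
    out = [lines[0]]
    changed = False
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name == b"Location" and not changed:
            url = value.strip().decode("latin-1")
            if pattern.search(url) and url.lower().startswith("http://"):
                url = "https://" + url[len("http://"):]
                line = b"Location: " + url.encode("latin-1")
                changed = True
        out.append(line)
    return b"\r\n".join(out) + sep + body, changed


def location_of(raw: bytes) -> str:
    """Return the Location value of a response (any header-name case), or ''."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.lower() == b"location":
            return value.strip().decode("latin-1")
    return ""


def process_connection(responses: List[bytes], location_regex: str,
                       persistence_rebalance: bool) -> Tuple[List[bytes], int]:
    """Model of one persistent TCP connection carrying several responses.

    Without persistence-rebalance only the first request on the connection
    is evaluated by the L7 policy (and so by the action-list); with it every
    request is re-evaluated, which is what Yves needed for IE's keep-alive
    behaviour. Returns the forwarded responses and the rewrite counter.
    """
    forwarded, counter = [], 0
    for index, response in enumerate(responses):
        if index == 0 or persistence_rebalance:
            response, changed = rewrite_redirect(response, location_regex)
            counter += int(changed)
        forwarded.append(response)
    return forwarded, counter


if __name__ == "__main__":
    # Firefox-like: one request per SSL session, so every redirect is rewritten.
    firefox = sum(process_connection([REDIRECT_301], ".*", False)[1] for _ in range(3))
    # IE-like: three requests reuse one connection.
    _, ie_default = process_connection([REDIRECT_301] * 3, ".*", False)
    _, ie_rebalance = process_connection([REDIRECT_301] * 3, ".*", True)
    print("firefox rewrites:", firefox)                     # 3
    print("ie without persistence-rebalance:", ie_default)  # 1
    print("ie with persistence-rebalance:", ie_rebalance)   # 3
```

The rewrite counter in the model is the analogue of the counter Yves watched on the ACE: with three redirects on one keep-alive connection it reads 1 without persistence-rebalance and 3 with it, which is the symptom the thread reports for IE versus Firefox.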
