05-07-2009 10:41 AM
Hello
I've tried to configure the SSL URL rewrite function in the ACE module.
I found in the config guide that it should only work when the location field in the HTTP redirect header matches the entry in the action-list type modify http.
What I found strange is that the SSL URL rewrite works even if I put any value in the action-list.
Does anybody know how it should really work?
Thanks in advance
Regards
Lucas
05-08-2009 12:34 AM
switch/Admin(config-actlist-modify)# ssl url rewrite location ?
This command will tell ACE to inspect the server response, intercept 30x redirect message, then match the location field based on the regular expression, and if there is a match, replace http:// with https://
G.
05-08-2009 02:14 AM
That's what I found in the config guide, but I also found out that the regexp does not need to match the value in the location field. Whatever I put in the URL expression lets me replace HTTP with HTTPS.
05-20-2009 06:19 AM
Hi,
What ACE module software version do you have? I have version A2(1.2) and I am experiencing exactly the opposite situation: the URL rewrite does not work at all. I tried several regular expressions, but without any success.
The only difference I have compared to the user guide is that the location header sent by the server is an IP address and not a DNS name...
In the config hereafter, I try to match everything in the location field, so any 30x redirect will be rewritten to https. But it does not work. A more specific expression like 10\.56\.5\23 does not work either.
action-list type modify http SSL_REWRITE_CWI
  ssl url rewrite location ".*"
policy-map type loadbalance http first-match L7_POLICY_CWI_SSL
  class class-default
    sticky-serverfarm CWI_STICKY
    action SSL_REWRITE_CWI
    insert-http Source-IP header-value "%is"
Did you receive an answer for your problem?
Thanks,
Yves
05-20-2009 07:27 AM
Yves,
make sure your server location header name is exactly "Location" (uppercase L and all other letters lower case).
Anything else will not work.
Gilles.
05-20-2009 08:08 AM
Hi Gilles,
Yes, I have seen a post on this topic and I confirm that the Location header in the redirection message from the server is correctly spelled.
I attach a picture from HTTPWatch in which you can see the 301 redirection (generating an error), followed by a GET in clear text, followed by a 302 redirection, which is my general http-to-https redirection configuration.
Note that I use a wildcard ".*" as the URL matching criterion.
Here is my complete config for this service:
probe tcp CWI_PROBE
  interval 5
  passdetect interval 5
  passdetect count 2
action-list type modify http SSL_REWRITE_CWI
  ssl url rewrite location ".*"
rserver redirect CWI_SSL_REDIRECT
  description *** Redirects http to https ***
  webhost-redirection https://%h/%p 302
  inservice
rserver host HQCHVMWI01
  description *** Citrix Web Interface Server ***
  ip address 10.56.5.216
  inservice
rserver host HQCHVMWI02
  description *** Citrix Web Interface Server ***
  ip address 10.56.5.217
  inservice
ssl-proxy service SSL_CWI
  key myapps.nespresso.com_key.pem
  cert myapps.nespresso.com_cert.pem
serverfarm host CWI_FARM_PROD
  description *** Citrix Web Access Server farm ***
  probe CWI_PROBE
  rserver HQCHVMWI01 80
    inservice
  rserver HQCHVMWI02 80
    inservice
serverfarm redirect CWI_REDIRECT_FARM
  rserver CWI_SSL_REDIRECT
    inservice
sticky http-cookie STICKED-TO CWI_STICKY
  cookie insert browser-expire
  timeout 240
  replicate sticky
  serverfarm CWI_FARM_PROD
class-map match-all L4_CLASS_CWI_HTTP
  description *** Citrix Web INterface on port 80 ***
  2 match virtual-address 10.56.5.23 tcp eq www
class-map match-all L4_CLASS_CWI_HTTPS
  description *** Citrix Web Interface on port 443 ***
  2 match virtual-address 10.56.5.23 tcp eq https
class-map type http loadbalance match-any L7_CLASS_CWI
  2 match http url /.*
policy-map type loadbalance http first-match L7_POLICY_CWI
  class L7_CLASS_CWI
    serverfarm CWI_REDIRECT_FARM
policy-map type loadbalance http first-match L7_POLICY_CWI_SSL
  class class-default
    sticky-serverfarm CWI_STICKY
    insert-http Source-IP header-value "%is"
policy-map multi-match VIP_PROD
  class L4_CLASS_CWI_HTTPS
    loadbalance vip inservice
    loadbalance policy L7_POLICY_CWI_SSL
    loadbalance vip icmp-reply active
    nat dynamic 3 vlan 300
    ssl-proxy server SSL_CWI
  class L4_CLASS_CWI_HTTP
    loadbalance vip inservice
    loadbalance policy L7_POLICY_CWI
    loadbalance vip icmp-reply active
interface vlan 300
  description *** ACE Production Interface ***
  .
  .
  nat-pool 3 10.56.5.24 10.56.5.24 netmask 255.255.255.255 pat
  .
  .
I can see that the rewrite counter does not increment.
I have version A2(1.2) and did not find any referenced bug on this version, except the spelling one.
Thank you for any help
Yves
05-20-2009 08:13 AM
Gilles,
A cut-and-paste mistake in my previous post: the action-list IS applied on the L7 policy-map.
Here again is my config:
probe tcp CWI_PROBE
  interval 5
  passdetect interval 5
  passdetect count 2
action-list type modify http SSL_REWRITE_CWI
  ssl url rewrite location ".*"
rserver redirect CWI_SSL_REDIRECT
  description *** Redirects http to https ***
  webhost-redirection https://%h/%p 302
  inservice
rserver host HQCHVMWI01
  description *** Citrix Web Interface Server ***
  ip address 10.56.5.216
  inservice
rserver host HQCHVMWI02
  description *** Citrix Web Interface Server ***
  ip address 10.56.5.217
  inservice
ssl-proxy service SSL_CWI
  key myapps.nespresso.com_key.pem
  cert myapps.nespresso.com_cert.pem
serverfarm host CWI_FARM_PROD
  description *** Citrix Web Access Server farm ***
  probe CWI_PROBE
  rserver HQCHVMWI01 80
    inservice
  rserver HQCHVMWI02 80
    inservice
serverfarm redirect CWI_REDIRECT_FARM
  rserver CWI_SSL_REDIRECT
    inservice
sticky http-cookie STICKED-TO CWI_STICKY
  cookie insert browser-expire
  timeout 240
  replicate sticky
  serverfarm CWI_FARM_PROD
class-map match-all L4_CLASS_CWI_HTTP
  description *** Citrix Web INterface on port 80 ***
  2 match virtual-address 10.56.5.23 tcp eq www
class-map match-all L4_CLASS_CWI_HTTPS
  description *** Citrix Web Interface on port 443 ***
  2 match virtual-address 10.56.5.23 tcp eq https
class-map type http loadbalance match-any L7_CLASS_CWI
  2 match http url /.*
policy-map type loadbalance http first-match L7_POLICY_CWI
  class L7_CLASS_CWI
    serverfarm CWI_REDIRECT_FARM
policy-map type loadbalance http first-match L7_POLICY_CWI_SSL
  class class-default
    sticky-serverfarm CWI_STICKY
    action SSL_REWRITE_CWI
    insert-http Source-IP header-value "%is"
policy-map multi-match VIP_PROD
  class L4_CLASS_CWI_HTTPS
    loadbalance vip inservice
    loadbalance policy L7_POLICY_CWI_SSL
    loadbalance vip icmp-reply active
    nat dynamic 3 vlan 300
    ssl-proxy server SSL_CWI
  class L4_CLASS_CWI_HTTP
    loadbalance vip inservice
    loadbalance policy L7_POLICY_CWI
    loadbalance vip icmp-reply active
interface vlan 300
  description *** ACE Production Interface ***
  .
  .
  nat-pool 3 10.56.5.24 10.56.5.24 netmask 255.255.255.255 pat
  .
  .
05-21-2009 12:26 AM
Hi Gilles,
May I ask you if you found something wrong in my SSL rewrite configuration above? I tested with other match criteria, but it definitely does not work. I also did not find any related bug in the bug toolkit (except the one with the header spelling).
Would it maybe be possible that SSL rewrite is incompatible with source-ip insert?
policy-map type loadbalance http first-match L7_POLICY_CWI_SSL
  class class-default
    sticky-serverfarm CWI_STICKY
    action SSL_REWRITE_CWI
    insert-http Source-IP header-value "%is"
Thank you for your help
Yves
05-21-2009 05:05 AM
Hi Yves,
Kindly send me the output of the following command:
host1/Admin# show parameter-map OPTIMIZE_PARAM_MAP
Kindly see the following url for my other postings:
Kindly refer to the following example:
Configure ACE with SSL Termination and URL Rewrite
Kind regards
Sachinga.hcl
05-21-2009 05:09 AM
For the action list, kindly see
For the list of all parameters, kindly find the URL below:
Configure ACE with Source NAT and Client IP Header Insert
05-21-2009 07:20 AM
Yves,
everything looks good.
Can you try without the insert header?
I'll give it a try myself if I find some time tomorrow.
G.
05-21-2009 07:38 AM
Gilles,
Yes, I will ask the customer to make the test tomorrow and let you know the result. If by chance you can do the test as well, that's great.
Thank you for help
Yves
05-26-2009 10:34 PM
Gilles,
We tested the SSL rewrite by removing the source-ip insert, but the problem remains the same.
BUT, we discovered a strange thing: with Firefox, it works, the ACE correctly changes the Location tag from http to https and the rewrite counter increments. But with Microsoft IE, it does not...
This sounds strange because the URL rewrite occurs on the server response, not on the browser request.
I plan to trace the packet coming in and going out of the ACE to see what the problem could be.
Do you have any idea on this ?
Thank you
Yves
05-26-2009 11:48 PM
Yves,
very weird.
But IE is known to do strange stuff.
If you could capture a trace and check with Wireshark and the server private key (to decode the HTTPS traffic) what the response from ACE is, that would help.
Everything looks good in my lab.
G.
06-04-2009 05:10 AM
Hi Gilles,
After several traces and analysis, I found the problem of the SSL rewrite not working with IE.
With Firefox, each GET request establishes a new SSL session and therefore the ACE starts a new load balancing evaluation. In this case, SSL rewrite works well. With IE however, several GET requests are sent in the same TCP session (actually a better method). But in this case, we HAVE TO enable persistence-rebalance to force the ACE to re-evaluate each request for load balancing, otherwise the SSL rewrite does not work. As I use sticky with a cookie, this does not cause a problem.
So, I added the following configuration and everything works fine now:
parameter-map type http CWI_HTTP_PARAM
  persistence-rebalance
policy-map multi-match VIP_PROD
  class L4_CLASS_CWI_HTTPS
    loadbalance vip inservice
    loadbalance policy L7_POLICY_CWI_SSL
    loadbalance vip icmp-reply active
    nat dynamic 3 vlan 300
    appl-parameter http advanced-options CWI_HTTP_PARAM
    ssl-proxy server SSL_CWI
Yves
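The following Python script is an added example and not ACE code or anything posted in this thread. It is a simplified model of two behaviours described above: the "ssl url rewrite location <regex>" action as Gilles explains it (inspect a 30x server response, require a header named exactly "Location", and replace http:// with https:// when the configured regex matches), and Yves' finding that on a keep-alive connection the L7 policy, and so the action list, is evaluated only for the first request unless persistence-rebalance is enabled. The regex being searched anywhere in the Location value, the dict-based header model, and the sample responses are assumptions for illustration; the sslport/clearport options of the real command are not modelled.

```python
import re

# Simplified model (added example, not ACE code) of the ACE
# "ssl url rewrite location <regex>" action described in the thread.


def rewrite_location(status, headers, pattern, header_name="Location"):
    """Apply the URL-rewrite action to one server response.

    status  : HTTP status code of the server response
    headers : dict of response header name -> value (exact-case keys)
    pattern : the regular expression configured on the action list
    Returns (new_headers, rewritten); rewritten is True when the
    Location value was changed from http:// to https://.
    """
    # Only 30x redirect messages are inspected.
    if not 300 <= status <= 399:
        return headers, False
    # The thread states the header name must be exactly "Location";
    # an exact-case dict lookup models that requirement.
    if header_name not in headers:
        return headers, False
    value = headers[header_name]
    # Assumption: the regex is searched anywhere in the Location value.
    if re.search(pattern, value) is None or not value.startswith("http://"):
        return headers, False
    new_headers = dict(headers)
    new_headers[header_name] = "https://" + value[len("http://"):]
    return new_headers, True


class ClientConnection:
    """One client TCP connection to the VIP, carrying one or more requests."""

    def __init__(self, persistence_rebalance):
        self.persistence_rebalance = persistence_rebalance
        self.l7_done = False  # has the L7 policy already been evaluated?


def forward(conn, response, pattern):
    """Pass one request/response exchange through the simulated ACE.

    Without persistence-rebalance the L7 policy (and with it the action list)
    is applied only to the first request on the connection; later requests on
    the same connection are switched at L4 and skip the rewrite.
    """
    apply_actions = conn.persistence_rebalance or not conn.l7_done
    conn.l7_done = True
    if not apply_actions:
        return response, False
    status, headers = response
    new_headers, rewritten = rewrite_location(status, headers, pattern)
    return (status, new_headers), rewritten


def rewrite_count(responses, pattern, persistence_rebalance, one_connection):
    """Return how many responses were rewritten (the 'rewrite counter').

    one_connection=True models IE reusing a single keep-alive connection;
    False models Firefox opening a new SSL session for each GET.
    """
    count = 0
    conn = ClientConnection(persistence_rebalance)
    for response in responses:
        if not one_connection:
            conn = ClientConnection(persistence_rebalance)
        _, rewritten = forward(conn, response, pattern)
        count += int(rewritten)
    return count


# Constructed sample: a 200 for the first GET, then server redirects whose
# Location points at the VIP from the thread with an http:// scheme.
SAMPLE_RESPONSES = [
    (200, {"Content-Type": "text/html"}),
    (301, {"Location": "http://10.56.5.23/Citrix/"}),
    (302, {"Location": "http://10.56.5.23/Citrix/login"}),
]

if __name__ == "__main__":
    print("Firefox, new connection per GET:", rewrite_count(SAMPLE_RESPONSES, ".*", False, False))
    print("IE, keep-alive, no rebalance   :", rewrite_count(SAMPLE_RESPONSES, ".*", False, True))
    print("IE, keep-alive, rebalance      :", rewrite_count(SAMPLE_RESPONSES, ".*", True, True))
```

Running the script reproduces the symptom in the thread: with one connection per GET every redirect is rewritten, with a single keep-alive connection and no persistence-rebalance the counter stays at zero because the redirects arrive after the first request, and enabling persistence-rebalance restores the rewrites. The exact-case header lookup also shows why a server sending "location" instead of "Location" is left untouched.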