ACE module redirect/rewrite issue

Unanswered Question
Jul 13th, 2009

I am having a redirect/rewrite problem with my ACE module. When the user types in https://citix.com and accepts the cert, I need the ACE to add the following path to the URL: /citrix/accessplatform/auth/login.aspx. That part works, but the page is returned as "http" and with the real server IP address in an unencrypted session versus https and the VIP. I thought the action-list would fix this problem, but it had no effect. Any suggestions would be appreciated.

access-list IB extended permit ip any any

probe tcp connect
  interval 5
  faildetect 5
  passdetect count 10

probe http web-connect
  interval 5
  passdetect count 6
  request method get url /citrix/accessplatform/auth/login.aspx
  expect status 200 302
  connection term forced

parameter-map type http HTTP_Secure_Params
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 8192

action-list type modify http ACTION
  ssl url rewrite location "172.16.252.50"
  ssl url rewrite location "citrix"

rserver host citrix-01
  ip address 172.16.252.10
  inservice

rserver host citrix-02
  ip address 172.16.252.11
  inservice

rserver redirect citrix-redirect
  webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice

rserver redirect citrix-redirect-02
  webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice

ssl-proxy service SSL
  key citrixkey
  cert certnew.pem

serverfarm redirect Redirect-farm
  rserver redirect citrix-redirect
    inservice
  rserver redirect citrix-redirect-02
    inservice

serverfarm host citrix-farm
  rserver citrix-01 81
    inservice
  rserver citrix-02 81
    inservice

sticky http-cookie citrix.nnn citrix-sticky
  timeout 720
  replicate sticky
  serverfarm Redirect-farm

class-map type http loadbalance match-any redirect
  match http url citrix

class-map match-all HTTPS-VIP
  match virtual-address 172.16.252.50 tcp eq https

policy-map type loadbalance first-match SLB
  class class-default
    sticky-serverfarm citrix-sticky
    action ACTION

policy-map multi-match client-vip1
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy SLB
    loadbalance vip icmp-reply
    appl-parameter http advanced-options HTTP_Secure_params
    ssl-proxy server SSL

interface vlan 252
  access-group input IB
  service-policy input client-vip1
  no shutdown

Martin Kyrc Tue, 07/14/2009 - 03:35

Hi,

Redirection is without http/https in the front. You can redirect only to another domain/path.

You must correctly define the ssl rewrite condition. For example:

ssl url rewrite location DOMAIN-or-IP sslport 443 clearport 80

For you, DOMAIN-or-IP is 172.16.252.10 and .11. Try it.

martin

mcroberts Tue, 07/14/2009 - 05:02

I added the "sslport 443 clearport 80" commands under the action-list and it seems that they are the default since they do not show up in the config.

Martin Kyrc Tue, 07/14/2009 - 05:05

Right. sslport 443 and clearport 80 are the default and do not show in the configuration. Does it work now (with correct IP addresses) or not?

mcroberts Tue, 07/14/2009 - 05:24

I still have the same outcome. The user only sees "http" in the URL versus "https".

mcroberts Tue, 07/14/2009 - 05:35

access-list IB extended permit ip any any

probe tcp connect
  interval 5
  faildetect 5
  passdetect count 10

probe http web-connect
  interval 5
  passdetect count 6
  request method get url /citrix/accessplatform/auth/login.aspx
  expect status 200 302
  connection term forced

parameter-map type http HTTP_Secure_Params
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 8192

action-list type modify http ACTION
  ssl url rewrite location "172.16.252.50"
  ssl url rewrite location "citrix"

rserver host citrix-01
  ip address 172.16.252.10
  inservice

rserver host citrix-02
  ip address 172.16.252.11
  inservice

rserver redirect citrix-redirect
  webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice

rserver redirect citrix-redirect-02
  webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice

ssl-proxy service SSL
  key citrixkey
  cert certnew.pem

serverfarm redirect Redirect-farm
  rserver redirect citrix-redirect
    inservice
  rserver redirect citrix-redirect-02
    inservice

serverfarm host citrix-farm
  rserver citrix-01 81
    inservice
  rserver citrix-02 81
    inservice

sticky http-cookie citrix.nnn citrix-sticky
  timeout 720
  replicate sticky
  serverfarm Redirect-farm

class-map type http loadbalance match-any redirect
  match http url citrix

class-map match-all HTTPS-VIP
  match virtual-address 172.16.252.50 tcp eq https

policy-map type loadbalance first-match SLB
  class class-default
    sticky-serverfarm citrix-sticky
    action ACTION

policy-map multi-match client-vip1
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy SLB
    loadbalance vip icmp-reply
    appl-parameter http advanced-options HTTP_Secure_params
    ssl-proxy server SSL

interface vlan 252
  access-group input IB
  service-policy input client-vip1
  no shutdown

Martin Kyrc Tue, 07/14/2009 - 05:46

Is this correct?

rserver redirect citrix-redirect
  webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice

rserver redirect citrix-redirect-02
  webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice

It should be https instead of http:

rserver redirect citrix-redirect
  webhost-redirection httpS://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice

rserver redirect citrix-redirect-02
  webhost-redirection httpS://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice

Martin Kyrc Tue, 07/14/2009 - 06:00

The correct data flow for your configuration is:

1. The client accesses https://172.16.252.50/

2. The ACE sends an HTTP redirect (301) to the client to http(s)://172.16.252.11/citrix/accessplatform/auth/login.aspx

3. The browser receives this HTTP redirect and tries to get the new URL: http(s)://172.16.252.11/citrix/accessplatform/auth/login.aspx

^^ Do you need this data flow?
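The three-step flow above, together with the ssl url rewrite location point from Martin's first reply, as an added example that is not part of the thread and not Cisco's code: a small Python model of how a rewrite rule would (or would not) touch the 301's Location header, plus a check for the two things the original poster is seeing, the https-to-http downgrade and the real server address in place of the VIP. Assumptions, labelled in the code: the rewrite matches the rule's expression as a regex against the host part of Location and only rewrites when the URL's port equals clearport (ACE default 80); the sample request and Location are constructed from the addresses posted in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class RewriteRule:
    """One 'ssl url rewrite location <expression> [clearport N] [sslport N]' line."""
    expression: str      # regex matched against the host part of the Location URL
    clearport: int = 80  # ACE default, which is why it does not show in the config
    sslport: int = 443   # ACE default


def apply_rewrite(location: str, rules: list[RewriteRule]) -> str:
    """Model of the ACE rewrite (an assumption, not Cisco's code): the first rule
    whose expression matches the Location host, and whose clearport equals the
    URL's port, turns http:// into https://; otherwise the header passes through."""
    parts = urlsplit(location)
    if parts.scheme != "http" or parts.hostname is None:
        return location                      # only absolute http:// URLs are candidates
    port = parts.port if parts.port is not None else 80
    for rule in rules:
        if re.fullmatch(rule.expression, parts.hostname) and port == rule.clearport:
            netloc = parts.hostname if rule.sslport == 443 else f"{parts.hostname}:{rule.sslport}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return location


def check_redirect(request_url: str, location: str, vip_host: str) -> list[str]:
    """Findings for a redirect served from an SSL VIP: a downgrade from https to
    http, and a Location that names a backend address instead of the VIP."""
    req, loc = urlsplit(request_url), urlsplit(location)
    findings = []
    if req.scheme == "https" and loc.scheme == "http":
        findings.append("cleartext-downgrade")
    if loc.hostname is not None and loc.hostname != vip_host:
        findings.append("backend-address-exposed")
    return findings


# Constructed sample: the 301 that the thread's redirect rserver would send.
VIP = "172.16.252.50"
REQUEST = "https://172.16.252.50/"
LOCATION = "http://172.16.252.10/citrix/accessplatform/auth/login.aspx"

# The action-list as posted in the thread (expressions copied from it).
POSTED_RULES = [RewriteRule("172.16.252.50"), RewriteRule("citrix")]
# The rewrite targets the reply suggests: the real server addresses.
SUGGESTED_RULES = [RewriteRule("172.16.252.10"), RewriteRule("172.16.252.11")]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("suggested", SUGGESTED_RULES)):
        out = apply_rewrite(LOCATION, rules)
        print(f"{name:9s} -> {out}  findings={check_redirect(REQUEST, out, VIP)}")
```

Run stand-alone, the posted rules leave the Location untouched because neither "172.16.252.50" nor "citrix" matches the host 172.16.252.10, so both findings fire; with the suggested rules the scheme becomes https and only the backend-address finding remains, which is the second half of the original complaint (the client ends up on the real server address rather than the VIP, and the session then bypasses the SSL proxy on the ACE).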

mcroberts Tue, 07/14/2009 - 07:06

It does work when I go to that page with http only... the server is only listening on port 80.

Martin Kyrc Wed, 07/15/2009 - 00:12

:) ...here is the problem. The ACE sends the client a redirect to http, and you need access from the client to https (is SSL terminated on the ACE? If so, the configuration is wrong, because as I wrote before your configuration has 3 steps: access to the VIP, redirect sent to the client, client access to the new location).

Is it clear?

mcroberts Wed, 07/15/2009 - 03:56

I am reworking the configuration later today and will post the new final. Thank you for the input.
