ACE module redirect/rewrite issue

Unanswered Question
Jul 13th, 2009

I am having a redirect/rewrite problem with my ACE module. When the user types in https://citix.com and accepts the cert, I need the ACE to add the following path to the URL: /citrix/accessplatform/auth/login.aspx. That part works, but the page is returned as "http" and with the real server IP address in an unencrypted session, versus https and the VIP. I thought the action-list would fix this problem, but it had no effect. Any suggestions would be appreciated.


access-list IB extended permit ip any any

probe tcp connect
  interval 5
  faildetect 5
  passdetect count 10
probe http web-connect
  interval 5
  passdetect count 6
  request method get url /citrix/accessplatform/auth/login.aspx
  expect status 200 302
  connection term forced

parameter-map type http HTTP_Secure_Params
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 8192

action-list type modify http ACTION
  ssl url rewrite location "172.16.252.50"
  ssl url rewrite location "citrix"

rserver host citrix-01
  ip address 172.16.252.10
  inservice
rserver host citrix-02
  ip address 172.16.252.11
  inservice
rserver redirect citrix-redirect
  webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice
rserver redirect citrix-redirect-02
  webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice

ssl-proxy service SSL
  key citrixkey
  cert certnew.pem

serverfarm redirect Redirect-farm
  rserver redirect citrix-redirect
    inservice
  rserver redirect citrix-redirect-02
    inservice
serverfarm host citrix-farm
  rserver citrix-01 81
    inservice
  rserver citrix-02 81
    inservice

sticky http-cookie citrix.nnn citrix-sticky
  timeout 720
  replicate sticky
  serverfarm Redirect-farm

class-map type http loadbalance match-any redirect
  match http url citrix
class-map match-all HTTPS-VIP
  match virtual-address 172.16.252.50 tcp eq https

policy-map type loadbalance first-match SLB
  class class-default
    sticky-serverfarm citrix-sticky
    action ACTION
policy-map multi-match client-vip1
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy SLB
    loadbalance vip icmp-reply
    appl-parameter http advanced-options HTTP_Secure_params
    ssl-proxy server SSL

interface vlan 252
  access-group input IB
  service-policy input client-vip1
  no shutdown



Martin Kyrc Tue, 07/14/2009 - 03:35

Hi,

Redirection is without http/https in the front. You can redirect only to another domain/path.


You must correctly define the ssl rewrite condition. For example:


ssl url rewrite location DOMAIN-or-IP sslport 443 clearport 80


For you, DOMAIN-or-IP is 172.16.252.10 and .11. Try it.


martin

mcroberts Tue, 07/14/2009 - 05:02

I added the "sslport 443 clearport 80" commands under the action-list and it seems that they are the default since they do not show up in the config.


Martin Kyrc Tue, 07/14/2009 - 05:05

Right. sslport 443 and clearport 80 are the default and they do not show in the configuration. Does it work now (with the correct IP addresses) or not?

mcroberts Tue, 07/14/2009 - 05:24

I still have the same outcome. The user only sees "http" in the URL versus "https".


Martin Kyrc Tue, 07/14/2009 - 05:46

Is this correct?


rserver redirect citrix-redirect
  webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice
rserver redirect citrix-redirect-02
  webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice


It should be https instead of http:


rserver redirect citrix-redirect
  webhost-redirection httpS://172.16.252.10/citrix/accessplatform/auth/login.aspx 301
  inservice
rserver redirect citrix-redirect-02
  webhost-redirection httpS://172.16.252.11/citrix/accessplatform/auth/login.aspx 301
  inservice

Martin Kyrc Tue, 07/14/2009 - 06:00

The correct data flow for your configuration is:


1. The client accesses https://172.16.252.50/

2. The ACE sends an HTTP redirect (301) to the client, to http(s)://172.16.252.11/citrix/accessplatform/auth/login.aspx

3. The browser receives this HTTP redirect and tries to get the new URL: http(s)://172.16.252.11/citrix/accessplatform/auth/login.aspx


Do you need this data flow?

mcroberts Tue, 07/14/2009 - 07:06

It does work when I go to that page with http only... the server is only listening on port 80.

Martin Kyrc Wed, 07/15/2009 - 00:12

:) ...here is the problem. The ACE sends the client a redirect to http, and you need the client to access https (SSL terminated on the ACE? If so, the configuration is wrong, because as I wrote before your configuration has 3 steps: access to the VIP, redirect sent to the client, client access to the new location).


Is it clear?
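The three-step flow Martin describes above is the whole problem: once the ACE answers the HTTPS VIP with a 301 whose Location names http://<backend IP>/..., the browser follows it in cleartext straight to the real server, and the `ssl url rewrite location` rules in the action-list never fire because neither "172.16.252.50" nor "citrix" matches the backend host in that Location header. The Python script below is an added example, not part of this thread and not ACE code: it parses a constructed 301 like the one the redirect rservers send, applies an approximate emulation of the rewrite rule (assumption: the expression is treated as a regular expression that must match the whole Location host, with the 443/80 defaults the thread mentions), and then audits the URL the browser would actually follow for a scheme downgrade and for a redirect that leaves the published VIP for a private backend address. The VIP and backend addresses are the ones from the thread; `SAMPLE_301`, `check_thread_case` and the finding labels are constructed for the example.

```python
"""Audit a load balancer's redirect for HTTPS->HTTP downgrade and backend exposure."""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the 301 an 'rserver redirect' with
# 'webhost-redirection http://172.16.252.10/... 301' sends back to the client.
SAMPLE_301 = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://172.16.252.10/citrix/accessplatform/auth/login.aspx\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

VIP = "172.16.252.50"  # HTTPS virtual address from the thread's class-map


def parse_redirect(raw):
    """Return (status_code, location) from a raw HTTP response; location may be None."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    location = None
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def ssl_url_rewrite(location, expressions, sslport=443, clearport=80):
    """Approximate emulation (an assumption, not a verified reimplementation) of
    'ssl url rewrite location <expr> [sslport N] [clearport M]': when the Location
    host fully matches one expression and the URL is http on clearport, rewrite it
    to https on sslport. A non-matching host is left untouched, which is why rules
    written for the VIP never change a redirect that names a backend server."""
    parts = urlsplit(location)
    if parts.scheme != "http" or (parts.port or 80) != clearport:
        return location
    host = parts.hostname or ""
    for expr in expressions:
        if re.fullmatch(expr, host):
            netloc = host if sslport == 443 else f"{host}:{sslport}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return location


def audit_redirect(requested_url, location, vip_hosts):
    """Findings for the redirect a browser will follow after requesting requested_url."""
    findings = []
    req, loc = urlsplit(requested_url), urlsplit(location)
    if req.scheme == "https" and loc.scheme == "http":
        findings.append("downgrade: HTTPS request redirected to cleartext HTTP")
    host = loc.hostname or ""
    if host not in vip_hosts:
        findings.append(f"off-vip: redirect target host {host!r} is not the published VIP")
        try:
            if ipaddress.ip_address(host).is_private:
                findings.append(f"backend-exposure: Location names private address {host}")
        except ValueError:
            pass  # a hostname rather than an IP literal
    return findings


def check_thread_case(expressions):
    """Run the thread's scenario end to end with a given set of rewrite expressions."""
    status, location = parse_redirect(SAMPLE_301)
    rewritten = ssl_url_rewrite(location, expressions)
    return status, rewritten, audit_redirect(f"https://{VIP}/", rewritten, {VIP})


if __name__ == "__main__":
    for rules in (["172.16.252.50", "citrix"], [r"172\.16\.252\.10", r"172\.16\.252\.11"]):
        status, loc, findings = check_thread_case(rules)
        print(f"rules={rules} -> {status} {loc}")
        for f in findings:
            print("   ", f)
```

With the thread's original rules the Location is returned unchanged and the audit reports both a downgrade and a private backend address in the redirect; with expressions that actually match the backend hosts (Martin's suggestion) the downgrade disappears, but the redirect still sends the client off the VIP to a backend that, per the thread, only listens on port 80. The clean result only comes from a Location that stays on https and on the VIP, which is what the audit's empty-findings case checks.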

mcroberts Wed, 07/15/2009 - 03:56

I am reworking the configuration later today and will post the new final. Thank you for the input.
