cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1514
Views
0
Helpful
16
Replies

ACE module redirect/rewrite issue

mcroberts
Level 1
Level 1

I am having a redirect/rewrite problem with my ACE module. When the user types in https://citix.com and accepts the cert, I need the ace to add the following path to the url.../citrix/accessplatform/auth/login.aspx. That part works, but the page is returned as "http" and with the real server IP address in an unencrypted session versus https and the vip. I thought the action-list would fix this problem, but it had no effect. Any suggestions would be appreciated.

access-list IB extended permit ip any any

probe tcp connect

interval 5

faildetect 5

passdetect count 10

probe http web-connect

interval 5

passdetect count 6

request method get url /citrix/accessplatform/auth/login.aspx

expect status 200 302

connection term forced

parameter-map type http HTTP_Secure_Params

case-insensitive

persistence-rebalance

set header-maxparse-length 8192

action-list type modify http ACTION

ssl url rewrite location "172.16.252.50"

ssl url rewrite location "citrix"

rserver host citrix-01

ip address 172.16.252.10

inservice

rserver host citrix-02

ip address 172.16.252.11

inservice

rserver redirect citrix-redirect

webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301

inservice

rserver redirect citrix-redirect-02

webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301

inservice

ssl-proxy service SSL

key citrixkey

cert certnew.pem

serverfarm redirect Redirect-farm

rserver redirect citrix-redirect

inservice

rserver redirect citrix-redirect-02

inservice

serverfarm host citrix-farm

rserver citrix-01 81

inservice

rserver citrix-02 81

inservice

sticky http-cookie citrix.nnn citrix-sticky

timeout 720

replicate sticky

serverfarm Redirect-farm

class-map type http loadbalance match-any redirect

match http url citrix

class-map match-all HTTPS-VIP

match virtual-address 172.16.252.50 tcp eq https

policy-map type loadbalance first-match SLB

class class-default

sticky-serverfarm citrix-sticky

action ACTION

policy-map multi-match client-vip1

class HTTPS-VIP

loadbalance vip inservice

loadbalance policy SLB

loadbalance vip icmp-reply

appl-parameter http advanced-options HTTP_Secure_params

ssl-proxy server SSL

interface vlan 252

access-group input IB

service-policy input client-vip1

no shutdown

16 Replies 16

Martin Kyrc
Level 3
Level 3

Hi,

redirection is without http/https in the front. You can redirect only to another domain/path/.

You must correct define ssl rewrite condition. for example:

ssl url rewrite location DOMAIN-or-IP sslport 443 clearport 80

For you is DOAMIN-or-IP 172.16.252.10 and .11. Try it.

martin

I added the "sslport 443 clearport 80" commands under the action-list and it seems that they are the default since they do not show up in the config.

right. sslport 443 and clearport 80 is default and it not shows in configuration. it works now (whit correct ip addresses) or not?

I still have the same outcome. The user only sees "http" in the url versus the "https"

I still have the same outcome. The user only sees "http" in the url versus the "https"

I still have the same outcome. The user only sees "http" in the url versus the "https"

can you attach current configuration?

access-list IB extended permit ip any any

probe tcp connect

interval 5

faildetect 5

passdetect count 10

probe http web-connect

interval 5

passdetect count 6

request method get url /citrix/accessplatform/auth/login.aspx

expect status 200 302

connection term forced

parameter-map type http HTTP_Secure_Params

case-insensitive

persistence-rebalance

set header-maxparse-length 8192

action-list type modify http ACTION

ssl url rewrite location "172.16.252.50"

ssl url rewrite location "citrix"

rserver host citrix-01

ip address 172.16.252.10

inservice

rserver host citrix-02

ip address 172.16.252.11

inservice

rserver redirect citrix-redirect

webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301

inservice

rserver redirect citrix-redirect-02

webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301

inservice

ssl-proxy service SSL

key citrixkey

cert certnew.pem

serverfarm redirect Redirect-farm

rserver redirect citrix-redirect

inservice

rserver redirect citrix-redirect-02

inservice

serverfarm host citrix-farm

rserver citrix-01 81

inservice

rserver citrix-02 81

inservice

sticky http-cookie citrix.nnn citrix-sticky

timeout 720

replicate sticky

serverfarm Redirect-farm

class-map type http loadbalance match-any redirect

match http url citrix

class-map match-all HTTPS-VIP

match virtual-address 172.16.252.50 tcp eq https

policy-map type loadbalance first-match SLB

class class-default

sticky-serverfarm citrix-sticky

action ACTION

policy-map multi-match client-vip1

class HTTPS-VIP

loadbalance vip inservice

loadbalance policy SLB

loadbalance vip icmp-reply

appl-parameter http advanced-options HTTP_Secure_params

ssl-proxy server SSL

interface vlan 252

access-group input IB

service-policy input client-vip1

no shutdown

this is correct??

rserver redirect citrix-redirect

webhost-redirection http://172.16.252.10/citrix/accessplatform/auth/login.aspx 301

inservice

rserver redirect citrix-redirect-02

webhost-redirection http://172.16.252.11/citrix/accessplatform/auth/login.aspx 301

inservice

it should be https instead http:

rserver redirect citrix-redirect

webhost-redirection httpS://172.16.252.10/citrix/accessplatform/auth/login.aspx 301

inservice

rserver redirect citrix-redirect-02

webhost-redirection httpS://172.16.252.11/citrix/accessplatform/auth/login.aspx 301

inservice

I tried that a couple of times. Once I accept the cert, the page times out and does not display with the vip in the url --> https://172.16.252.50

correct data flow for your configuration is:

1. client access https://172.16.252.50/

2. ACE send HTTP redirect (301) to client to http(s)://172.16.252.11/citrix/accessplatform/auth/login.aspx

3. browser receive this http redirect and tried get new url: http(s)://172.16.252.11/citrix/accessplatform/auth/login.aspx

^^ do you need this data flow?

yes.

ok and when you get direct from browser this page: https://172.16.252.11/citrix/accessplatform/auth/login.aspx, it works?

because I think, configuration is correct. Try tcpdump from client side (wireshark from client pc) and check if ace send corect http redirect to https://...)

It does work when I go to that page with http only... the server is only listening on port 80.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: