ACE http/https redirect or rewrite

Jul 20th, 2009
We have a setup that requires ACE http/https redirection or rewrite.

A client connects to a secured Web portal which has its ssl termination on the ACE.

The web portal will request from the client a redirection to another application. As the portal is unaware that the incoming client https request was terminated on the ACE, the client receives the redirect request for an unsecured http URL rather than for the secured https URL.

In this case what would be best to use? ACE "rewrite" or "redirect"?

Will the following example config for ACE "redirect" be sufficient to implement this?


ssl-proxy service ssl-App-443-81

rserver redirect App-secure-redirect

serverfarm redirect App-secure-redirect-sf
  rserver App-secure-redirect

serverfarm host App-81-sf
  probe TCP81
  rserver proxy1 81
  rserver proxy2 81

parameter-map type http http_param_map
  header modify per-request

sticky http-cookie App-cookie App-sticky
  cookie insert
  replicate sticky
  serverfarm App-81-sf

class-map match-any App-443-81-cm
  2 match virtual-address tcp eq https

class-map match-any App-81-cm
  2 match virtual-address tcp eq 81

class-map type http loadbalance App-secure-redirect-cm
  match http url

policy-map type loadbalance http first-match App-rewrite-pm
  class App-secure-redirect-cm
    serverfarm App-secure-redirect-sf

policy-map type loadbalance http first-match App-sticky-443-81-pm
  class class-default
    sticky-serverfarm App-sticky

policy-map multi-match policy-inbound
  class App-81-cm
    loadbalance vip inservice
    loadbalance policy App-rewrite-pm
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

  class App-443-81-cm
    loadbalance vip inservice
    loadbalance policy App-sticky-443-81-pm
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options http_param_map
    ssl-proxy server ssl-App-443-81


Gilles Dufour (Cisco Employee) Wed, 07/29/2009 - 03:57

With a redirect, the client will still first open a connection to port 81 and then receive a redirect to go to port 443.

So, it is better to use a rewrite so that the client receives the correct destination immediately and does not attempt a connection to port 81.

Thus better performance.


Syed Iftekhar Ahmed Wed, 07/29/2009 - 16:55

If you are offloading on ACE and on the backend the real servers are not SSL aware (send URLs with http://), then with the following sample config you can instruct ACE to rewrite such URLs (http->https):

class-map match-all VIP-443
  match virtual-address x.x.x.x tcp eq https

action-list type modify http HTTP2HTTPS-REWRITE
  ssl url rewrite location www\.yoursite\.* sslport 443 clearport 80

policy-map type loadbalance first-match YOUR-POLICY
  class class-default
    serverfarm YOUR-SFARM

  class VIP-443
    loadbalance vip inservice
    loadbalance policy YOUR-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server YOUR-SSL-SERVICE

You need ACE 2.x+ on the ACE module and 3.x+ on the 4710 appliance for this feature.

Syed Iftekhar Ahmed

Syed Iftekhar Ahmed Mon, 08/10/2009 - 18:03
This command will enable ACE to rewrite the HTTP header such that http:// references in the "server responses" will be rewritten as https:// references.

It works on the real server responses not the client requests.

This command is used in scenarios where you are offloading SSL on ACE (and ACE forwards the decrypted traffic to the server). Since the server is not aware of the fact that the original request was https, it still sends the application links as http:// links. This could break the app, as the client will request these resources using http (rather than the https that it should use).

Syed Iftekhar Ahmed
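
A Python model of the Location rewrite described in the post above, added here as an example; it is not Cisco's implementation and not code from this thread. The host pattern, sample URLs and function names are constructed, and full-match hostname comparison and rewriting only URLs on the clear port are assumptions of the model.

```python
import re
from urllib.parse import urlsplit, urlunsplit

HOST = r"www\.example\.com"   # constructed pattern standing in for the VIP's hostname

def rewrite_location(location, host_regex, sslport=443, clearport=80):
    """Upgrade an http:// Location to https:// when it targets a protected
    host on the clear-text port; return every other value unchanged."""
    parts = urlsplit(location)
    if parts.scheme.lower() != "http" or parts.hostname is None:
        return location                      # relative URL, https, or other scheme
    if not re.fullmatch(host_regex, parts.hostname, re.IGNORECASE):
        return location                      # host is not fronted by this VIP
    try:
        port = parts.port or 80              # no explicit port means 80 for http
    except ValueError:
        return location                      # malformed port, leave untouched
    if port != clearport:
        return location                      # only the configured clear port maps
    netloc = parts.hostname if sslport == 443 else f"{parts.hostname}:{sslport}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def leaks_cleartext(location, host_regex):
    """True when a Location would send the client to a protected host over http."""
    parts = urlsplit(location)
    return (parts.scheme.lower() == "http" and parts.hostname is not None
            and re.fullmatch(host_regex, parts.hostname, re.IGNORECASE) is not None)

def audit(locations, host_regex, **ports):
    """Rewrite each Location, then list the ones that still leak after the rewrite."""
    rewritten = [rewrite_location(loc, host_regex, **ports) for loc in locations]
    return [loc for loc in rewritten if leaks_cleartext(loc, host_regex)]

# Constructed Location values such as an SSL-unaware backend might return.
SAMPLES = [
    "http://www.example.com/app/login?next=%2F",
    "http://www.example.com:80/",
    "http://www.example.com:8080/admin",     # protected host, but not the clear port
    "http://other.example.net/",
    "/relative/path",
]

if __name__ == "__main__":
    for loc in SAMPLES:
        print(f"{loc} -> {rewrite_location(loc, HOST)}")
    print("still cleartext after rewrite:", audit(SAMPLES, HOST))
```

In this model a redirect to the protected host on a port other than the clear port passes through unchanged, so the audit step is what shows whether any cleartext redirect remains after the rewrite rule is in place.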

axfalk Thu, 08/27/2009 - 15:43
How would this be different from a "run of the mill" SSL termination, where the ACE will send a packet to the backend WEB SERVER on port 80 and then re-encrypt the return packet and send it back to the client over the SSL connection? - we do not have to create an action-list in this case...


