07-20-2009 08:39 AM
Greetings,
We have a setup that requires ACE http/https redirection or rewrite.
A client connects to a secured Web portal which has its ssl termination on the ACE.
The web portal will request from the client a redirection to another application. As the portal is unaware that the incoming client https request was terminated on the ACE, the client receives the redirect request for an unsecured http URL rather than for the secured https URL.
In this case what would be best to use? ACE "rewrite" or "redirect"?
Will the following example config for ACE "redirect" be sufficient to implement this?
-------------------------------------------------------
ssl-proxy service ssl-App-443-81
  key app1.test.com.key
  cert app1.test.com.cert

rserver redirect App-secure-redirect
  webhost-redirection https://app1.test.com/Go/
  inservice

serverfarm redirect App-secure-redirect-sf
  rserver App-secure-redirect
    inservice

serverfarm host App-81-sf
  probe TCP81
  rserver proxy1 81
    inservice
  rserver proxy2 81
    inservice

parameter-map type http http_param_map
  header modify per-request

sticky http-cookie App-cookie App-sticky
  cookie insert
  replicate sticky
  serverfarm App-81-sf

class-map match-any App-443-81-cm
  2 match virtual-address 10.10.10.112 tcp eq https

class-map match-any App-81-cm
  2 match virtual-address 10.10.10.112 tcp eq 81

class-map type http loadbalance App-secure-redirect-cm
  match http url http://app1.test.com:81/Go/

policy-map type loadbalance http first-match App-rewrite-pm
  class App-secure-redirect-cm
    serverfarm App-secure-redirect-sf

policy-map type loadbalance http first-match App-sticky-443-81-pm
  class class-default
    sticky-serverfarm App-sticky

policy-map multi-match policy-inbound
  class App-81-cm
    loadbalance vip inservice
    loadbalance policy App-rewrite-pm
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
  !
  class App-443-81-cm
    loadbalance vip inservice
    loadbalance policy App-sticky-443-81-pm
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options http_param_map
    ssl-proxy server ssl-App-443-81
-------------------------------------------------------
07-29-2009 03:57 AM
With a redirect, the client will still first open a connection to port 81 and then receive a redirect to go to port 443.
So, it is better to use a rewrite so that the client receives the correct destination immediately and does not attempt a connection to port 81.
Thus better performance.
Gilles.
07-29-2009 11:52 AM
Could you please provide an example?
John...
07-29-2009 04:55 PM
If you are offloading www.yoursite.com on ACE and the backend real servers are not SSL aware (they send URLs with http://), then with the following sample config you can instruct ACE to rewrite such URLs (http->https):
class-map match-all VIP-443
  match virtual-address x.x.x.x tcp eq https

action-list type modify http HTTP2HTTPS-REWRITE
  ssl url rewrite location www\.yoursite\.* sslport 443 clearport 80

policy-map type loadbalance first-match YOUR-POLICY
  class class-default
    serverfarm YOUR-SFARM
    action HTTP2HTTPS-REWRITE

policy-map multi-match YOUR-MULTIMATCH-POLICY
  class VIP-443
    loadbalance vip inservice
    loadbalance policy YOUR-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server YOUR-SSL-SERVICE
You need ACE 2.x+ on the ACE module and 3.x+ on the 4710 appliance for this feature.
Syed Iftekhar Ahmed
08-10-2009 12:06 PM
So this command will rewrite an incoming port 80 connection to port 443?
What about the cookie and certificate?
John...
08-10-2009 06:03 PM
Nope.
This command will enable ACE to rewrite the HTTP header such that http:// references in the "server responses" will be rewritten as https:// references.
It works on the real server responses not the client requests.
This command is used in scenarios where you are offloading SSL on ACE (and ACE forwards the decrypted traffic to the server), and since the server is not aware of the fact that the original request was https, it still sends the application links as http:// links. This could break the app, as the client will request these resources using http (rather than https, which it should use).
Syed Iftekhar Ahmed
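The behaviour described above, modelled in Python as an added example (this is not ACE code and not from the original thread): the function emulates what the `ssl url rewrite location <regex> sslport N clearport M` action does to a server response, touching only the Location header, and only when its host matches the expression and its scheme/port are the clear (plain HTTP) side of the offloaded pair. Prefix-anchored regex matching and dropping the port when sslport is 443 are modelling assumptions; the sample responses are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def rewrite_location(response: bytes, location_re: str,
                     sslport: int = 443, clearport: int = 80) -> bytes:
    """Model of ACE 'ssl url rewrite location': rewrite http:// Location
    headers in a server response to https://, leaving everything else
    (other headers, body, already-https or non-matching URLs) untouched.
    Only responses are ever passed in: the real feature does not rewrite
    client requests, which is the point made in the reply above."""
    head, sep, body = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    # Assumption: the expression is matched against the host, anchored at
    # the start, so the thread's "www\.yoursite\.*" covers www.yoursite.com.
    host_re = re.compile(location_re, re.IGNORECASE)
    for i, line in enumerate(lines[1:], start=1):   # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"location":
            continue
        url = urlsplit(value.strip().decode("latin-1"))
        if url.scheme.lower() != "http" or not url.hostname:
            continue          # already https, or a relative Location
        if (url.port or 80) != clearport:
            continue          # some other clear port: not the offloaded pair
        if not host_re.match(url.hostname):
            continue          # host not covered by the location regex
        # Rebuild the authority; omit the port when it is the https default.
        netloc = url.hostname if sslport == 443 else f"{url.hostname}:{sslport}"
        new_url = urlunsplit(("https", netloc, url.path, url.query, url.fragment))
        lines[i] = b"Location: " + new_url.encode("latin-1")
    return b"\r\n".join(lines) + sep + body
```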
08-27-2009 03:43 PM
How would this be different from a "run of the mill" SSL termination, where the ACE will send a packet to the backend WEB SERVER on port 80 and then re-encrypt the return packet and send it back to the client over the SSL connection? - we do not have to create an action-list in this case...
Thanks.