ACE http/https redirect or rewrite

kam-hash00 · ‎07-20-2009

Greetings,

We have a setup that requires ACE http/https redirection or rewrite.

A client connects to a secured Web portal which has its ssl termination on the ACE.

The web portal will request from the client a redirection to another application. As the portal is unaware that the incoming client https request was terminated on the ACE,

the client receives the redirect request for an unsecured http URL rather than for the secured https URL.

In this case what would be best to use? ACE "rewrite" or "redirect"?

Will the following example config for ACE "redirect" be sufficent to implement this?

-------------------------------------------------------

ssl-proxy service ssl-App-443-81

key app1.test.com.key

cert app1.test.com.cert

rserver redirect App-secure-redirect

webhost-redirection https://app1.test.com/Go/

inservice

serverfarm redirect App-secure-redirect-sf

rserver App-secure-redirect

inservice

serverfarm host App-81-sf

probe TCP81

rserver proxy1 81

inservice

rserver proxy2 81

inservice

parameter-map type http http_param_map

header modify per-request

sticky http-cookie App-cookie App-sticky

cookie insert

replicate sticky

serverfarm App-81-sf

class-map match-any App-443-81-cm

2 match virtual-address 10.10.10.112 tcp eq https

class-map match-any App-81-cm

2 match virtual-address 10.10.10.112 tcp eq 81

class-map type http loadbalance App-secure-redirect-cm

match http url http://app1.test.com:81/Go/

policy-map type loadbalance http first-match App-rewrite-pm

class App-secure-redirect-cm

serverfarm App-secure-redirect-sf

policy-map type loadbalance http first-match App-sticky-443-81-pm

class class-default

sticky-serverfarm App-sticky

policy-map multi-match policy-inbound

class App-81-cm

loadbalance vip inservice

loadbalance policy App-rewrite-pm

loadbalance vip icmp-reply active

loadbalance vip advertise active

!

class App-443-81-cm

loadbalance vip inservice

loadbalance policy App-sticky-443-81-pm

loadbalance vip icmp-reply active

loadbalance vip advertise active

appl-parameter http advanced-options http_param_map

ssl-proxy server ssl-App-443-81

-------------------------------------------------------

Gilles Dufour · ‎07-29-2009

with a redirect, the client will still first open a connection to port 81 and then receive a redirect to go to port 443.

So, it is better to use a rewrite so that the client receives the correct destination immediately and does not attempt a connection to port 81.

Thus better performance.

Gilles.

jteixido · ‎07-29-2009

Could you please provide an example?

John...

Syed Iftekhar Ahmed · ‎07-29-2009

If you are offloading www.yoursite.com on ACE and on the backend

real servers are not ssl aware (sends URL with http://) then with

following sample config you can instruct ACE to rewrite such urls (http->https)

class-map match-all VIP-443

match virtual-address x.x.x.x tcp eq https

action-list type modify http HTTP2HTTPS-REWRITE

ssl url rewrite location www\.yoursite\.* sslport 443 clearport 80

policy-map type loadbalance first-match YOUR-POLICY

class class-default

serverfarm YOUR-SFARM

action HTTP2HTTPS-REWRITE

class VIP-443

loadbalance vip inservice

loadbalance policy YOUR-POLICY

loadbalance vip icmp-reply active

ssl-proxy server YOUR-SSL-SERVICE

You need Ace2.x+ on Ace module & 3.x+ on 4710 appliance for this feature.

Syed Iftekhar Ahmed

jteixido · ‎08-10-2009

So this command will rewrite an incoming port 80 connection to port 443?

What about the cookie and certificate?

John...

Syed Iftekhar Ahmed · ‎08-10-2009

Nope

This command will enable ACE to rewrite the HTTP header such that http:// references in the "server responses" will be rewritten as https:// references.

It works on the real server responses not the client requests.

This command is used in scenarios where you are offloading SSL on ACE ( and ACE forwards the decrypted traffic to Server) and since server is not aware of the fact that the original request was https, it still sends the application links as http:// links. This could break the app as the client will request these resources using http (rather than https that it should use).

Syed Iftekhar Ahmed

axfalk · ‎08-27-2009

How would this be different from a "run of the mill" SSL termination, where the ACE will send a packet to the backend WEB SERVER on port 80 and then re-encrypt the return packet and send it back to the client over the SSL connection? - we do not have to create an action-list in this case...

Thanks.