HTTP redirects

Unanswered Question
Oct 13th, 2009

Hi,


I want to configure http to https redirects on a CSS 11501. Could someone guide me on how to implement an HTTPS redirect for a sub-directory?


Say I have www.xyz.com; by default it goes to http, which is fine. But if someone types in http://www.xyz.com/login or http://www.xyz.com/login/secure/index.html then it should be redirected to httpS://www.xyz.com/login or http://www.xyz.com/login/secure/index.html. Basically anything in and under the login directory should be HTTPS.


I have set up the following but I am getting a redirect loop:


content DEFAULT
  vip address 10.1.1.1
  protocol tcp
  port 80
  url "/*"
  add service Server1
  add service Server2
  advanced-balance arrowpoint-cookie
  active

content SSL_RULE
  protocol tcp
  vip address 10.1.1.1
  port 443
  add service SSL_SERVICE
  active

content LOGIN
  vip address 10.1.1.1
  protocol tcp
  port 80
  url "//www.xyz.com/login/*"
  add service LOGIN_RD
  active

==========================

service LOGIN_RD
  ip address 2.2.2.2
  keepalive type none
  type redirect
  domain https://www.xyz.com
  active

service SSL_SERVICE
  type ssl-accel
  slot 2
  add ssl-proxy-list SSL_LIST1
  keepalive type none
  active


I would greatly appreciate any help.

jason.espino Tue, 10/13/2009 - 20:01
User Badges:
  • Bronze, 100 points or more

You're getting a redirect loop because you do not have an alternate port where the redirected traffic can be processed. The inbound request that contains "/login" will get redirected to the HTTPS equivalent; however, with your current configuration the connection will simply fall under the same redirect content rule and you will never resolve content correctly (redirect loop).


The following configuration will work:


content DEFAULT
  vip address 10.1.1.1
  protocol tcp
  port 80
  url "/*"
  add service Server1
  add service Server2
  advanced-balance arrowpoint-cookie
  active

content DEFAULT
  vip address 10.1.1.1
  protocol tcp
  port 81
  url "/*"
  add service Server1
  add service Server2
  advanced-balance arrowpoint-cookie
  active

content SSL_RULE
  protocol tcp
  vip address 10.1.1.1
  port 443
  add service SSL_SERVICE
  active

content LOGIN
  vip address 10.1.1.1
  protocol tcp
  port 80
  url "/login*"
  add service LOGIN_RD
  active

==========================

service LOGIN_RD
  type redirect
  no prepend-http
  keepalive type none
  domain https://www.xyz.com
  active

service SSL_SERVICE
  type ssl-accel
  slot 2
  add ssl-proxy-list SSL_LIST1
  keepalive type none
  active



Update the ssl-proxy-list with an alternate port to send the decrypted traffic to:


ssl-server 1 cipher all-cipher-suites 10.1.1.1 81


I chose port 81 as the alternate decrypted port; however, you can choose any other port. Please be sure that your servers are set up to accept traffic on that alternate port as well. If not, you can simply set up a NAT rule and hard-set the destination port on the services to port 80. This will allow the CSS to re-write the destination port to port 80 when the decrypted traffic gets sent to the alternate port 81 content rule.


Hope this info helps.


- Jason
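To make the loop and its fix concrete, here is a small Python model of how a CSS picks a content rule and what each service type does with the flow. It is an added example for this thread, not CSS code and not something Jason posted. It assumes what the answer above describes: the most specific matching content rule on a VIP:port wins, a "type redirect" service sends the browser to its domain, an "ssl-accel" service decrypts and re-sends the flow to the VIP on the clear-text port named in its ssl-proxy-list, and "port N" on a server service rewrites the destination port. Two further assumptions: the original ssl-proxy-list (not shown in the thread) sent decrypted traffic back to port 80, and the second DEFAULT rule is renamed DEFAULT_81 here because the model keys rules by name.

```python
"""Toy model of Cisco CSS content-rule selection (added example, not CSS code).
Assumptions: most specific url match wins within a VIP:port; 'type redirect'
answers with a redirect to its domain (used as-is, like 'no prepend-http');
'ssl-accel' decrypts and re-injects the flow toward the proxy-list's clear-text
port on the same VIP; 'port N' on a server service is a destination-port NAT.
The real CSS precedence rules are richer than this."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Service:
    name: str
    kind: str = "server"                # "server", "redirect" or "ssl-accel"
    port: Optional[int] = None          # 'port N' on a service: NAT destination port to N
    domain: Optional[str] = None        # redirect target
    backend_port: Optional[int] = None  # ssl-accel: clear-text port from the ssl-proxy-list


@dataclass
class ContentRule:
    name: str
    port: int
    url: str = "/*"                     # CSS url syntax: "/path*" or "//host/path*"
    services: List[Service] = field(default_factory=list)

    def matches(self, host: str, path: str) -> bool:
        target = f"//{host}{path}" if self.url.startswith("//") else path
        return fnmatchcase(target, self.url)


def pick_rule(rules: List[ContentRule], port: int, host: str, path: str) -> Optional[ContentRule]:
    """Most specific (longest literal prefix) rule for this port and request."""
    hits = [r for r in rules if r.port == port and r.matches(host, path)]
    return max(hits, key=lambda r: len(r.url.rstrip("*")), default=None)


def simulate(rules: List[ContentRule], scheme: str, host: str, path: str,
             max_hops: int = 6) -> Tuple[str, object, List[str]]:
    """Follow one request through the box. Returns (outcome, detail, trace):
    outcome is 'served' (detail = (service, destination port)), 'loop' or 'no-rule'."""
    trace: List[str] = []
    port = 443 if scheme == "https" else 80
    for _ in range(max_hops):
        rule = pick_rule(rules, port, host, path)
        if rule is None:
            return "no-rule", port, trace
        svc = rule.services[0]  # toy: first service; the real CSS balances across them
        trace.append(f"{scheme}://{host}:{port}{path} -> {rule.name} -> {svc.name}")
        if svc.kind == "redirect":
            # browser follows Location: <domain><path> and comes back on that scheme's port
            parts = urlsplit(svc.domain)
            scheme, host = parts.scheme, parts.hostname
            port = 443 if scheme == "https" else 80
        elif svc.kind == "ssl-accel":
            # decrypted flow is re-sent to the VIP on the proxy-list's clear-text port
            scheme, port = "http", svc.backend_port
        else:
            # server service: 'port N' rewrites the destination, else it inherits the rule's port
            return "served", (svc.name, svc.port if svc.port is not None else port), trace
    return "loop", max_hops, trace


def original_config() -> List[ContentRule]:
    """The first attempt: decrypted traffic assumed to return to the VIP on port 80."""
    server1 = Service("Server1", port=80)
    return [
        ContentRule("DEFAULT", 80, "/*", [server1]),
        ContentRule("SSL_RULE", 443, "/*", [Service("SSL_SERVICE", "ssl-accel", backend_port=80)]),
        ContentRule("LOGIN", 80, "//www.xyz.com/login/*",
                    [Service("LOGIN_RD", "redirect", domain="https://www.xyz.com")]),
    ]


def fixed_config(nat_servers_to_80: bool = True) -> List[ContentRule]:
    """Jason's layout: 'ssl-server 1 ... 10.1.1.1 81' hands decrypted traffic to a
    port-81 copy of DEFAULT (named DEFAULT_81 here), away from the port-80 redirect."""
    server1 = Service("Server1", port=80 if nat_servers_to_80 else None)
    return [
        ContentRule("DEFAULT", 80, "/*", [server1]),
        ContentRule("DEFAULT_81", 81, "/*", [server1]),
        ContentRule("SSL_RULE", 443, "/*", [Service("SSL_SERVICE", "ssl-accel", backend_port=81)]),
        ContentRule("LOGIN", 80, "/login*", [Service("LOGIN_RD", "redirect", domain="https://www.xyz.com")]),
    ]


if __name__ == "__main__":
    for label, cfg in (("original", original_config()), ("fixed", fixed_config())):
        outcome, detail, trace = simulate(cfg, "http", "www.xyz.com", "/login/secure/index.html")
        print(label, outcome, detail)
        for step in trace:
            print("   ", step)
```

Running it shows the original layout bouncing between LOGIN, SSL_RULE and LOGIN again until the hop limit, while the fixed layout ends at Server1 with destination port 80. Calling `fixed_config(nat_servers_to_80=False)` shows the other half of Jason's point: without "port 80" on the service, the flow arriving through the port-81 rule is delivered to the server on port 81, so the server must listen there.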

Muhammad Khan Wed, 10/14/2009 - 02:19

Hi Jason,


Thank you for your reply. I have not tried your configuration yet but I am sure it will work. However, I do have another couple of questions:


1. Do I need to update my services (Server1, Server2) to use port 81? Currently they are configured as:


service Server1
  ip address 192.168.0.1
  protocol tcp
  port 80
  keepalive http
  uri "/"
  active


Do I need to update port 80 to 81 here?


2. How can I redirect port 81 to 80 on the CSS if I do not want the servers to listen on another port (mainly because the servers are in production and I do not have access to them, and httpd would require a restart)? I would be more than happy to do my research and test things, but unfortunately I do not have this option.


Thank you in advance.

jason.espino Wed, 10/14/2009 - 07:12
User Badges:
  • Bronze, 100 points or more

Hello Muhammad,


The service configuration is correct as is. The "port 80" command within the service configuration is a NAT rule. This will always instruct the CSS to re-write the destination port to port 80.


If you were to place your services under a port 81 content rule, a port 25 content rule, or any other port content rule without hard-setting the port on the services, they would inherit the source and destination port defined within the content rule itself.


If you run the command "sho service Server1" on the CSS you will see the entire service configuration, and how it will operate. From here you will see what I am talking about.


With your current service configuration you should see something like the following:


Rule ( 192.168.0.1 ANY 80 )


The first "ANY" is the source port, which the service inherits from the content rule it is placed under, and the "80" is your NAT rule that instructs the CSS to re-write the destination port to port 80. If you removed the "port 80" command from your service configuration and ran the "sho service Server1" command again, you would see the following:


Rule ( 192.168.0.1 ANY ANY )



If you want to test whether the CSS will re-write the destination port to port 80, you can. Create a test content rule with any port; for this example I'll use SMTP port 25. Apply one of your existing services under this rule (Server1). If you have a Windows machine, open up a command prompt and create a socket connection to the VIP over port 25. First off, you wouldn't see an SMTP HELO banner displayed after creating the socket connection to the VIP over port 25, and if you still want to test, type the following within the window: GET "/". You should see HTML content within your command prompt window.


- Jason

Muhammad Khan Fri, 10/23/2009 - 13:29

Hi Jason,


Thank you for your help. I managed to get it all working with your help.


Rgds,

Muhammad Khan Wed, 11/04/2009 - 12:42

Hello,


OK. It is all working: three servers being load balanced for www.xyz.com, and the 4th is a stand-alone hosting forums.xyz.com.


I did not experience any issues myself, but there are some external users complaining that sometimes when they browse to www.xyz.com they don't see anything, with "Done" at the browser bottom. When they refresh, the site loads as normal. (They did not have this issue before the CSS.)


I have enabled debug level logging and all I see are the following frequent messages:

(xx.xx.xx.xx is the external user IP masked to protect the innocent :))


4 NOV 16:07:15 1/1 19608 FLOWMGR-7:
DoS SYN attack: xx.xx.xx.xx:1676->10.1.1.1:80
synCnt: 1, initSeq: 3718679720

4 NOV 16:07:51 1/1 19609 FLOWMGR-7:
DoS SYN attack: xx.xx.xx.xx:3119->10.1.1.1:81
synCnt: 1, initSeq: 342024065

4 NOV 16:07:51 1/1 19610 FLOWMGR-7:
DoS SYN attack: xx.xx.xx.xx:3122->10.1.1.1:81
synCnt: 1, initSeq: 344186757

4 NOV 16:07:51 1/1 19611 FLOWMGR-7:
DoS SYN attack: xx.xx.xx.xx:3128->10.1.1.1:81
synCnt: 1, initSeq: 356179851

4 NOV 16:07:52 1/1 19612 FLOWMGR-7:
DoS SYN attack: xx.xx.xx.xx:49196->10.1.1.1:81
synCnt: 1, initSeq: 421715861


I also see the following messages (not as frequent):


4 NOV 16:13:30 1/1 19669 WCC-7: Cookie seq number entry not found to retrieve value for flow 0x8fa0.
4 NOV 16:14:24 1/1 19674 WCC-7: Cookie seq number entry not found to retrieve value for flow 0x8fcd.


Also attached are the config and network layout doc.


Any suggestions please?
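When a debug log fills up with "DoS SYN attack" lines, the first triage step is to read the numbers rather than the label: each record carries a synCnt, a client address and a destination port. The parser below is an added example for this thread (not Cisco code) that pulls those fields out of FLOWMGR-7 records and counts the WCC-7 cookie misses. The sample text is constructed in the same shape as the lines quoted above (with the client address masked as in the post, and both the three-line and single-line layouts included); the thresholds in `assess` are constructed values, not CSS defaults.

```python
"""Parse CSS FLOWMGR-7 'DoS SYN attack' and WCC-7 cookie records from debug
logging (added example, not Cisco code). Records are matched with \\s+ between
fields so the three-line form seen in the forum post and a one-line form both
parse. Sample log lines below are constructed; xx.xx.xx.xx is a masked client."""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
4 NOV 16:07:15 1/1 19608 FLOWMGR-7:
DoS SYN attack: xx.xx.xx.xx:1676->10.1.1.1:80
synCnt: 1, initSeq: 3718679720

4 NOV 16:07:51 1/1 19609 FLOWMGR-7:
DoS SYN attack: xx.xx.xx.xx:3119->10.1.1.1:81
synCnt: 1, initSeq: 342024065

4 NOV 16:07:51 1/1 19610 FLOWMGR-7: DoS SYN attack: xx.xx.xx.xx:3122->10.1.1.1:81 synCnt: 1, initSeq: 344186757
4 NOV 16:07:51 1/1 19611 FLOWMGR-7: DoS SYN attack: xx.xx.xx.xx:3128->10.1.1.1:81 synCnt: 1, initSeq: 356179851
4 NOV 16:07:52 1/1 19612 FLOWMGR-7: DoS SYN attack: xx.xx.xx.xx:49196->10.1.1.1:81 synCnt: 1, initSeq: 421715861
4 NOV 16:13:30 1/1 19669 WCC-7: Cookie seq number entry not found to retrieve value for flow 0x8fa0.
4 NOV 16:14:24 1/1 19674 WCC-7: Cookie seq number entry not found to retrieve value for flow 0x8fcd.
"""

SYN_RE = re.compile(
    r"(?P<ts>\d{1,2} [A-Z]{3} \d{2}:\d{2}:\d{2}) (?P<slot>\S+) (?P<seq>\d+) FLOWMGR-7:\s+"
    r"DoS SYN attack: (?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+)\s+"
    r"synCnt: (?P<syncnt>\d+), initSeq: (?P<initseq>\d+)"
)
COOKIE_RE = re.compile(
    r"WCC-7: Cookie seq number entry not found to retrieve value for flow (0x[0-9a-fA-F]+)"
)


def parse_syn_records(text: str) -> List[Dict[str, object]]:
    """One dict per FLOWMGR-7 record, with numeric fields converted to int."""
    records = []
    for m in SYN_RE.finditer(text):
        rec: Dict[str, object] = m.groupdict()
        for key in ("seq", "sport", "dport", "syncnt", "initseq"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize(records: List[Dict[str, object]]) -> Dict[int, Dict[str, int]]:
    """Per destination port: flow count, distinct client addresses, largest synCnt."""
    acc = defaultdict(lambda: {"flows": 0, "clients": set(), "max_syncnt": 0})
    for r in records:
        s = acc[r["dport"]]
        s["flows"] += 1
        s["clients"].add(r["src"])
        s["max_syncnt"] = max(s["max_syncnt"], r["syncnt"])
    return {port: {"flows": s["flows"], "clients": len(s["clients"]), "max_syncnt": s["max_syncnt"]}
            for port, s in acc.items()}


def assess(summary: Dict[int, Dict[str, int]], syn_threshold: int = 10,
           client_threshold: int = 50) -> Dict[int, str]:
    """Label each port. 'single-syn' means every record carried synCnt 1 from a small
    set of clients, i.e. ordinary connection attempts being logged at debug level;
    'flood' means many SYNs per flow or many distinct sources (constructed thresholds)."""
    verdict = {}
    for port, s in summary.items():
        if s["max_syncnt"] <= 1 and s["clients"] < client_threshold:
            verdict[port] = "single-syn"
        elif s["max_syncnt"] >= syn_threshold or s["clients"] >= client_threshold:
            verdict[port] = "flood"
        else:
            verdict[port] = "elevated"
    return verdict


def cookie_misses(text: str) -> List[str]:
    """Flow ids of WCC-7 'Cookie seq number entry not found' messages."""
    return COOKIE_RE.findall(text)


if __name__ == "__main__":
    recs = parse_syn_records(SAMPLE_LOG)
    summary = summarize(recs)
    for port, s in sorted(summary.items()):
        print(f"port {port}: {s['flows']} flows, {s['clients']} clients, max synCnt {s['max_syncnt']}")
    print("verdict:", assess(summary))
    print("cookie misses:", cookie_misses(SAMPLE_LOG))
```

On the sample above every record has synCnt 1 and a single client, so both ports come out as "single-syn": the messages describe individual SYNs per flow seen at debug level, not a flood, which is worth establishing before spending time on them as a cause of the blank-page reports. The cookie-miss count on the WCC-7 side is kept separate so it can be compared against the complaint timestamps.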



