Redirecting all http traffic to https when the ACE is performing SSL termination (for accessibility purposes)

Answered Question
Feb 25th, 2010

Hi,


I have an ACE fronting a two-Apache-webserver serverfarm and performing SSL termination for the website served by the serverfarm. The entire website needs to be secure, i.e. every page needs to be https as opposed to just sub-sections or specific URLs that need to be https.


For accessibility purposes I'd like to allow inbound port 80 for the sole purpose of re-writing/re-directing the request to https, i.e. so that the page is accessible without a user having to specify the https:// prefix in a browser address bar and likewise results from search engines working (which I believe don't include the http/https prefix).


Typically we use the ACE just for load-balancing and SSL termination with web logic style functionality (re-writes/re-directs) performed by the http server tier below (mainly because of the distinction between the skills of the support teams involved - Networks vs Applications). The web app team that looks after the Apache servers has suggested having each server listening on two ports and having the ACE forward native http traffic to the Apache(s) on one port and https traffic that is terminated by the ACE and then forwarded on as http on another. The instance of Apache that plain (non-SSL terminated) http traffic is sent to could then just have a rule to forward everything to https (so a user couldn't even deliberately try and remove the 's' from https in the address bar).


My question is whether the ACE can do the same thing negating the need for the added Apache complexity?


Can the ACE simply send a re-direction back to the user every time the http VIP is hit, just changing the URL requested to https so it doesn't even have to hit the Apache server?


thanks in advance for any advice


regards


Matthew

Correct Answer by Sean Merrow, Thu, 02/25/2010 - 05:23

Hi Matthew,


Yes, the ACE can do what you are looking for, and I totally agree that it would reduce a lot of added complexity from the servers.  Below is an example of HTTP-to-HTTPS Redirect w/SSL Termination & HTTP-to-HTTPS Header Re-write.  The header re-write is cool: since the backend servers are listening on port 80 (or some clear-text port), if they send a redirect for some reason the ACE will even re-write the Location header of the 301 or 302 redirect to use HTTPS.


With the example config below, clients that connect to the VIP on port 80 (HTTP) will be redirected to the same FQDN and path using port 443 (HTTPS).  Clients will then open an HTTPS session to the ACE where the SSL session will be terminated and load balanced to the real servers in clear-text on port 80 (HTTP).  The HTTP-to-HTTPS redirect in this example is a 301 redirect (permanent).  The 301 can be either removed or changed to 302 to revert to the default of a temporary redirect.


If your ACE is running A2 software or higher for the module, or A3 software or higher for the 4700 appliance, then you can also include the necessary configuration for HTTP-to-HTTPS redirect location header re-write.



The example below has three parts: the HTTP-to-HTTPS redirect configuration, the SSL termination configuration, and the HTTP-to-HTTPS redirect Location header re-write.

Example Config

access-list ANYONE line 10 extended permit ip any any

probe http HTTP-KEEPALIVE
  interval 5
  faildetect 3
  passdetect interval 5
  passdetect count 2
  request method get url /keepalive.html
  expect status 200 200

rserver redirect REDIRECT-TO-HTTPS
  webhost-redirection https://%h%p 301
  inservice

rserver host SERVER_01
  ip address 10.10.10.20
  inservice

rserver host SERVER_02
  ip address 10.10.10.21
  inservice

action-list type modify http REWRITE
  ssl url rewrite location www\.cisco\.* sslport 443 clearport 80

serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-TO-HTTPS
    inservice

serverfarm host REAL_SERVERS
  probe HTTP-KEEPALIVE
  rserver SERVER_01 80
    inservice
  rserver SERVER_02 80
    inservice

ssl-proxy service SSL_SERVICE
  key mykey.pem
  cert mycert.pem

class-map match-all HTTP-VIP
  2 match virtual-address 172.21.162.178 tcp eq http

class-map match-all HTTPS-VIP
  2 match virtual-address 172.21.162.178 tcp eq https

class-map type management match-any MANAGEMENT
  2 match protocol icmp any
  3 match protocol telnet any

policy-map type management first-match REMOTE_MGT
  class MANAGEMENT
    permit

policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SERVERFARM

policy-map type loadbalance first-match LOAD-BALANCE-PM
  class class-default
    serverfarm REAL_SERVERS
    action REWRITE

policy-map multi-match WEB-TRAFFIC
  class HTTP-VIP
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy LOAD-BALANCE-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_SERVICE

interface vlan 200
  ip address 172.21.162.10 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input WEB-TRAFFIC
  no shutdown

interface vlan 201
  ip address 10.10.10.1 255.255.0.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.21.162.1

You can find more information on SSL termination here, and more information on the redirects here.


Hope this helps,

Sean
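The following is an added example, not part of Sean's answer and not ACE code: a small Python model of the two ACE behaviours the answer relies on (the `webhost-redirection https://%h%p 301` rserver and the `ssl url rewrite location ... sslport 443 clearport 80` action), plus a checker for a raw response captured with `curl -si` against the HTTP VIP. How the ACE expands `%h`/`%p`, how it treats a request with no Host header, and that the host expression is applied as an unanchored regex are assumptions of this model, as are the `www.example.com` host and the `/products?id=7` path; consult the ACE regex and redirect references for the exact rules.

```python
import re
from typing import Optional, Tuple

# Added example: a model of the ACE redirect and Location re-write behaviours,
# not ACE code. Expansion and matching rules are assumptions about observable
# behaviour; sample inputs are constructed.

SSL_PORT = 443   # "sslport 443" in the action-list
CLEAR_PORT = 80  # "clearport 80" in the action-list


def http_to_https_redirect(host_header: Optional[str],
                           request_target: str) -> Optional[Tuple[int, str]]:
    """Model of 'webhost-redirection https://%h%p 301'.

    %h is taken from the client's Host header and %p from the request target
    (path plus query) exactly as received. Returns (status, location), or None
    when the request carries no Host header (assumption: with nothing to
    substitute for %h there is no hostname to redirect to).
    """
    if not host_header:
        return None
    # Drop an explicit :port from Host (e.g. "www.example.com:80"); the target
    # is the HTTPS VIP on its default port, so no port belongs in the URL.
    host = re.sub(r":\d+$", "", host_header)
    return 301, f"https://{host}{request_target}"


def rewrite_location(location: str, host_expr: str,
                     sslport: int = SSL_PORT, clearport: int = CLEAR_PORT) -> str:
    """Model of 'ssl url rewrite location <host_expr> sslport N clearport M'.

    A server redirect of the form http://<host>[:clearport]/... whose host
    matches host_expr is rewritten to https://<host>[:sslport]/...; the port
    suffix is dropped when sslport is 443. Anything else (another host, another
    port, an already-https or a relative Location) is returned untouched.
    host_expr is applied as an unanchored regex search (this model's
    assumption); anchor the expression yourself if you need an exact host.
    """
    m = re.match(r"^http://([^/:?#]+)(?::(\d+))?(.*)$", location, re.IGNORECASE)
    if not m:
        return location
    host, port, rest = m.group(1), m.group(2), m.group(3)
    if not re.search(host_expr, host, re.IGNORECASE):
        return location
    if port is not None and int(port) != clearport:
        return location
    suffix = "" if sslport == 443 else f":{sslport}"
    return f"https://{host}{suffix}{rest}"


def check_redirect_response(raw: str, expected_location: str) -> bool:
    """Parse a raw HTTP response head (as printed by 'curl -si') and confirm it
    is a 301/302 whose Location header equals expected_location. Run this on
    output captured from the VIP to verify the deployed configuration."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = re.match(r"^HTTP/\d\.\d (\d{3})", lines[0])
    if not status or status.group(1) not in ("301", "302"):
        return False
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip() == expected_location
    return False


# Constructed sample: what the HTTP VIP should answer for GET /products?id=7
# with "Host: www.example.com" (placeholder host, not from the thread).
SAMPLE_VIP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/products?id=7\r\n"
    "Content-Length: 0\r\n\r\n"
)


def demo() -> dict:
    """Run the model over the cases a practitioner would test by hand."""
    expr = r"www\.cisco\.*"  # the expression used in the action-list above
    return {
        "redirect": http_to_https_redirect("www.example.com", "/products?id=7"),
        "no_host": http_to_https_redirect(None, "/"),
        "rewritten": rewrite_location("http://www.cisco.com/login", expr),
        "other_host": rewrite_location("http://other.example/login", expr),
        "other_port": rewrite_location("http://www.cisco.com:8080/login", expr),
        "relative": rewrite_location("/login", expr),
        "vip_ok": check_redirect_response(
            SAMPLE_VIP_RESPONSE, "https://www.example.com/products?id=7"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `other_port` and `relative` cases are the ones worth remembering: a backend redirect to a port other than `clearport`, or a relative `Location`, is passed through unchanged, so the only way a browser is handed a plain-`http://` link is if the backend builds an absolute URL for a host the expression does not match. Checking the VIP from outside with `curl -si http://<host>/<path>` and feeding the output to `check_redirect_response` confirms both the status code and that the path and query survive the redirect.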

bgfl-tech Thu, 02/25/2010 - 09:02

Hi Sean,


Thanks for such a detailed answer. Exactly what I was looking for.


Many thanks


Matthew
