ACE-What is the difference between these two redirects?

Answered Question
Feb 25th, 2010

My question:


Why the need for both the class-map on WWW and HTTPS on the same VIP below?


Wouldn't the ACE see the incoming port 80 request and redirect it to 443 back to the client browser with the action-list modify statement in the config and the action url rewrite in the policy statement of the WEB-POLICY?


Yet I see a redirect statement going to https://%h/%p under the redir serverfarm.


Does this make sense?









action-list type modify http urlrewrite
  ssl url rewrite location "*"


class-map match-all WEB-VIP
  2 match virtual-address 172.20.100.104 tcp eq https


class-map match-all  WEB-redir
  2 match virtual-address 172.20.100.104 tcp eq www




policy-map type loadbalance first-match WEB-POLICY
  class class-default
    sticky-serverfarm WEB_cookie
    action urlrewrite


policy-map type loadbalance first-match WEB-redir
  class class-default
    serverfarm WEB-redir


class WEB-VIP
  loadbalance vip inservice
  loadbalance policy WEB-POLICY
  loadbalance vip icmp-reply
  ssl-proxy server WEB-SSL-PROXY
class WEB-redir
  loadbalance vip inservice
  loadbalance policy WEB-redir


rserver redirect WEB-redir
  webhost-redirection https://%h/%p
  inservice


serverfarm redirect WEB-redir
  rserver WEB-redir
    inservice

jason.espino Thu, 02/25/2010 - 21:09

Hello,


With the configuration you have posted there is a need for both class-maps, action-list, and redirection.


The way this configuration works is that for any client attempting to establish an HTTP connection, the ACE will preserve the URL but redirect them to the HTTPS equivalent, e.g. http://www.domain.com/admin -----> https://www.domain.com/admin


This configuration would be used for the inbound HTTP connections:


rserver redirect WEB-redir
   webhost-redirection https://%h/%p
   inservice


serverfarm redirect WEB-redir
  rserver WEB-redir
    inservice


class-map match-all WEB-redir
  2 match virtual-address 172.20.100.104 tcp eq www


policy-map type loadbalance first-match WEB-redir
  class class-default
    serverfarm WEB-redir


class WEB-redir
  loadbalance vip inservice
  loadbalance policy WEB-redir





Once the client's connection is redirected to HTTPS, their connection will use this part of the configuration:



action-list type modify http urlrewrite
  ssl url rewrite location "*"


class-map match-all WEB-VIP
  2 match virtual-address 172.20.100.104 tcp eq https


policy-map type loadbalance first-match WEB-POLICY
  class class-default
    sticky-serverfarm WEB_cookie
    action urlrewrite


class WEB-VIP
  loadbalance vip inservice
  loadbalance policy WEB-POLICY
  loadbalance vip icmp-reply
  ssl-proxy server WEB-SSL-PROXY



The action-list will come into play the moment the web server delivering content for the client attempts to send the client's connection BACK to an HTTP URL.  The ACE will re-write the location URL from HTTP to HTTPS to allow the client's connection to stay on an HTTPS page.


Regards,


Jason
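
The two mechanisms described in the answer above, as an added Python model (not part of the original post and not ACE code): `webhost_redirect` stands in for the port-80 redirect rserver and `ssl_url_rewrite_location` for the `ssl url rewrite location "*"` action-list on the HTTPS VIP. The function names, the 302 status, the port defaults and the sample URLs are assumptions made for the illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit, urlunsplit


def webhost_redirect(host_header, path, template="https://%h/%p"):
    """Port-80 VIP: answer the client with a redirect whose Location is the
    template with %h (Host header) and %p (URL path) filled in."""
    host = host_header.split(":")[0]  # drop an explicit :80 if the client sent one
    # Assumption: %p is substituted without its leading slash, so that
    # "https://%h/%p" produces the URL shown in the answer's example.
    location = template.replace("%h", host).replace("%p", path.lstrip("/"))
    return 302, {"Location": location}


def ssl_url_rewrite_location(status, headers, host_pattern="*",
                             clearport=80, sslport=443):
    """HTTPS VIP: if a backend redirect points back at http://<matching host>,
    rewrite its Location header to https:// before it reaches the client.
    Only the Location header is considered, which is what the answer describes."""
    location = headers.get("Location")
    if not (300 <= status < 400) or not location:
        return headers  # not a redirect: nothing to rewrite
    url = urlsplit(location)
    if url.scheme != "http" or (url.port or 80) != clearport:
        return headers  # relative, already https, or a different clear port
    if not fnmatchcase(url.hostname or "", host_pattern):
        return headers  # host does not match the rewrite expression
    netloc = url.hostname if sslport == 443 else f"{url.hostname}:{sslport}"
    rewritten = urlunsplit(("https", netloc, url.path, url.query, url.fragment))
    return {**headers, "Location": rewritten}


def demo():
    """Constructed sample traffic: one inbound HTTP request, one backend reply."""
    # 1. Client hits the www (port 80) VIP.
    to_client = webhost_redirect("www.domain.com", "/admin")
    # 2. On the HTTPS VIP the backend tries to send the client back to HTTP.
    backend = {"Location": "http://www.domain.com/login?next=/admin"}
    fixed = ssl_url_rewrite_location(302, backend)
    return to_client, fixed


if __name__ == "__main__":
    print(demo())
```
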

nygenxny123 Fri, 02/26/2010 - 22:40

Thanks for the explanation.


Correct me if I'm wrong.


So if the outside user is coming in on HTTP, the rserver redirect will come into play when the ACE makes it go HTTPS, per my config.


Now the url redirect comes into play coming in from the server: if the server for some reason sends URL info as HTTP, the ACE will rewrite it as HTTPS.


Now, is it best practice to have both these configs to make sure that all data is always HTTPS?


Why would you have one without the other?


I can only imagine you wouldn't have the rserver redirect https%h%p if you were not allowing anything coming in on port 80, since all inbound traffic would be 443?


However, even if you only had 443 open, you would still use the url rewrite because the backend server may send something back in clear text?


Am I right in my conclusion?

Correct Answer
jason.espino Sun, 02/28/2010 - 21:14

Hello,


Your understanding of how the configuration works is correct.



To answer your questions:


"Now, is it best practice to have both these configs to make sure that all data is always HTTPS?"


I would say so, as the redirect will ALWAYS send the client to an HTTPS site, and the url rewrite will ensure the connection stays on HTTPS.


"Why would you have one without the other?"


This question I cannot answer. I'm not sure if the person who owns the site/domain wanted the client's connection to be HTTPS only for security reasons, application reasons, or just personal preference.


"I can only imagine you wouldn't have the rserver redirect https%h%p if you were not allowing anything coming in on port 80, since all inbound traffic would be 443?"


Even if there was no HTTP content being served, the rserver redirect's purpose would be to ensure the client's connection is redirected to an HTTPS URL that can be processed by the web servers, rather than have the client's connection simply time out on the browser if there was no redirect or port 80 configuration in place.


"However, even if you only had 443 open, you would still use the url rewrite because the backend server may send something back in clear text?"


That is a possibility. The url rewrite would simply ensure the client's connection remains on HTTPS.


Regards,


Jason
