02-25-2010 05:02 PM
My question:
Why the need for both the class-map on WWW and HTTPS on the same VIP below?
Wouldn't the ACE see the incoming port 80 request and redirect it to 443 back to the
client browser with the action-list modify statement in the config and the action url rewrite in the policy statement
of the WEB-POLICY?
Yet I see a redirect statement going to https://%h/%p under the redir serverfarm.
Does this make sense?
action-list type modify http urlrewrite
  ssl url rewrite location "*"

class-map match-all WEB-VIP
  2 match virtual-address 172.20.100.104 tcp eq https
class-map match-all WEB-redir
  2 match virtual-address 172.20.100.104 tcp eq www

policy-map type loadbalance first-match WEB-POLICY
  class class-default
    sticky-serverfarm WEB_cookie
    action urlrewrite
policy-map type loadbalance first-match WEB-redir
  class class-default
    serverfarm WEB-redir

  class WEB-VIP
    loadbalance vip inservice
    loadbalance policy WEB-POLICY
    loadbalance vip icmp-reply
    ssl-proxy server WEB-SSL-PROXY
  class WEB-redir
    loadbalance vip inservice
    loadbalance policy WEB-redir

rserver redirect WEB-redir
  webhost-redirection https://%h/%p
  inservice

serverfarm redirect WEB-redir
  rserver WEB-redir
    inservice
02-25-2010 09:09 PM
Hello,
With the configuration you have posted there is a need for both class-maps, action-list, and redirection.
The way this configuration will work is that for any client attempting to establish an HTTP connection, the ACE will preserve the URL but redirect them to the HTTPS equivalent. Ex: http://www.domain.com/admin -----> https://www.domain.com/admin
This configuration would be used for the inbound HTTP connections:
rserver redirect WEB-redir
  webhost-redirection https://%h/%p
  inservice

serverfarm redirect WEB-redir
  rserver WEB-redir
    inservice

class-map match-all WEB-redir
  2 match virtual-address 172.20.100.104 tcp eq www

policy-map type loadbalance first-match WEB-redir
  class class-default
    serverfarm WEB-redir

  class WEB-redir
    loadbalance vip inservice
    loadbalance policy WEB-redir
Once the client's connection is redirected to HTTPS, their connection will use this part of the configuration:
action-list type modify http urlrewrite
  ssl url rewrite location "*"

class-map match-all WEB-VIP
  2 match virtual-address 172.20.100.104 tcp eq https

policy-map type loadbalance first-match WEB-POLICY
  class class-default
    sticky-serverfarm WEB_cookie
    action urlrewrite

  class WEB-VIP
    loadbalance vip inservice
    loadbalance policy WEB-POLICY
    loadbalance vip icmp-reply
    ssl-proxy server WEB-SSL-PROXY
The action-list will come into play the moment the web server delivering content for the client attempts to send the client's connection BACK to an HTTP URL. The ACE will re-write the location URL from HTTP to HTTPS to allow the client's connection to stay on an HTTPS page.
Regards,
Jason
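Added example (not part of the thread and not Cisco code): a small Python audit of the two behaviours described above, the port 80 redirect that preserves host and path, and the Location rewrite that keeps HTTPS responses from pointing back to HTTP. The observations are constructed sample data using the www.domain.com host from the reply; function names are illustrative.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 307, 308)

def check_redirect(request_url, status, location):
    """Port-80 VIP: the answer must be a redirect to the same host and path on https."""
    if status not in REDIRECT_CODES or not location:
        return [f"expected a redirect, got status {status}"]
    req, loc = urlsplit(request_url), urlsplit(location)
    problems = []
    if loc.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    if loc.hostname != req.hostname:
        problems.append(f"host not preserved: {loc.hostname}")
    if loc.path.lstrip("/") != req.path.lstrip("/"):  # compare ignoring leading slashes
        problems.append(f"path not preserved: {loc.path}")
    return problems

def check_location(location):
    """HTTPS VIP: with a rewrite pattern of "*", no absolute http:// Location
    should reach the client. Relative Locations keep the current scheme."""
    if location and urlsplit(location).scheme == "http":
        return [f"cleartext Location reached the client: {location}"]
    return []

def audit(port80, port443):
    """Return {request_url: [problems]} for every observation that fails a check."""
    findings = {}
    for url, status, location in port80:
        findings[url] = check_redirect(url, status, location)
    for url, location in port443:
        findings[url] = check_location(location)
    return {url: p for url, p in findings.items() if p}

# Constructed observations, not captured traffic.
PORT80 = [  # (request URL, status, Location header)
    ("http://www.domain.com/admin", 302, "https://www.domain.com/admin"),
    ("http://www.domain.com/cart", 302, "http://www.domain.com/cart"),
    ("http://www.domain.com/login", 200, None),
]
PORT443 = [  # (request URL, Location header seen by the client)
    ("https://www.domain.com/login", "https://www.domain.com/home"),
    ("https://www.domain.com/logout", "http://www.domain.com/"),
    ("https://www.domain.com/help", "/faq"),
]

if __name__ == "__main__":
    for url, problems in audit(PORT80, PORT443).items():
        print(url, "->", "; ".join(problems))
```

A failure in the first list points at the redirect rserver or the port 80 class-map; a failure in the second points at the action-list not being applied to the HTTPS policy.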
02-26-2010 10:40 PM
Thx for the explanation.
Correct me if I'm wrong.
So if the outside user is coming in on http, the rserver redirect will come into play when the ACE makes it go https, per my config.
Now the url redirect is into play coming in from the server: if the server for some reason sends url info http, the ACE will rewrite it as https.
Now ..is it best practice to have both these configs to make sure that all data is always https?
Why would you have one without the other?
I can only imagine you wouldn't have the rserver redirect https%h%p if you were not allowing anything coming in on port 80,
since all inbound traffic would be 443?
However, even if you only had 443 open, you would still use the url rewrite because the backend server may send something back clear text?
Am I right in my conclusion?
02-28-2010 09:14 PM
Hello,
Your understanding of how the configuration works is correct.
To answer your questions:
"Now ..is it best practice to have both these configs to make sure that all data is always https?"
I would say so, as the redirect will ALWAYS send the client to an HTTPS site, and the url rewrite will ensure the connection stays on HTTPS.
"why would you have one without the other?"
This question I cannot answer. I'm not sure if the person who owns the site/domain wanted the client's connection to be HTTPS only for security reasons, application reasons, or just personal preference.
"I can only imagine you wouldn't have the rserver redirect https%h%p if you were not allowing anything coming in on port 80,
since all inbound traffic would be 443?"
Even if there was no HTTP content being served, the rserver redirect's purpose would ensure the client's connection is redirected to an HTTPS URL that can be processed by the web servers, rather than have the client's connection simply time out on the browser if there was no redirect or port 80 configuration in place.
"However, even if you only had 443 open, you would still use the url rewrite because the backend server may send something back clear text?"
That is a possibility. The url rewrite would simply ensure the client's connection remains on HTTPS.
Regards,
Jason
03-02-2010 07:50 AM
thanks for the explanation