ACE-What is the difference between these two redirects?

nygenxny123
Level 1

My question:

Why the need for both the class-map on WWW and HTTPS on the same VIP below?

Wouldn't the ACE see the incoming port 80 request and redirect it to 443 back to the client browser with the action-list modify statement in the config and the action url rewrite in the policy statement of the WEB-POLICY?

Yet I see a redirect statement going to https://%h/%p under the redir serverfarm.

Does this make sense?

action-list type modify http urlrewrite
  ssl url rewrite location "*"

class-map match-all WEB-VIP
  2 match virtual-address 172.20.100.104 tcp eq https

class-map match-all  WEB-redir
  2 match virtual-address 172.20.100.104 tcp eq www

policy-map type loadbalance first-match WEB-POLICY
  class class-default
    sticky-serverfarm WEB_cookie
    action urlrewrite

policy-map type loadbalance first-match WEB-redir
  class class-default
    serverfarm WEB-redir

class WEB-VIP
  loadbalance vip inservice
  loadbalance policy WEB-POLICY
  loadbalance vip icmp-reply
  ssl-proxy server WEB-SSL-PROXY
class WEB-redir
  loadbalance vip inservice
  loadbalance policy WEB-redir

rserver redirect WEB-redir
  webhost-redirection https://%h/%p
  inservice

serverfarm redirect WEB-redir
  rserver WEB-redir
    inservice


jason.espino
Level 1

Hello,

With the configuration you have posted there is a need for both class-maps, action-list, and redirection.

The way this configuration will work is that for any client attempting to establish an HTTP connection, the ACE will preserve the URL but redirect them to the HTTPS equivalent. Ex: http://www.domain.com/admin -----> https://www.domain.com/admin

This configuration would be used for the inbound HTTP connections:

rserver redirect WEB-redir
  webhost-redirection https://%h/%p
  inservice

serverfarm redirect WEB-redir
  rserver WEB-redir
    inservice

class-map match-all WEB-redir
  2 match virtual-address 172.20.100.104 tcp eq www

policy-map type loadbalance first-match WEB-redir
  class class-default
    serverfarm WEB-redir

class WEB-redir
  loadbalance vip inservice
  loadbalance policy WEB-redir

Once the client's connection is redirected to HTTPS, their connection will use this part of the configuration:


action-list type modify http urlrewrite
  ssl url rewrite location "*"


class-map match-all WEB-VIP
  2 match virtual-address 172.20.100.104 tcp eq https

policy-map type loadbalance first-match WEB-POLICY
  class class-default
    sticky-serverfarm WEB_cookie
    action urlrewrite

class WEB-VIP
  loadbalance vip inservice
  loadbalance policy WEB-POLICY
  loadbalance vip icmp-reply
  ssl-proxy server WEB-SSL-PROXY

The action-list will come into play the moment the web server delivering content for the client attempts to send the client's connection BACK to an HTTP URL.  The ACE will re-write the location URL from HTTP to HTTPS to allow the client's connection to stay on an HTTPS page.

Regards,

Jason

Thanks for the explanation.

Correct me if I'm wrong.

So if the outside user is coming in on HTTP, the rserver redirect will come into play when the ACE makes it go HTTPS, per my config.

Now the url redirect comes into play coming in from the server: if the server for some reason sends URL info as HTTP, the ACE will rewrite it as HTTPS.

Now, is it best practice to have both these configs to make sure that all data is always HTTPS?

Why would you have one without the other?

I can only imagine you wouldn't have the rserver redirect https%h%p if you were not allowing anything coming in on port 80, since all inbound traffic would be 443?

However, even if you only had 443 open, you would still use the url rewrite because the backend server may send something back clear text?

Am I right in my conclusion?

Hello,

Your understanding of how the configuration works is correct.

To answer your questions:

"Now, is it best practice to have both these configs to make sure that all data is always HTTPS?"

I would say so, as the redirect will ALWAYS send the client to an HTTPS site, and the url rewrite will ensure the connection stays on HTTPS.

"Why would you have one without the other?"

This question I cannot answer. I'm not sure if the person who owns the site/domain wanted the client's connection to be HTTPS only for security reasons, application reasons, or just personal preference.

"I can only imagine you wouldn't have the rserver redirect https%h%p if you were not allowing anything coming in on port 80, since all inbound traffic would be 443?"

Even if there was no HTTP content being served, the rserver redirect's purpose would be to ensure the client's connection is redirected to an HTTPS URL that can be processed by the web servers, rather than have the client's connection simply time out on the browser if there was no redirect or port 80 configuration in place.

"However, even if you only had 443 open, you would still use the url rewrite because the backend server may send something back clear text?"

That is a possibility. The url rewrite would simply ensure the client's connection remains on HTTPS.

Regards,

Jason

thanks for the explanation
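The two mechanisms discussed in this thread, modeled in Python as an added example (not code from the posters or from Cisco): it traces which URLs a browser requests with the port-80 redirect and the Location rewrite each switched on or off. The function names, the backend redirect table and the assumption that %p expands to the path without its leading slash are illustrative, not taken from the ACE.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a backend behind SSL offload that answers /admin with an
# absolute cleartext redirect, because it believes it is serving plain HTTP.
BACKEND = {"/admin": "http://www.domain.com/login"}

def webhost_redirection(template, host, path):
    """Expand %h (Host header) and %p (path, assumed without its leading slash)."""
    return template.replace("%h", host).replace("%p", path.lstrip("/"))

def ssl_rewrite_location(location, pattern="*"):
    """Model of 'ssl url rewrite location <pattern>' on a response Location header."""
    parts = urlsplit(location)
    if parts.scheme == "http" and parts.hostname and fnmatch(parts.hostname, pattern):
        # Simplification: any explicit port in the Location header is dropped.
        return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))
    return location

def follow(url, backend, port80_redirect=True, rewrite=True, max_hops=10):
    """Return every URL the browser requests, in order, until content is served."""
    hops = []
    for _ in range(max_hops):
        hops.append(url)
        parts = urlsplit(url)
        if parts.scheme == "http":
            if not port80_redirect:
                break  # nothing answers on port 80: the browser is stranded here
            url = webhost_redirection("https://%h/%p", parts.hostname, parts.path)
            continue
        location = backend.get(parts.path)
        if location is None:
            break  # backend served content over the HTTPS VIP
        url = ssl_rewrite_location(location) if rewrite else location
    return hops

def cleartext_hops(hops):
    """Requests that crossed the network unencrypted."""
    return [u for u in hops if u.startswith("http://")]

if __name__ == "__main__":
    start = "http://www.domain.com/admin"
    for label, kwargs in [("redirect + rewrite", {}), ("redirect only", {"rewrite": False})]:
        hops = follow(start, BACKEND, **kwargs)
        print(label, "->", hops, "cleartext:", len(cleartext_hops(hops)))
```

With the redirect alone, the backend's http:// Location sends the browser back through port 80 for a second unencrypted request; with both in place, only the very first request is cleartext.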
