
Can ACE rewrite https request with a redirect link inside a web page within a single SSL session?

geraldjacksontx
Level 1

I have an SSL load-balance VIP/class map which works fine.

The problem is that the developers of the web apps want to have a link in XML (Tomcat app) to a map app (different port, same box). It is behind multiple firewalls and I can't get permission to open more ports. So can I take the redirection in the web page to a serverfarm and keep it in the SSL connection? I have opened a ticket with Cisco, but they have been no help.

This is my config with everything cut out but the redirect.

action-list type modify http HTTP2HTTPS-REWRITE
  ssl url rewrite location ".*"

probe http WEB
  interval 5
  faildetect 2
  passdetect interval 15
  passdetect count 2
  expect status 200 302

parameter-map type ssl SSL_PARAMETER_MAP
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 8
  cipher RSA_WITH_AES_128_CBC_SHA priority 9
  cipher RSA_WITH_AES_256_CBC_SHA priority 10

parameter-map type connection TCP_IDLE_TIMEOUT
  set timeout inactivity 2700

rserver host lnxsv1
  description lnxsv1
  ip address 1.1.1.230
  inservice

ssl-proxy service SSL_SVC_WEB
  key my.key.pem
  cert my.cert.pem

serverfarm host SF_WEB_80
  description SF_WEB_80 Server Farm
  predictor leastconns
  probe WEB
  rserver lnxsv1 80
    inservice

class-map match-all CM_WEB_443
  2 match virtual-address 192.168.200.123 tcp eq https

class-map match-all CM_WEB_80
  2 match virtual-address 192.168.200.23 tcp eq www

class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  201 match protocol telnet any
  202 match protocol ssh any
  203 match protocol icmp any
  204 match protocol http any
  205 match protocol https any
  206 match protocol snmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match PM_WEB_80
  class class-default
    serverfarm SF_WEB_80
    action HTTP2HTTPS-REWRITE

policy-map multi-match PM_MM_WEB
  class CM_WEB_80
    loadbalance vip inservice
    loadbalance policy PM_WEB_80
    loadbalance vip icmp-reply
    nat dynamic 10 vlan 604
    connection advanced-options TCP_IDLE_TIMEOUT
  class CM_WEB_443
    loadbalance vip inservice
    loadbalance policy PM_WEB_80
    loadbalance vip icmp-reply
    nat dynamic 10 vlan 604
    ssl-proxy server SSL_SVC_WEB
    connection advanced-options TCP_IDLE_TIMEOUT

timeout xlate 60

interface vlan 604
  description Client Side Connectivty
  ip address 192.168.200.242 255.255.255.0
  alias 192.168.200.8 255.255.255.0
  peer ip address 192.168.200.243 255.255.255.0
  no normalization
  access-group input ALL
  access-group output ALL
  nat-pool 10 192.168.202.33 192.168.202.64 netmask 255.255.252.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input PM_MM_WEB

3 Replies

Gilles Dufour
Cisco Employee

The backend and the frontend are separated.

So, you can receive a request in SSL (frontend) and send it to a server in cleartext on the backend.

You can go to different servers, different ports.

All you need to do is catch the request in a class-map type http loadbalance ...

But, you can't change the URL inside the request.

So, without more details about what you need exactly, we can't give you more info.

Gilles.

So what the developers want is:

Client Web Browser --> Firewall --> Firewall -->router ACL -->Firewall ---> ACE VIP with SSL termination-------> Load Balanced to port 80 in the serverfarm.

Works great.

Now they would like to add a link on the web page that is being load balanced. The link is just another port on the same servers. Let's say :7779

So the developer has a link that reads:

var baseURL = http://sameserver:7779/mapviewer

Can I:

Client Web Browser -> Firewall -> Firewall -> router ACL -> Firewall -> ACE VIP with SSL termination -> read the request and send to:
    -> Load Balanced to port 80 in the serverfarm
    -> If it equals: http://sameserver:7779/mapviewer

The problem is that http://xxxxxxx:7779 will tell the browser to open a different connection to xxxxxxxxx port 7779.

If I understand correctly, this is what you want to prevent because this would require the firewall to open a hole for port 7779.

ACE can't modify the server response.

There is no other solution than to rewrite those links on the servers and remove port 7779.

On the ACE you can then catch the link (without port 7779) when the request comes in, and identify that this connection needs to be sent to port 7779.

That is possible.

You just need a class-map type loadbalance HTTP and a match url regex.

Then under your policy type loadbalance, instead of a simple class-default, you have your match url class sending traffic to a serverfarm using port 7779 and for the rest you use a serverfarm with port 80.

Gilles.
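The split Gilles describes (URL-based class map on the ACE, the matching requests sent to a serverfarm on port 7779 and everything else to port 80, all inside the one client-side SSL session) as an added ACE configuration fragment. This is not from the original thread and not a Cisco reference configuration; it reuses the thread's own names (SF_WEB_80, PM_WEB_80, lnxsv1, probe WEB, HTTP2HTTPS-REWRITE) and assumes a new serverfarm SF_WEB_7779 and class map CM_MAPVIEWER, with the path /mapviewer taken from the developer's link. The lines prefixed `!` are annotations for the reader, not ACE commands; strip them before pasting.

```text
! Prerequisite on the servers (constructed example of the developer's link, not on the page):
! the page must emit a same-origin, port-free link, e.g.
!   var baseURL = "/mapviewer";
! The ACE's "ssl url rewrite location" action only rewrites the Location header of
! 3xx redirects; it does not touch links inside HTML or JavaScript the server returns,
! which is why the port has to disappear from the link on the server side.

! Assumed: second serverfarm pointing at the same rserver on the map app's port.
serverfarm host SF_WEB_7779
  description Map viewer on port 7779
  predictor leastconns
  probe WEB
  rserver lnxsv1 7779
    inservice

! Assumed: layer-7 class map that selects the map viewer requests by URL.
! Keep the expression as narrow as the paths the map app actually serves, so that
! no other request is steered to the 7779 backend.
class-map type http loadbalance match-any CM_MAPVIEWER
  2 match http url /mapviewer.*

! Existing policy from the thread, with the specific class placed before
! class-default (first-match order decides which serverfarm is chosen).
policy-map type loadbalance first-match PM_WEB_80
  class CM_MAPVIEWER
    serverfarm SF_WEB_7779
  class class-default
    serverfarm SF_WEB_80
    action HTTP2HTTPS-REWRITE
```

Nothing changes on the client side of the VIP: the browser still talks only to the VIP on 443, the SSL session is terminated by SSL_SVC_WEB as before, and the firewall path needs no new port. Because the class map is of type `http loadbalance`, the ACE has to parse the request to pick a serverfarm, so the VIP becomes a layer-7 VIP; the map app's responses should be checked for absolute URLs or redirects that still carry :7779, since those would again take the browser off the VIP.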
