CSS 11503 http redirect / rewrite to https ssl with wildcard cert

Answered Question
Jul 15th, 2010
I am trying to get all my traffic for http VIP sent to https on the same VIP. I have managed to do this with a single A record but my problem is that I have a wildcard SSL and want to be able to direct incoming http to https and keep the address information.

i.e. http://test.domain.com to go to https://test.domain.com and
     http://newtest.domain.com to go to https://newtest.domain.com

I have around 30 subdomains and do not want to have to write rules for each subdomain to be redirected.

My configuration looks like this at the moment and any light would be greatly appreciated.



  ssl associate rsakey domainkkey domainrsakey.pem
  ssl associate cert domaincert domaincert.crt

  ip route 0.0.0.0 0.0.0.0 192.168.33.1 1

!************************* INTERFACE *************************
interface 3/1
  bridge vlan 33

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 192.168.35.1 255.255.255.0

circuit VLAN33
  ip address 192.168.33.2 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl-proxy
  ssl-server 1
  ssl-server 1 vip address 192.168.33.102
  ssl-server 1 rsacert domaincert
  ssl-server 1 rsakey domainkey
  ssl-server 1 cipher rsa-with-rc4-128-md5 192.168.35.5 80
  ssl-server 1 urlrewrite 10 *.domain.com sslport 443 clearport 80
  active

!************************** SERVICE **************************
service EUHS1WEB20
  protocol tcp
  port 80
  ip address 192.168.35.20
  keepalive type none
  active

service EUHS1WEB21
  protocol tcp
  port 80
  ip address 192.168.35.21
  keepalive type tcp
  active

service SSL-MYDOMAIN
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list ssl-proxy
  active

service SSL-REWRITE
  keepalive type none
  type redirect
  no prepend-http
  redirect-string "https://*"
  active

!*************************** OWNER ***************************
owner domain.com

  content decrypt-http
    vip address 192.168.35.5
    protocol tcp
    port 80
    add service EUHS1WEB23
    active

  content ssl-rule
    vip address 192.168.33.102
    port 443
    protocol tcp
    add service SSL-MYDOMAIN
    active

  content testhttp
    vip address 192.168.33.102
    protocol tcp
    port 80
    url "/*"
    add service SSL-REWRITE
    active

CSS11503#


Thank you in advance

Correct Answer
pcoughlin01 Mon, 07/19/2010 - 04:32
I don't believe this is possible using a single rule. See post https://supportforums.cisco.com/message/457788#457788 for more information. I ran into a similar situation and had to create multiple rules with the same VIP, but different URLs and redirect services (see below).


Hope this helps.

Pat



service redirect-tenant2
  keepalive type none
  type redirect
  no prepend-http
  domain https://tenant2.yourdomain.com


service redirect-tenant3
  keepalive type none
  type redirect
  no prepend-http
  domain https://tenant3.yourdomain.com


service redirect-tenant4
  keepalive type none
  type redirect
  no prepend-http
  domain "https://tenant4.yourdomain.com"


  content tenant2
    vip address 192.168.99.1
    protocol tcp
    port 80
    url "//tenant2.yourdomain.com/*"
    add service redirect-tenant2


  content tenant3
    vip address 192.168.99.1
    protocol tcp
    port 80
    url "//tenant3.yourdomain.com/*"
    add service redirect-tenant3


  content tenant4
    vip address 192.168.99.1
    protocol tcp
    port 80
    url "//tenant4.yourdomain.com/*"
    add service redirect-tenant4

Glenn R Mon, 07/19/2010 - 05:39
Thank you for your response.


After much reading and head scratching I have concluded that what you mentioned is the only way to be able to do this. The problem I have is that off our wildcard we have 2500 sites, i.e. test1.domain.com - test2500.domain.com, and do not feel like typing in a large list for each A record.


So what I would have liked is not achievable, as you mentioned, in my situation and I have had to rethink this.


What I have done is change my Apache servers' index page to redirect to another named page with a redirect rule.


As follows:


CSS -->VIP for -- http://test1.domain.com/index.php

Apache --> redirect to --  header("Location: https://" . $_SERVER['HTTP_HOST'] . "/newpage.php");


So the switch keeps the VIP the same but just switches to https.


Not perfect but works


Thank you
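
Added example, not part of the posts above: the index-page redirect builds its Location header from `$_SERVER['HTTP_HOST']`, which is supplied by the client, so this version reflects the host only when it is a single-label subdomain of the wildcard domain (the only names a `*.domain.com` certificate covers). `BASE_DOMAIN`, the function name and the sample Host values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the wildcard certificate is for *.domain.com, as in the thread.
const BASE_DOMAIN = 'domain.com';

/**
 * Build the HTTPS redirect target for a request, or return null when the
 * Host header is not a single-label subdomain of BASE_DOMAIN.
 * (Hypothetical helper, not from the original posts.)
 */
function https_redirect_target(?string $hostHeader, string $path): ?string
{
    if ($hostHeader === null) {
        return null;
    }
    // Host may carry a port ("test1.domain.com:80"); drop it and normalise case.
    $host = strtolower((string) preg_replace('/:\d+$/', '', trim($hostHeader)));

    // Exactly one DNS label (letters, digits, inner hyphens) plus the base domain.
    // Foreign domains, extra labels and control characters do not match.
    $pattern = '/\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.'
             . preg_quote(BASE_DOMAIN, '/') . '\z/';
    if (preg_match($pattern, $host) !== 1) {
        return null;
    }
    return 'https://' . $host . $path;
}

// Constructed sample Host values, not captured traffic.
$samples = ['test1.domain.com', 'Test2500.Domain.com:80',
            'domain.com.example.net', 'a.b.domain.com'];
foreach ($samples as $h) {
    printf("%-24s => %s\n", $h,
        https_redirect_target($h, '/newpage.php') ?? 'rejected');
}

// In index.php the same function would drive the redirect:
//   $target = https_redirect_target($_SERVER['HTTP_HOST'] ?? null, '/newpage.php');
//   if ($target === null) { http_response_code(400); exit; }
//   header('Location: ' . $target, true, 301);
//   exit;
```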
