Introduction
In Cisco ACE configuration, real servers (rservers) are dedicated physical servers that you typically configure in groups called server farms. Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location in a data center. Web sites often comprise groups of servers configured in a server farm. Load-balancing software distributes client requests for content or services among the real servers based on the configured policy and traffic classification, server availability and load, and other factors.
This document describes a scenario in which the ACE redirects client traffic from an HTTP connection to an HTTPS connection and then terminates the SSL session itself.
SSL Termination
SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server. To terminate SSL sessions, the ACE must be configured with both an SSL certificate and the corresponding SSL key. The SSL files (certificate and key) can either be generated with a tool such as OpenSSL or requested from a certificate authority. The SSL termination configuration begins like the basic Layer 4 load-balancing configuration, by defining a VIP and the corresponding server farm and rservers. Although the VIP can be configured with a port of "any," the ACE will send a TCP reset on any non-SSL connection that reaches it. To prevent this, it is recommended that you bind the VIP to a port.
Configure
In this example clients that connect to the VIP on port 80 (HTTP) will be redirected to the same FQDN and path using port 443 (HTTPS). Clients will then open an HTTPS session to the ACE where the SSL session will be terminated and load balanced to the real servers.
You can use redirect rserver to redirect HTTP connections to HTTPS. The HTTP-to-HTTPS redirect in this example is a 301 redirect (permanent). The 301 can be either removed or changed to 302 to revert to the default of a temporary redirect.
rserver redirect REDIRECT-TO-HTTPS
  webhost-redirection https://%h%p 301
  inservice
rserver host SERVER_01
  ip address 10.10.10.20
  inservice
rserver host SERVER_02
  ip address 10.10.10.21
  inservice
ssl-proxy service SSL_SERVICE
  key mykey.pem
  cert mycert.pem
serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-TO-HTTPS
    inservice
serverfarm host REAL_SERVERS
  rserver SERVER_01 80
    inservice
  rserver SERVER_02 80
    inservice
class-map match-all HTTP-VIP
  2 match virtual-address 172.21.162.178 tcp eq http
class-map match-all HTTPS-VIP
  2 match virtual-address 172.21.162.178 tcp eq https
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match LOAD-BALANCE-PM
  class class-default
    serverfarm REAL_SERVERS
policy-map multi-match WEB-TRAFFIC
  class HTTP-VIP
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM
    loadbalance vip icmp-reply
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy LOAD-BALANCE-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_SERVICE
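The redirect rserver above builds its Location header from the template https://%h%p, where %h is taken from the client's Host header and %p from the request path. The following Python script is an added example, not Cisco code and not part of this document's configuration; it renders that template the way the ACE is expected to, and checks a captured HTTP response against what was configured: a 301 status, an https scheme, a Location host inside an allowed set, and a path that matches what the client asked for. The response bytes are constructed for the example, and the placeholder expansion (only %h and %p) is an assumption about the ACE behaviour described on this page.

```python
from urllib.parse import urlsplit

# Constructed sample: what the HTTP VIP sends back for a plain-HTTP request,
# with CRLF line endings as on the wire. Not a real capture.
SAMPLE_REDIRECT_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/catalog/item\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def render_redirect(template: str, host: str, path: str) -> str:
    """Expand the webhost-redirection template.

    Assumption: %h is replaced by the client's Host header and %p by the
    request path; no other placeholders are handled here.
    """
    return template.replace("%h", host).replace("%p", path)


def parse_response(raw: bytes):
    """Return (status_code, {lower-cased header name: value}) for raw HTTP/1.x."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(raw: bytes, request_host: str, request_path: str,
                   allowed_hosts: set, expected_status: int = 301) -> list:
    """Return a list of problems; an empty list means the redirect matches
    the configured behaviour (301, https, same host and path)."""
    problems = []
    status, headers = parse_response(raw)
    if status != expected_status:
        problems.append(f"status {status}, expected {expected_status}")
    location = headers.get("location")
    if location is None:
        problems.append("no Location header")
        return problems
    parts = urlsplit(location)
    if parts.scheme != "https":
        problems.append(f"scheme {parts.scheme!r} is not https")
    # %h reflects whatever Host header the client sent, so the redirect target
    # is only as trustworthy as that header. Verifying the host against the
    # names you actually serve catches redirects that point somewhere else.
    if parts.hostname not in allowed_hosts:
        problems.append(f"host {parts.hostname!r} not in allowed set")
    expected = render_redirect("https://%h%p", request_host, request_path)
    if location != expected:
        problems.append(f"Location {location!r} != expected {expected!r}")
    return problems


if __name__ == "__main__":
    result = check_redirect(SAMPLE_REDIRECT_RESPONSE, "www.example.com",
                            "/catalog/item", {"www.example.com"})
    print("OK" if not result else "; ".join(result))
```

In practice you would feed check_redirect the bytes returned by a plain-HTTP request to the VIP on port 80 and run it once per hostname the VIP serves; whether the ACE carries a query string into %p is not stated on this page, so compare against whatever path form your clients actually send.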
HTTPS to HTTPS Redirection
In the HTTPS case, the ACE must first be able to inspect the HTTP header before it can redirect; this is only possible after SSL termination, after which the request is load balanced to the redirect serverfarm. The URL/URI rewrite feature was introduced in the A5 train. The HTTP URL rewrite feature enables the ACE to rewrite URI/URL pathnames in HTTP requests. You can rewrite the URL value in an HTTP request from a client using the url rewrite command in action-list modify configuration mode.
url rewrite url_regex replace new_url_regex
Related Information
Configuring SSL Termination
SSL Termination on the Cisco Application Control Engine
ACE URL rewrite SSL from HTTP to HTTPS