cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1741
Views
0
Helpful
4
Replies

ACE 30 redirect question

derek wilson
Level 1
Level 1

Hi

I have a ACE 30 with a VIP listening on 443 the passing traffic out to the rservers also on 443 - no ssl offload.

Is it possible to have a redirect for clients coming in on http to redirect to https?

Any config examples would be handy.

thanks

4 Replies 4

Jorge Bejarano
Level 4
Level 4

Derek, maybe you can check this link: https://supportforums.cisco.com/document/12439761/cisco-ace-http-https-redirection-ssl-termination

Hope this helps!

Jorge

Don´t forget to rate the answer.

Ahmed Sabanaa
Level 1
Level 1
hi dear ,
have you got answer about the above question , since i have the same query ?

Hi,

 

you can try this configuration

 

rserver redirect rserver-redir_HTTPtoHTTPS
  webhost-redirection https://%h/%p 301
  inservice

serverfarm redirect sfarm-redirect_HTTPtoHTTPS
  rserver rserver-redir_HTTPtoHTTPS
    inservice

class-map match-any cmap-vip_HTTPtoHTTPS
  2 match virtual-address 192.168.10.10 tcp eq www


policy-map type loadbalance first-match pmap-lb_HTTPtoHTTPS
  class class-default
    serverfarm sfarm-redirect_HTTPtoHTTPS
policy-map multi-match pmap_whatever
  class cmap-vip_HTTPtoHTTPS
    loadbalance vip inservice
    loadbalance policy pmap-lb_HTTPtoHTTPS

I will give you for one rserver, one serverfarm, one class map. You please do that same for rest of them. Test one first and replicate to others.

rserver redirect QA-group_1_redirect_rserver

  webhost-redirection

https://10.37.5.93/  302

  inservice

This is the redirect server.

rserver host QA-1.1

  ip address 10.37.5.111

  inservice

rserver host QA-1.2

  ip address 10.37.5.88

  inservice

Normal servers to which the traffic would be loadbalanced.

serverfarm redirect SF_QA-group_1_REDIRECT

  rserver QA-group_1_redirect_rserver

    inservice

This is redirect serverfarm

serverfarm host SF_QA-group_1_HTTPS

  failaction reassign

  predictor leastconns

  rserver QA-1.1 443

    inservice

  rserver QA-1.2 443

    inservice

Normal serverfarm with two rservers in it to which we will loadbalance the traffic.

class-map match-all QA-group_1_HTTP

  3 match virtual-address 10.37.5.93 tcp eq www

The class-map is condition for redirection. If user comes on 10.37.5.93 on 80.

class-map match-all QA-group_1_HTTPS

  3 match virtual-address 10.37.5.93 tcp eq https

Condition for user coming on port 443

policy-map type loadbalance first-match QA-group_1_REDIRECT

  class class-default

    serverfarm SF_QA-group_1_REDIRECT

This is a policy or action which ACE will take after the condition matches which is to redirect.

policy-map type loadbalance first-match QA_GROUP1_HTPPS

  class class-default

    serverfarm SF_QA-group_1_HTTPS

This is for HTTPS

policy-map multi-match SERVICE_VIPS
  class QA-group_1_HTTP
    loadbalance vip inservice
    loadbalance policy QA-group_1_REDIRECT
    loadbalance vip icmp-reply
  class QA-group_1_HTTPS
    loadbalance vip inservice
    loadbalance policy QA_GROUP1_HTPPS
    loadbalance vip icmp-reply

Same action is applied to the policy. If it matches class QA-group_1_HTTP, redirect it, since redirect policy is applied and if it matches class QA-group_1_HTTPS, loadbalance the traffic since LB policy is applied.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: