Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACE 4710 - Redirect HTTP to HTTPS

Hi Cisco Support community

I am trying to make a redirect from http to https. the goal is whenever a user writes in http://10.80.199.71 it should be redirected to https://10.80.199.71

I am just haveing some trouble making it work. :S

I have attached the settings i have made. could be nice if someone could tell me what i am doing wrong here.

Thanks.

Everyone's tags (7)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

ACE 4710 - Redirect HTTP to HTTPS

Hi,

Just modified your config a little. Let me know if it works for you.

---------------------------------------------------------------------------------------------

access-list Servers line 1 extended permit tcp any any eq https

access-list Servers line 5 extended permit tcp any any eq www

access-list Servers line 6 extended permit ip any any

access-list Servers line 7 extended permit icmp any any

rserver host Sharepoint_2010_SRV1

  description Sharepoint 2010

  ip address 10.80.6.96

  conn-limit max 4000000 min 4000000

  probe ACE_TCP

  inservice

rserver host Sharepoint_2010_SRV2

  description Sharepoint 2010

  ip address 10.80.6.114

  conn-limit max 4000000 min 4000000

  probe ACE_TCP

  inservice

rserver redirect Sharepoint_HTTPS_Redirect

  webhost-redirection https://%h%p 302

  inservice

serverfarm redirect SharePoint_HTTPS_SFarm

  rserver Sharepoint_HTTPS_Redirect

    inservice

serverfarm host Sharepoint_2010_Serverfarm

  description Sharepoint_2010

  rserver Sharepoint_2010_SAE_SRV1

    inservice

  rserver Sharepoint_2010_SAE_SRV2

    inservice

class-map match-all Sharepoint_2010_VIP_HTTP

  description Match HTTP

  2 match virtual-address 10.80.199.71 tcp eq www

class-map match-all Sharepoint_2010_VIP_HTTPS

  description Match HTTPS

  2 match virtual-address 10.80.199.71 tcp eq https

policy-map type loadbalance first-match Sharepoint_HTTP

  class class-default

    serverfarm Sharepoint_HTTPS_Redirect

policy-map type loadbalance first-match Sharepoint_HTTPS

  class class-default

    serverfarm Sharepoint_2010_Serverfarm

policy-map multi-match int815

    class Sharepoint_2010_VIP_HTTP

    loadbalance vip inservice

    loadbalance policy Sharepoint_HTTP

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 801

  class Sharepoint_2010_VIP_HTTPS

    loadbalance vip inservice

    loadbalance policy Sharepoint_HTTPS

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 801

4 REPLIES
Cisco Employee

ACE 4710 - Redirect HTTP to HTTPS

Hello

This condition won't match anything :

  2 match http header Host header-value "http://10.80.199.71"

because in Host header you will never see http:// , it's host, so it can be 10.80.199.71.

But in your case I'd do it much simpler (you've already seprated requests to port 80 and 443 on L4 class maps) :

policy-map type loadbalance first-match Sharepoint_HTTP

class class-default

serverfarm SharePoint_HTTPS_SFarm

So, I don't see why you may need to check HTTP headers at all.

and everything else looks more or less ok (don't know why you may need NAT on redirection serverfarm)

policy-map multi-match int815

    class Sharepoint_2010_VIP_HTTP

    loadbalance vip inservice

    loadbalance policy Sharepoint_HTTP

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 801 <------ here

Basically requests comes to http://10.80.199.71, it gets to L4 class map

class-map match-all Sharepoint_2010_VIP_HTTP

  description Match HTTP

  2 match virtual-address 10.80.199.71 tcp eq www

because only this class map matches port 80 and then it needs to be redirected , so it goes to redirection serverfarm.

Your mistake was wrong host header -value (you may try to capture some http traffic on your PC and you will see that HTTP Host header is just host valie like 1.1.1.1 or google.com , without "http://") - so it never matchs. As I wrote above, I don't see a reason to do such matching at all.

Hope it helps.

If this answer resolved your problem please marked it as a correct one, it will help to keep our forum more organized.

Thank you.

Cisco Employee

ACE 4710 - Redirect HTTP to HTTPS

Hi,

Just modified your config a little. Let me know if it works for you.

---------------------------------------------------------------------------------------------

access-list Servers line 1 extended permit tcp any any eq https

access-list Servers line 5 extended permit tcp any any eq www

access-list Servers line 6 extended permit ip any any

access-list Servers line 7 extended permit icmp any any

rserver host Sharepoint_2010_SRV1

  description Sharepoint 2010

  ip address 10.80.6.96

  conn-limit max 4000000 min 4000000

  probe ACE_TCP

  inservice

rserver host Sharepoint_2010_SRV2

  description Sharepoint 2010

  ip address 10.80.6.114

  conn-limit max 4000000 min 4000000

  probe ACE_TCP

  inservice

rserver redirect Sharepoint_HTTPS_Redirect

  webhost-redirection https://%h%p 302

  inservice

serverfarm redirect SharePoint_HTTPS_SFarm

  rserver Sharepoint_HTTPS_Redirect

    inservice

serverfarm host Sharepoint_2010_Serverfarm

  description Sharepoint_2010

  rserver Sharepoint_2010_SAE_SRV1

    inservice

  rserver Sharepoint_2010_SAE_SRV2

    inservice

class-map match-all Sharepoint_2010_VIP_HTTP

  description Match HTTP

  2 match virtual-address 10.80.199.71 tcp eq www

class-map match-all Sharepoint_2010_VIP_HTTPS

  description Match HTTPS

  2 match virtual-address 10.80.199.71 tcp eq https

policy-map type loadbalance first-match Sharepoint_HTTP

  class class-default

    serverfarm Sharepoint_HTTPS_Redirect

policy-map type loadbalance first-match Sharepoint_HTTPS

  class class-default

    serverfarm Sharepoint_2010_Serverfarm

policy-map multi-match int815

    class Sharepoint_2010_VIP_HTTP

    loadbalance vip inservice

    loadbalance policy Sharepoint_HTTP

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 801

  class Sharepoint_2010_VIP_HTTPS

    loadbalance vip inservice

    loadbalance policy Sharepoint_HTTPS

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 801

ACE 4710 - Redirect HTTP to HTTPS

Hello,

You should change your SharePoint_HTTPS to look like this:

class-map type http loadbalance match-any SharePoint_HTTPS

  2 match http header Host header-value 10.80.199.71

This is little explanation about the process of the redirection for port 80.

-------------------------------------------------------------------------------------------

1) ACE will receive the traffic which matches the virtual address: 10.80.199.71 on port 80,

we are good here!!!.

2) ACE has a policy multimatch which will tell the ACE what the next step to follow will be, in this case you need to check the policy Sharepoint_HTTP,we go good.

3) ACE finally reaches policy Sharepoint_HTTP to see what he needs to do, so the gets there and says: "OK, I am here on the policy Sharepoint_HTTP but I have to match  SharePoint_HTTPS first to proceed further,(Since the traffic is on clear text at this point, ACE can match it but please notice this is extra step instead you "SHOULD" use a class class-default),ACE matches fine and finally sees he has a serverfarm type redirect which finally gets him to the rserver type redirect which fires the redirection. Good, we are done with the redirection from http to https!!!

Https process:

------------------------------

ACE now needs to do the same process to match the traffic which is now on port 443,meaning:

ACE matches:

1) policy-map multi-match int815 ---->class Sharepoint_2010_VIP_HTTPS

2) class Sharepoint_2010_VIP_HTTPS---->class SharePoint_HTTPS but here it is the problem!!!, traffic comes on port 443 which is totally encrypted then the ACE cannot see what the request got inside so he cannot do anything at that point then you have 2 possible solutions:

-If it is mandatory for you to analyze class SharePoint_HTTPS then you should decrypt it, using SSL termination for example, or if you need to analyze it and then encrypt it back to continue then you may need END_TO_END SSL.

-If it is NOT mandatory (hopefully) for you to analyze class SharePoint_HTTPS to continue you can just remove it and have as a class class-default instead,as in the sample of AJAY KUMAR above.

3) Let´s not use neither SSL-Termination nor END-TO-END SSL then ACE matches a class class-default which has inside this serverfarm: Sharepoint_2010_Serverfarm which finally has 2 servers: Sharepoint_2010_SRV1/Sharepoint_2010_SRV2

4)ACE takes a loadbalance decision and choose one of those servers and that´s it

Hope this helps!!!

Jorge

New Member

ACE 4710 - Redirect HTTP to HTTPS

It works now. Tried the sugggestion from Ajay and it works so thanks alot for the advice to all of you.

3722
Views
0
Helpful
4
Replies