
ACE redirect forcing www. in hostname?

bover
Level 1

Hello all.  I'm currently working on trying to set up a redirect that will force the use of www. in the hostname for incoming requests.  Example: Client requests https://domain.com and I'd like to send a redirect back forcing them to use https://www.domain.com.  The creation of the redirect rserver using "http://www.%h 302" seems simple enough, but it's the class-map url matches that are hanging me up.  I've played around with a lot of different configs, but can't seem to find the correct regexp for requests where the hostname is lacking "www."  Any ideas?

Accepted Solutions

You can't cheat on this one.

The most simple solution is to change the name bound on the certificate to a wildcard "*.domain.com"


5 Replies

Surya ARBY
Level 4

Please post your config.

Borys Berlog
Cisco Employee

Hi

Firstly, you can't really check the URL (I mean the thing that the user typed in the browser) as it's local to the user; you can check only something which is sent via the network. In your case it's the HTTP header field: Host. However, to check it inside HTTPS you first need to decrypt the session. Thus, to move further with your checking you need to have SSL termination on the ACE.

About the regexp, try to play with something like this:

match http header Host header-value "[^www\.]..*\...*"

This thing matches everything like asd.asd but doesn't match www.asd.asd, so you can try to use it and apply the redirection serverfarm under such a condition.

BTW, I guess you have a typo and the redirect server should use https://www.%h 302

(That "url" keyword in the class-map configuration is about the request field in the HTTP header, e.g. if the URL is nice.com/nice.html this field will be nice.html, so you won't be able to parse it for www or any such things.)
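
The Host pattern suggested above, run against constructed Host values (an added example, not part of the original posts): `[^www\.]` is a negated character class, meaning any one character other than `w` or `.`, so the rule skips every hostname that begins with `w`, not only those beginning with `www.`. Python's `re` with whole-value matching is assumed here as a stand-in for the ACE regex engine; `lacks_www` and the hostnames are hypothetical.

```python
import re

# Pattern exactly as posted in the thread.
# Assumption: Python's re module stands in for the ACE regex engine, and the
# pattern must match the whole Host value (as the post's description implies).
POSTED = re.compile(r"[^www\.]..*\...*")


def posted_rule_matches(host: str) -> bool:
    """True if the posted class-map pattern matches the whole Host value."""
    return POSTED.fullmatch(host) is not None


def lacks_www(host: str) -> bool:
    """The intended condition, stated directly: Host does not start with 'www.'."""
    return not host.lower().startswith("www.")


def disagreements(hosts):
    """Hosts where the posted pattern and the intended condition differ."""
    return [h for h in hosts if posted_rule_matches(h) != lacks_www(h)]


# Constructed Host header values (not taken from the thread).
SAMPLE_HOSTS = [
    "example.com",
    "www.example.com",
    "shop.example.com",
    "web.example.com",
    "wiki.example.com",
    "w3.example.org",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:20} pattern={posted_rule_matches(host)!s:5} "
              f"lacks_www={lacks_www(host)}")
    # Hosts the redirect class would silently skip although they lack "www."
    print("missed by pattern:", disagreements(SAMPLE_HOSTS))
```

Any site whose hostname starts with `w` would fall through to `class-default` instead of the redirect serverfarm, so test the class-map against the real list of served hostnames before relying on it.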

Thanks.  That helps a lot but unfortunately, it's still not working.  Here's the relevant portions of my config (serverfarm of real webservers and ssl-proxy stuff omitted).  What am I missing?  Is the config incorrect, or is this a matter of order-of-operations for standard SSL handshake and requests making this functionality impossible?

rserver redirect no-www-redirect
  webhost-redirection https://www.%h 302
  inservice

serverfarm redirect no-www-redirect
  rserver no-www-redirect
    inservice

class-map type http loadbalance match-any no-www-redirect-l7
  2 match http header Host header-value "[^www\.]..*\...*"

policy-map type loadbalance first-match wsssl-l7
  class no-www-redirect-l7
    serverfarm no-www-redirect
  class class-default
    sticky-serverfarm wsssl

policy-map multi-match ws-web-inbound
  class wsssl-5620-l4
    loadbalance vip inservice
    loadbalance policy wsssl-l7
    loadbalance vip icmp-reply
    ssl-proxy server wsssl-5620

Actually, this is working but not in the way I wanted it to.  The root of the problem here is that I've got a couple of SSL sites that have certificates set up for the www hostname only.  They haven't upgraded to the multi-site certs yet.  This means that attempts to hit www.site.com work fine and dandy, but attempts to hit site.com generate a cert error.  With this config in place, the error still pops up but if you accept the exception and proceed the redirect to use www.site.com works properly.

The whole point of this exercise was to try and provide a solution with the ACE to avoid the cert warnings when www. was omitted from the hostname in the request.  I guess I answered my own question about the functionality being impossible due to the order of operations in an SSL handshake and request, eh?  Thanks for the help.
