01-06-2012 12:25 PM
Hello all. I'm currently working on trying to set up a redirect that will force the use of www. in the hostname for incoming requests. Example: Client requests https://domain.com and I'd like to send a redirect back forcing them to use https://www.domain.com. The creation of the redirect rserver using "http://www.%h 302" seems simple enough, but it's the class-map url matches that are hanging me up. I've played around with a lot of different configs, but can't seem to find the correct regexp for requests where the hostname is lacking "www." Any ideas?
01-07-2012 01:15 AM
Please post your config.
01-10-2012 08:12 AM
Hi
Firstly, you can't really check the URL (I mean the thing that the user typed in the browser) as it's local to the user; you can check only something which is sent via the network. In your case it's the HTTP header field Host. However, to check it inside HTTPS you first need to decrypt the session. Thus, to move further with your checking you need to have SSL termination on the ACE.
About regexp try to play with something like that
match http header Host header-value "[^www\.]..*\...*"
This thing matches everything like asd.asd but doesn't match www.asd.asd, so you can try to use it and apply the redirection serverfarm under such a condition.
BTW, I guess you have a typo and redirect server should use https://www.%h 302
(that "url" keyword in class map configuration is about request field in HTTP header, e.g. if url is nice.com/nice.html this field will be nice.html, so you won't be able to parse it for www or any such things)
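Added example, not part of the original posts: a Python check of which Host values the pattern posted above accepts, compared with the intended rule "no www. prefix". It assumes whole-value, case-sensitive matching as in Python's re (the ACE regex engine may differ in details); the helper names and sample hosts are constructed for illustration.

```python
import re

# Pattern exactly as posted in the thread. "[^www\.]" is a negated character
# class (one character that is neither 'w' nor '.'), not "does not start with www.".
POSTED = r"[^www\.]..*\...*"

def posted_matches(host: str) -> bool:
    # Assumption: the pattern is applied to the whole header value,
    # modelled here with re.fullmatch.
    return re.fullmatch(POSTED, host) is not None

def needs_www_redirect(host: str) -> bool:
    """Intended rule: redirect any Host value that lacks the "www." prefix."""
    # Host names are case-insensitive and may carry an optional :port.
    name = host.strip().lower().split(":", 1)[0]
    return bool(name) and not name.startswith("www.")

# Constructed sample Host header values.
SAMPLES = ["domain.com", "www.domain.com", "web.domain.com",
           "wiki.domain.com", "WWW.domain.com", "domain.com:443"]

def compare(hosts):
    """Return (host, posted_pattern_result, intended_result) for each host."""
    return [(h, posted_matches(h), needs_www_redirect(h)) for h in hosts]

def disagreements(hosts):
    """Hosts where the posted pattern and the intended rule give different answers."""
    return [h for h, posted, intended in compare(hosts) if posted != intended]

if __name__ == "__main__":
    for host, posted, intended in compare(SAMPLES):
        flag = "" if posted == intended else "  <-- differs"
        print(f"{host:18} posted={posted!s:5} intended={intended!s:5}{flag}")
```

Hosts beginning with "w" (web., wiki.) are skipped by the posted pattern, so a site with such names needs them checked before relying on it for the redirect.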
01-10-2012 09:56 AM
Thanks. That helps a lot but unfortunately, it's still not working. Here's the relevant portions of my config (serverfarm of real webservers and ssl-proxy stuff omitted). What am I missing? Is the config incorrect, or is this a matter of order-of-operations for standard SSL handshake and requests making this functionality impossible?
rserver redirect no-www-redirect
  webhost-redirection https://www.%h 302
  inservice
serverfarm redirect no-www-redirect
  rserver no-www-redirect
    inservice
class-map type http loadbalance match-any no-www-redirect-l7
  2 match http header Host header-value "[^www\.]..*\...*"
policy-map type loadbalance first-match wsssl-l7
  class no-www-redirect-l7
    serverfarm no-www-redirect
  class class-default
    sticky-serverfarm wsssl
policy-map multi-match ws-web-inbound
  class wsssl-5620-l4
    loadbalance vip inservice
    loadbalance policy wsssl-l7
    loadbalance vip icmp-reply
    ssl-proxy server wsssl-5620
01-10-2012 11:21 AM
Actually, this is working but not in the way I wanted it to. The root of the problem here is that I've got a couple of SSL sites that have certificates set up for the www hostname only. They haven't upgraded to the multi-site certs yet. This means that attempts to hit www.site.com work fine and dandy, but attempts to hit site.com generate a cert error. With this config in place, the error still pops up but if you accept the exception and proceed the redirect to use www.site.com works properly.
The whole point of this exercise was to try and provide a solution with the ACE to avoid the cert warnings when www. was omitted from the hostname in the request. I guess I answered my own question about the functionality being impossible due to the order of operations in an SSL handshake and request, eh? Thanks for the help.
01-10-2012 11:35 AM
You can't cheat on this one.
The simplest solution is to change the name bound on the certificate to a wildcard "*.domain.com".