09-29-2011 08:43 AM
Is it possible to configure the ACE to redirect a URL to HTTPS? I don't want to redirect the entire site, only certain pages.
Thanks.
Jason
10-02-2011 11:59 AM
Make a class-map matching the URLs you want to redirect and use redirect rserver to push the redirection.
10-04-2011 02:55 AM
Hi Jason,
As Surya mentioned you can do it with classifying the URLs.
However , you need make sure about the proper regex , otherwise it will never work
I have struggled a bit to get this done.... but was able to achieve it
we have done the same model only specific URLs of the website needed to be redirected rest of all pure http
if you can provide the URL samples i can help you with
-Parvees
10-05-2011 08:01 AM
Here is the config as I have it now, and it does not work.
The names and IPs have been changed to protect the innocent.
ssl-proxy service WEBSITE_SSL_PROXY
key WebsitePrivate.pem
cert WebsitePublic.pem
rserver redirect HTTP2HTTPS_REDIRECT
webhost-redirection https://%h 301
inservice
serverfarm redirect HTTP2HTTPS_REDIRECT_FARM
rserver HTTP2HTTPS_REDIRECT
inservice
serverfarm host WEBFARM
predictor leastconns
probe http_connect
rserver WEBSERVER1 80
inservice
rserver WEBSERVER2 80
inservice
parameter-map type http HTTP_PARAM_MAP
header modify per-request
sticky ip-netmask 255.255.255.255 address source WEBFARM
timeout 60
replicate sticky
serverfarm WEBFARM
class-map match-any VIP_WEBFARM_HTTPS
3 match virtual-address 10.10.10.10 tcp eq https
class-map match-any VIP_WEBFARM_WWW
3 match virtual-address 10.10.10.10 tcp eq www
class-map type http loadbalance match-any HTTPS_REDIRECT_BY_URL
match http url http://website.url/Admin.aspx
match http url http://website.url/Admin/
match http url http://website.url/Host/
match http url http://website.url/PatientsAndVisitors/GiftShop.aspx
match http url http://website.url/PatientsAndVisitors/GiftShop/
match http url http://website.url/PatientsAndVisitors/PrayerRequest.aspx
match http url http://website.url/PatientsAndVisitors/PrayerRequest/
match http url http://website.url/PatientsAndVisitors/SendanEcard.aspx
match http url http://website.url/PatientsAndVisitors/SendanEcard/
match http url http://website.url/Donate.aspx
match http url http://website.url/Donate/
policy-map type loadbalance http first-match PM_WEBFARM_HTTPS_REDIRECT_BY_URL
class HTTPS_REDIRECT_BY_URL
sticky-serverfarm WEBFARM
class class-default
sticky-serverfarm WEBFARM
policy-map type loadbalance first-match PM_WEBFARM
class class-default
sticky-serverfarm WEBFARM
policy-map multi-match CLIENTSIDE_VIPS
class VIP_WEBFARM_WWW
loadbalance vip inservice
loadbalance policy PM_WEBFARM_HTTPS_REDIRECT_BY_URL
loadbalance vip icmp-reply active
class VIP_WEBFARM_HTTPS
loadbalance vip inservice
loadbalance policy PM_WEBFARM
loadbalance vip icmp-reply active
appl-parameter http advanced-options HTTP_PARAM_MAP
ssl-proxy server WEBSITE_SSL_PROXY
10-05-2011 02:11 PM
Your class-map is wrong, you musn't put the whole URI but only the path instead.
It should be something close to (not sure about the exact syntax) :
class-map type http loadbalance match-all HOSTNAME
2 match http header Host header-value "website[.]url[.]com"
class-map type http loadbalance match-any PATH
match http url /Admin.aspx
match http url /Admin/
match http url /Host/
match http url PatientsAndVisitors/GiftShop.aspx
match http url /PatientsAndVisitors/GiftShop/
match http url /PatientsAndVisitors/PrayerRequest.aspx
match http url /PatientsAndVisitors/PrayerRequest/
match http url /PatientsAndVisitors/SendanEcard.aspx
match http url /PatientsAndVisitors/SendanEcard/
match http url /Donate.aspx
match http url /Donate/
class-map type http loadbalance match-all CM-REDIRECT
2 class HOSTNAME
3 class PATH
10-06-2011 04:12 AM
Hi.
Is it ok ? Just let me knoww if you need further assistance.
10-06-2011 12:07 PM
Well, it's still not working.
Here is my config now:
rserver redirect HTTP2HTTPS_REDIRECT
webhost-redirection https://%h%p 301
inservice
serverfarm redirect HTTP2HTTPS_REDIRECT_FARM
rserver HTTP2HTTPS_REDIRECT
inservice
class-map match-any VIP_WEBFARM_STAGING_WWW
3 match virtual-address 10.128.193.251 tcp eq www
class-map type http loadbalance match-any SECURE_URL
match http url /Admin.aspx
match http url /Admin/
match http url /Host/
match http url /PatientsAndVisitors/GiftShop.aspx
match http url /PatientsAndVisitors/GiftShop/
match http url /PatientsAndVisitors/PrayerRequest.aspx
match http url /PatientsAndVisitors/PrayerRequest/
match http url /PatientsAndVisitors/SendanEcard.aspx
match http url /PatientsAndVisitors/SendanEcard/
match http url /Donate.aspx
match http url /Donate/
class-map type http loadbalance match-all STAGING_HOSTNAME
2 match http header Host header-value "staging[.]ctmc[.]org"
class-map type http loadbalance match-all HTTPS_REDIRECT
2 match class-map STAGING_HOSTNAME
3 match class-map SECURE_URL
policy-map type loadbalance http first-match PM_WEBFARM_STAGING_URL_REDIRECT
description Policy map used if site requires HTTPS redirection based on URL
class HTTPS_REDIRECT
serverfarm HTTP2HTTPS_REDIRECT_FARM
class class-default
sticky-serverfarm WEBFARM_STAGING
policy-map multi-match CLIENTSIDE_VIPS
class VIP_WEBFARM_STAGING_WWW
loadbalance vip inservice
loadbalance policy PM_WEBFARM_STAGING_URL_REDIRECT
loadbalance vip icmp-reply active
10-06-2011 12:15 PM
ok let's make some tests :
by only using the class-map
class-map type http loadbalance match-all STAGING_HOSTNAME
2 match http header Host header-value "staging[.]ctmc[.]org"
the whole site should be redirect, does it work if you call this class map in your policy-map ?
Then let's try the class-map with the various paths only (remove the class-map with the hostname).
You can try first with only one path, for example
class-map type http loadbalance match-any SECURE_URL
match http url /Admin/
Does it work ? Then try with the full list of hostnames.
Which version of code do you use ?
I know those regular expressions are tricky, here is an example which works in production for me :
class-map type http loadbalance match-all DRIVE-360-CM
2 match http header Host header-value "360[.]xxxx[.]fr"
class-map type http loadbalance match-all DRIVE-HTTP-FAGNIERES-CM
2 match http header Host header-value "www[.]xxxx[.]fr"
3 match http url /055102/.*
class-map type http loadbalance match-all DRIVE-HTTP-STMARTIN-CM
2 match http header Host header-value "www[.]xxxx[.]fr"
3 match http url /055101/.*
10-06-2011 01:49 PM
It looks like it's the URL portion.
I tried it with just the hostname/header and it worked. But once I removed the header and added the URL class-map, it wouldn't redirect.
We're using Version A2(2.4).
Do I need to add wildcards? Like you have in your working configs maybe?
Thanks.
10-06-2011 01:54 PM
Ok, I'm getting halfway there. I added .* to the end of the directory URLs, and the redirect works now:
2 match http url /Admin.aspx
3 match http url /Admin/.*
4 match http url /Host/.*
5 match http url /PatientsAndVisitors/GiftShop.aspx
6 match http url /PatientsAndVisitors/GiftShop/.*
7 match http url /PatientsAndVisitors/PrayerRequest.aspx
8 match http url /PatientsAndVisitors/PrayerRequest/.*
9 match http url /PatientsAndVisitors/SendanEcard.aspx
10 match http url /PatientsAndVisitors/SendanEcard/.*
11 match http url /Donate.aspx
12 match http url /Donate/.*
But how do I get the specific aspx pages to redirect?
Thanks.
Jason
10-06-2011 01:59 PM
what about putting the ".*" pattern at the end of your URL ? even if there is no slash "/"
10-06-2011 01:57 PM
Here is the reference guide regarding regex.
If you configure only one statement (path) in the class-map does it work ?
Wht does it happen if you disable and enable the service policy from the vlan interface ?
10-07-2011 07:33 AM
I'll check out the regex guide, but I wanted to mention too, that after testing, the directory redirect isn't working consistently. Some pages within the directory will redirect to https and others won't. Then, sometimes, a page that previously did redirect doesn't when I go there again.
I don't know what kind of influence it has, but I also wanted to confirm my redirect rserver is correct. I'm using:
rserver redirect HTTP2HTTPS_REDIRECT
webhost-redirection https://%h%p 301
inservice
Is the 301 status code the right one to use?
Thanks.
Jason
10-07-2011 07:36 AM
The 301 code is fine and your config seems to be correct.
Which product do you use ? Module or appliance ? I recommend an upgrade, to me your config is correct.
10-07-2011 10:07 AM
We're using the ACE module for the 6500.
I'm considering an upgrade. As of right now, it seems like the url matching isn't working properly.
Just out of curiousity, is there some logging I can look at that will tell me if the rules are being matched?
Thanks.
Jason
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: