cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4649
Views
0
Helpful
34
Replies

ACE Redirection to HTTPS by URL

jason.williams
Level 1
Level 1

Is it possible to configure the ACE to redirect a URL to HTTPS?  I don't want to redirect the entire site, only certain pages.

Thanks.

Jason

34 Replies 34

Surya ARBY
Level 4
Level 4

Make a class-map matching the URLs you want to redirect and use redirect rserver to push the redirection.

Hi Jason,

As Surya mentioned you can do it with classifying the URLs.

However , you need make sure about the proper regex , otherwise it will never work

I have struggled a bit to get this done.... but was able to achieve it

we have done the same model only specific URLs of the website needed to be redirected rest of all pure http

if you can provide the URL samples i can help you with

-Parvees

Here is the config as I have it now, and it does not work. 

The names and IPs have been changed to protect the innocent.

ssl-proxy service WEBSITE_SSL_PROXY

  key WebsitePrivate.pem

  cert WebsitePublic.pem

rserver redirect HTTP2HTTPS_REDIRECT

  webhost-redirection https://%h 301

    inservice

serverfarm redirect HTTP2HTTPS_REDIRECT_FARM

  rserver HTTP2HTTPS_REDIRECT

    inservice

serverfarm host WEBFARM

  predictor leastconns

  probe http_connect

  rserver WEBSERVER1 80

    inservice

  rserver WEBSERVER2 80

    inservice

parameter-map type http HTTP_PARAM_MAP

  header modify per-request

sticky ip-netmask 255.255.255.255 address source WEBFARM

  timeout 60

  replicate sticky

  serverfarm WEBFARM

class-map match-any VIP_WEBFARM_HTTPS

  3 match virtual-address 10.10.10.10 tcp eq https

class-map match-any VIP_WEBFARM_WWW

  3 match virtual-address 10.10.10.10 tcp eq www

class-map type http loadbalance match-any HTTPS_REDIRECT_BY_URL

  match http url http://website.url/Admin.aspx

  match http url http://website.url/Admin/

  match http url http://website.url/Host/

  match http url http://website.url/PatientsAndVisitors/GiftShop.aspx

  match http url http://website.url/PatientsAndVisitors/GiftShop/

  match http url http://website.url/PatientsAndVisitors/PrayerRequest.aspx

  match http url http://website.url/PatientsAndVisitors/PrayerRequest/

  match http url http://website.url/PatientsAndVisitors/SendanEcard.aspx

  match http url http://website.url/PatientsAndVisitors/SendanEcard/

  match http url http://website.url/Donate.aspx

  match http url http://website.url/Donate/

policy-map type loadbalance http first-match PM_WEBFARM_HTTPS_REDIRECT_BY_URL

  class HTTPS_REDIRECT_BY_URL

    sticky-serverfarm WEBFARM

  class class-default

    sticky-serverfarm WEBFARM

policy-map type loadbalance first-match PM_WEBFARM

  class class-default

    sticky-serverfarm WEBFARM

policy-map multi-match CLIENTSIDE_VIPS

  class VIP_WEBFARM_WWW

    loadbalance vip inservice

    loadbalance policy PM_WEBFARM_HTTPS_REDIRECT_BY_URL

    loadbalance vip icmp-reply active

  class VIP_WEBFARM_HTTPS

    loadbalance vip inservice

    loadbalance policy PM_WEBFARM

    loadbalance vip icmp-reply active

    appl-parameter http advanced-options HTTP_PARAM_MAP

    ssl-proxy server WEBSITE_SSL_PROXY

Your class-map is wrong, you musn't put the whole URI but only the path instead.

It should be something close to (not sure about the exact syntax) :

class-map type http loadbalance match-all HOSTNAME

  2 match http header Host header-value "website[.]url[.]com"

class-map type http loadbalance match-any PATH

  match http url /Admin.aspx

  match http url /Admin/

  match http url /Host/

  match http url PatientsAndVisitors/GiftShop.aspx

  match http url /PatientsAndVisitors/GiftShop/

  match http url /PatientsAndVisitors/PrayerRequest.aspx

  match http url /PatientsAndVisitors/PrayerRequest/

  match http url /PatientsAndVisitors/SendanEcard.aspx

  match http url /PatientsAndVisitors/SendanEcard/

  match http url /Donate.aspx

  match http url /Donate/

class-map type http loadbalance match-all CM-REDIRECT

  2 class HOSTNAME

  3 class PATH

Hi.

Is it ok ? Just let me knoww if you need further assistance.

Well, it's still not working.

Here is my config now:

rserver redirect HTTP2HTTPS_REDIRECT

  webhost-redirection https://%h%p 301

    inservice

serverfarm redirect HTTP2HTTPS_REDIRECT_FARM

  rserver HTTP2HTTPS_REDIRECT

    inservice

class-map match-any VIP_WEBFARM_STAGING_WWW

  3 match virtual-address 10.128.193.251 tcp eq www

class-map type http loadbalance match-any SECURE_URL

  match http url /Admin.aspx

  match http url /Admin/

  match http url /Host/

  match http url /PatientsAndVisitors/GiftShop.aspx

  match http url /PatientsAndVisitors/GiftShop/

  match http url /PatientsAndVisitors/PrayerRequest.aspx

  match http url /PatientsAndVisitors/PrayerRequest/

  match http url /PatientsAndVisitors/SendanEcard.aspx

  match http url /PatientsAndVisitors/SendanEcard/

  match http url /Donate.aspx

  match http url /Donate/

class-map type http loadbalance match-all STAGING_HOSTNAME

  2 match http header Host header-value "staging[.]ctmc[.]org"

class-map type http loadbalance match-all HTTPS_REDIRECT

  2 match class-map STAGING_HOSTNAME

  3 match class-map SECURE_URL

policy-map type loadbalance http first-match PM_WEBFARM_STAGING_URL_REDIRECT

  description Policy map used if site requires HTTPS redirection based on URL

  class HTTPS_REDIRECT

    serverfarm HTTP2HTTPS_REDIRECT_FARM

  class class-default

    sticky-serverfarm WEBFARM_STAGING

policy-map multi-match CLIENTSIDE_VIPS

  class VIP_WEBFARM_STAGING_WWW

    loadbalance vip inservice

    loadbalance policy PM_WEBFARM_STAGING_URL_REDIRECT

    loadbalance vip icmp-reply active

ok let's make some tests :

by only using the class-map

class-map type http loadbalance match-all STAGING_HOSTNAME

  2 match http header Host header-value "staging[.]ctmc[.]org"

the whole site should be redirect, does it work if you call this class map in your policy-map ?

Then let's try the class-map with the various paths only (remove the class-map with the hostname).

You can try first with only one path, for example

class-map type http loadbalance match-any SECURE_URL

  match http url /Admin/

Does it work ? Then try with the full list of hostnames.

Which version of code do you use ?

I know those regular expressions are tricky, here is an example which works in production for me :

class-map type http loadbalance match-all DRIVE-360-CM

  2 match http header Host header-value "360[.]xxxx[.]fr"

class-map type http loadbalance match-all DRIVE-HTTP-FAGNIERES-CM

  2 match http header Host header-value "www[.]xxxx[.]fr"

  3 match http url /055102/.*

class-map type http loadbalance match-all DRIVE-HTTP-STMARTIN-CM

  2 match http header Host header-value "www[.]xxxx[.]fr"

  3 match http url /055101/.*

It looks like it's the URL portion.

I tried it with just the hostname/header and it worked.  But once I removed the header and added the URL class-map, it wouldn't redirect.

We're using Version A2(2.4).

Do I need to add wildcards?  Like you have in your working configs maybe?

Thanks.

Ok, I'm getting halfway there.  I added .* to the end of the directory URLs, and the redirect works now:

  2 match http url /Admin.aspx

  3 match http url /Admin/.*

  4 match http url /Host/.*

  5 match http url /PatientsAndVisitors/GiftShop.aspx

  6 match http url /PatientsAndVisitors/GiftShop/.*

  7 match http url /PatientsAndVisitors/PrayerRequest.aspx

  8 match http url /PatientsAndVisitors/PrayerRequest/.*

  9 match http url /PatientsAndVisitors/SendanEcard.aspx

  10 match http url /PatientsAndVisitors/SendanEcard/.*

  11 match http url /Donate.aspx

  12 match http url /Donate/.*

But how do I get the specific aspx pages to redirect?

Thanks.

Jason

what about putting the ".*" pattern at the end of your URL ? even if there is no slash "/"

Here is the reference guide regarding regex.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1313278

If you configure only one statement (path) in the class-map does it work ?

Wht does it happen if you disable and enable the service policy from the vlan interface ?

I'll check out the regex guide, but I wanted to mention too, that after testing, the directory redirect isn't working consistently.  Some pages within the directory will redirect to https and others won't.  Then, sometimes, a page that previously did redirect doesn't when I go there again.

I don't know what kind of influence it has, but I also wanted to confirm my redirect rserver is correct.  I'm using:

rserver redirect HTTP2HTTPS_REDIRECT

  webhost-redirection https://%h%p 301

    inservice

Is the 301 status code the right one to use?

Thanks.

Jason

The 301 code is fine and your config seems to be correct.

Which product do you use ? Module or appliance ? I recommend an upgrade, to me your config is correct.

We're using the ACE module for the 6500.

I'm considering an upgrade.  As of right now, it seems like the url matching isn't working properly.

Just out of curiousity, is there some logging I can look at that will tell me if the rules are being matched?

Thanks.

Jason

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: