05-12-2007 07:12 PM
I'm having some problems setting up a URL redirect from an ACE module. I have a class map that is matching content by VIP and I'm load balancing requests, but I would like to be able to look at the source request and, if it matches a specific list of IPs, redirect the request to a different URL, with all other requests load balanced to the server farm.
Thanks,
Bill
05-15-2007 05:00 AM
Bill,
You first need to classify the traffic.
Since you want different behavior depending on the source IP, you will need to use a class-map to match the IP that needs to be redirected.
i.e.:
class-map type http loadbalance match-all SRCIP1
  match access-list ....
!
Then create 2 serverfarms.
One for loadbalancing and one for the url redirect.
Then create a policy-map that, when matching your class-map above, will use the redirect serverfarm, and for the default class-map uses the loadbalancing serverfarm.
I hope this is clear enough like this.
If not, let me know.
Gilles.
05-17-2007 06:52 AM
Gilles,
Thank you for your assistance. I have implemented the commands and can now redirect http traffic to another website based on source address. I'm still having problems redirecting SSL traffic. It appears that the ACE is sending back the redirect as clear text, instead of encrypting it and sending it back to the client. I have attached a copy of my config. Any suggestions would be greatly appreciated.
rserver redirect ENCORE-REDIRECT
  webhost-redirection http://wserror.xyz.com 302
  inservice
rserver host ORADS-RDR1
  ip address 10.9.40.51
  inservice
rserver host ORADS-RDR2
  ip address 10.9.40.52
  inservice
rserver host ORADS-RDR3
  ip address 10.9.40.53
  inservice
ssl-proxy service ENCORE_SSL_SERVER
  key ROCENCORE.PEM
  cert ROCENCORECERT.PEM
  chaingroup ENCORE
serverfarm host ENCORE
  failaction purge
  probe ENCORE
  rserver ORADS-RDR1 80
    inservice
  rserver ORADS-RDR2 80
    inservice
  rserver ORADS-RDR3 80
    inservice
serverfarm redirect ENCORE-REDIRECT
  rserver ENCORE-REDIRECT
    inservice
sticky ip-netmask 255.255.255.255 address both ENCORE-sticky
  timeout 130
  serverfarm ENCORE
class-map match-all CLASS_MAP_ENCORE-http
  2 match virtual-address 10.6.9.17 tcp eq www
class-map match-all CLASS_MAP_ENCORE-https
  2 match virtual-address 10.6.9.17 tcp eq https
class-map type http loadbalance match-any CLASS_MAP_PROXIES
  2 match source-address 10.6.171.10 255.255.255.255
  3 match source-address 10.6.164.10 255.255.255.255
  4 match source-address 10.6.185.10 255.255.255.255
  5 match source-address 10.6.178.10 255.255.255.255
  6 match source-address 10.6.132.2 255.255.255.255
class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  4 match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match POLICYMAP_ENCORE_L7
  class CLASS_MAP_PROXIES
    serverfarm ENCORE-REDIRECT
  class class-default
    sticky-serverfarm ENCORE-sticky
policy-map multi-match POLICYMAP_ENCORE_L3L4
  class CLASS_MAP_ENCORE-http
    loadbalance vip inservice
    loadbalance policy POLICYMAP_ENCORE_L7
    loadbalance vip icmp-reply
  class CLASS_MAP_ENCORE-https
    loadbalance vip inservice
    loadbalance policy POLICYMAP_ENCORE_L7
    loadbalance vip icmp-reply
    ssl-proxy server ENCORE_SSL_SERVER
access-group input ALL-ACCESS
interface vlan 10
  description DATA_VLAN_AND_SVC_TO_ACE
  ip address 10.6.9.3 255.255.255.240
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input POLICYMAP_ENCORE_L3L4
  no shutdown
Thank you,
Bill
05-18-2007 01:32 AM
Bill,
This is a known code issue.
CSCsh52210: Redirect rserver behind SSL proxy send the redirect string not encrypted
This is fixed in version A1(4b) and later.
Gilles.
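
An added example, not part of the original thread or Cisco's tooling: a small Python check that flags the configuration pattern named in CSCsh52210, where a VIP class that terminates SSL (`ssl-proxy server`) uses a load-balance policy that can select a redirect serverfarm. The function name and the trimmed sample config (built from the config posted above) are constructed for illustration; the parser keys on keywords, so it also works on a dump that has lost its indentation.

```python
# Constructed sample: a trimmed copy of the config posted in this thread.
SAMPLE = """\
serverfarm host ENCORE
serverfarm redirect ENCORE-REDIRECT
  rserver ENCORE-REDIRECT
policy-map type loadbalance first-match POLICYMAP_ENCORE_L7
  class CLASS_MAP_PROXIES
    serverfarm ENCORE-REDIRECT
  class class-default
    sticky-serverfarm ENCORE-sticky
policy-map multi-match POLICYMAP_ENCORE_L3L4
  class CLASS_MAP_ENCORE-http
    loadbalance policy POLICYMAP_ENCORE_L7
  class CLASS_MAP_ENCORE-https
    loadbalance policy POLICYMAP_ENCORE_L7
    ssl-proxy server ENCORE_SSL_SERVER
"""

def find_redirects_behind_ssl(config):
    """Return (vip_class, l7_policy, redirect_farm) for every SSL-terminated
    VIP class whose load-balance policy references a redirect serverfarm."""
    redirect_farms, l7_farms, vips = set(), {}, {}
    mode = policy = vip = None
    for t in (line.split() for line in config.splitlines()):
        if not t:
            continue
        if t[0] == "policy-map":                      # entering a policy-map
            policy = t[-1]
            mode = ("l7" if t[1:3] == ["type", "loadbalance"]
                    else "l3l4" if t[1] == "multi-match" else None)
        elif t[0] == "serverfarm" and len(t) == 3 and t[1] in ("host", "redirect"):
            mode = None                               # top-level serverfarm definition
            if t[1] == "redirect":
                redirect_farms.add(t[2])
        elif t[0] in ("class-map", "sticky", "interface"):
            mode = None                               # other top-level blocks
        elif mode == "l7" and t[0] == "serverfarm":   # farm chosen by the L7 policy
            l7_farms.setdefault(policy, set()).add(t[1])
        elif mode == "l3l4" and t[0] == "class":      # new VIP class in the L3/L4 policy
            vip = t[1]
            vips[vip] = {"policy": None, "ssl": False}
        elif mode == "l3l4" and vip and t[:2] == ["loadbalance", "policy"]:
            vips[vip]["policy"] = t[2]
        elif mode == "l3l4" and vip and t[:2] == ["ssl-proxy", "server"]:
            vips[vip]["ssl"] = True
    return [(v, d["policy"], farm) for v, d in vips.items() if d["ssl"]
            for farm in sorted(l7_farms.get(d["policy"], set()) & redirect_farms)]

if __name__ == "__main__":
    for hit in find_redirects_behind_ssl(SAMPLE):
        print("redirect serverfarm behind SSL proxy:", hit)
```

A hit only identifies the pattern; whether the redirect actually leaves unencrypted depends on the ACE software version, which per the reply above is fixed in A1(4b) and later.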