ACE30 url redirect

lliska
Level 1

Hi everyone,

I have a problem configuring URL redirect on ACE 30 (Version A4(1.0)).

When a user enters the IP address or the name of a service (http://aa.bb.cc or https://aa.bb.cc), the ACE module should redirect him to the page https://aa.bb.cc/logonpage. Here is my non-working config:

access-list OUTSIDE line 8 extended permit tcp any any eq https
access-list OUTSIDE line 16 extended permit tcp any any eq www
access-list OUTSIDE line 24 extended permit icmp any any


probe http Test_HTTP_1
  port 80
  interval 60
  passdetect interval 30
  passdetect count 2
  request method head url /index.html
  expect status 200 200
  open 1


rserver redirect URL_Redirect_01
  webhost-redirection https://aa.bb.cc/logonpage 302
  inservice
rserver host S1
  ip address 10.0.0.2

  inservice
rserver host S2
  ip address 10.0.0.3

  inservice
rserver host S3
  ip address 10.0.0.4
  inservice

serverfarm redirect URL_Redirect_Farm
  rserver URL_Redirect_01
    inservice

serverfarm host SF1
  probe Test_HTTP_1
  rserver S1
    conn-limit max 9000 min 9000
    inservice
  rserver S2
    conn-limit max 9000 min 9000
    inservice
  rserver S3
    conn-limit max 9000 min 9000
    inservice

sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
  timeout 600
  replicate sticky
  serverfarm SF1

class-map match-any L4VIPCLASS
  2 match virtual-address 1.1.1.10 tcp eq https
  3 match virtual-address 1.1.1.10 tcp eq www

class-map type http loadbalance match-all FULL_URL
  2 match http url https://%h/logonpage


policy-map type loadbalance first-match L7POLICY
  class FULL_URL
    sticky-serverfarm STICKYGROUP1
  class class-default
    serverfarm URL_Redirect_Farm

policy-map multi-match VIPPOLICY
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy L7POLICY
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 200

interface vlan 100
  description OUTSIDE
  ip address 1.1.1.2 255.255.255.0
  access-group input OUTSIDE
  service-policy input VIPPOLICY
  no shutdown

interface vlan 200
  description INSIDE
  ip address 2.2.2.2 255.255.255.0
  nat-pool 1 2.2.2.10 2.2.2.10 netmask 255.255.255.255 pat
  no shutdown
 

ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.0.0.0 255.0.0.0 2.2.2.1


Without redirection, only with:

policy-map type loadbalance first-match L7POLICY
  class class-default
    sticky-serverfarm STICKYGROUP1

it works, ACE load balances to rservers. Of course, the user must enter the full URL.

With redirection configured, the user receives an HTTP URL redirect message with the correct address https://aa.bb.cc/logonpage, but his browser does not display the page. Even a directly entered full URL does not display it while redirection is configured.

Alternatively, does ACE30 already support url rewrite?

Please help.

Thank you,

Lubomir

8 Replies

Surya ARBY
Level 4
Level 4

Can you give some live http header traces ?

Also your

class-map type http loadbalance match-all FULL_URL

is wrong.

Hi,

What is wrong on FULL_URL class map? I tried several variants, none of them is working:

https://aa.bb.cc/logonpage

https://%h%p/logonpage

/logonpage

https://1.1.1.10/logonpage

Thank you,

L.

class-map type http loadbalance match-all xxx-CM

  2 match http url /url-path/.*

No luck, I used:

/logonpage/.*

/aa.bb.cc/logonpage/.*

Please specify the exact text for my conditions.

Thank you.

jsirstin
Level 1

If you are testing with https traffic this will not work. You are not terminating SSL so all traffic is encrypted and the ACE will not be able to match any L7 data. Can you test with http traffic, or try configuring SSL termination and test again?

Regards
Jim

Hi Jim,

removing SSL from ACE30 config did not help. The rserver is configured to change the communication to https and probably this does not match ACE config.

But I do not need ACE to inspect encrypted messages, I want it to simply balance. It should see url in unencrypted form, doesn't it? When I am not using redirect (sticky-serverfarm STICKYGROUP1 under class class-default), the SSL communication goes end-to-end between client and server without problems.

I also tried to configure SSL termination (client to ACE) and initiation (ACE to rserver). Everything works, until I use redirect. Without redirect, when I type the full URL https://aa.bb.cc/logonpage into my browser, I receive ACE's certificate, and we establish the SSL connection. ACE also establishes another SSL connection to the rserver. The client gets the correct log-on window.

But when I configure redirect, it does not work...

Thank you.

Is your target "https://aa.bb.cc/logonpage" hosted behind the same VIP on the ACE?

Your specific rule is related to your class-map and the general rule is to send the redirect. It can't work as you may go into an infinite loop.

Can you explain exactly the behaviour you want?

When I read this:

"When a user enters IP address or a name of a service (http://aa.bb.cc or https://aa.bb.cc), the ACE module should redirect him to the page https://aa.bb.cc/logonpage"

You have to define two virtual servers: one for HTTP, where there is only one rule: a redirect serverfarm in class-default.

For HTTPS, SSL termination is mandatory, but if you match anything except "/logonpage" you'll fall into an infinite loop at the next request.

The URL you have to match is just "/" to trigger the redirection (the request sent by the client is just "GET /" when he types the IP address or the name ONLY in the browser bar).

Don't forget to enable SSL rewrite if your backend application uses 302 redirect after the logon page. Otherwise you'll also fall into an infinite redirection loop.

Great hint, Surya,

you got it. Configuring a second VIP just for HTTP and redirect solved the problem.

Thank you very much for your help and effort!

Best regards,

Lubomir
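
The redirect loop described in the accepted answer, as an added example that is not part of the original thread and is not ACE code: a small Python model of first-match L7 policy evaluation that follows redirects the way a browser would. It assumes the HTTPS VIP terminates SSL and that a rule is compared with the request path only; the names POSTED, SPLIT, classify and follow are hypothetical.

```python
import re
from urllib.parse import urlsplit

REDIRECT_TARGET = "https://aa.bb.cc/logonpage"  # webhost-redirection target from the post

# A policy maps each VIP scheme to ordered first-match rules: (path regex, action).
# A regex of None stands for class-default. Assumptions of this model: the HTTPS VIP
# terminates SSL, and a rule is compared with the request path only.
POSTED = {  # one L7 policy shared by the www and https VIPs, as in the post
    "http":  [(r"https://aa\.bb\.cc/logonpage", "serverfarm"), (None, "redirect")],
    "https": [(r"https://aa\.bb\.cc/logonpage", "serverfarm"), (None, "redirect")],
}
SPLIT = {  # accepted answer: HTTP VIP only redirects, HTTPS VIP redirects "/" only
    "http":  [(None, "redirect")],
    "https": [(r"/", "redirect"), (None, "serverfarm")],
}

def classify(rules, path):
    """Return the action of the first rule whose regex matches the whole path."""
    for pattern, action in rules:
        if pattern is None or re.fullmatch(pattern, path):
            return action
    return "drop"

def follow(policy, url, max_hops=10):
    """Follow redirects like a browser; return ('served' | 'loop', urls requested)."""
    seen, hops = set(), []
    while len(hops) < max_hops:
        hops.append(url)
        if url in seen:
            return "loop", hops
        seen.add(url)
        parts = urlsplit(url)
        if classify(policy[parts.scheme], parts.path or "/") == "serverfarm":
            return "served", hops
        url = REDIRECT_TARGET  # the only other action in these policies is the 302
    return "loop", hops

if __name__ == "__main__":
    for name, policy in (("posted", POSTED), ("split", SPLIT)):
        for start in ("http://aa.bb.cc", "https://aa.bb.cc/", REDIRECT_TARGET):
            outcome, hops = follow(policy, start)
            print(f"{name:6} {start:28} -> {outcome} after {len(hops)} request(s)")
```

In the posted policy the absolute-URL pattern never equals a request path, so class-default answers every request, including the one for /logonpage, with the same 302.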