12-19-2011 06:19 AM
Hi everyone,
I have a problem configuring URL redirect on ACE 30 (Version A4(1.0)).
When a user enters IP address or a name of a service (http://aa.bb.cc or https://aa.bb.cc), the ACE module should redirect him to the page https://aa.bb.cc/logonpage. Here is my non-working config:
access-list OUTSIDE line 8 extended permit tcp any any eq https
access-list OUTSIDE line 16 extended permit tcp any any eq www
access-list OUTSIDE line 24 extended permit icmp any any

probe http Test_HTTP_1
  port 80
  interval 60
  passdetect interval 30
  passdetect count 2
  request method head url /index.html
  expect status 200 200
  open 1

rserver redirect URL_Redirect_01
  webhost-redirection https://aa.bb.cc/logonpage 302
  inservice
rserver host S1
  ip address 10.0.0.2
  inservice
rserver host S2
  ip address 10.0.0.3
  inservice
rserver host S3
  ip address 10.0.0.4
  inservice

serverfarm redirect URL_Redirect_Farm
  rserver URL_Redirect_01
    inservice
serverfarm host SF1
  probe Test_HTTP_1
  rserver S1
    conn-limit max 9000 min 9000
    inservice
  rserver S2
    conn-limit max 9000 min 9000
    inservice
  rserver S3
    conn-limit max 9000 min 9000
    inservice

sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
  timeout 600
  replicate sticky
  serverfarm SF1

class-map match-any L4VIPCLASS
  2 match virtual-address 1.1.1.10 tcp eq https
  3 match virtual-address 1.1.1.10 tcp eq www
class-map type http loadbalance match-all FULL_URL
  2 match http url https://%h/logonpage

policy-map type loadbalance first-match L7POLICY
  class FULL_URL
    sticky-serverfarm STICKYGROUP1
  class class-default
    serverfarm URL_Redirect_Farm
policy-map multi-match VIPPOLICY
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy L7POLICY
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 200

interface vlan 100
  description OUTSIDE
  ip address 1.1.1.2 255.255.255.0
  access-group input OUTSIDE
  service-policy input VIPPOLICY
  no shutdown
interface vlan 200
  description INSIDE
  ip address 2.2.2.2 255.255.255.0
  nat-pool 1 2.2.2.10 2.2.2.10 netmask 255.255.255.255 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.0.0.0 255.0.0.0 2.2.2.1
Without redirection, only with:
policy-map type loadbalance first-match L7POLICY
  class class-default
    sticky-serverfarm STICKYGROUP1
it works, ACE load balances to rservers. Of course, user must enter full url.
With redirection configured, the user receives an HTTP redirect message with the correct address https://aa.bb.cc/logonpage, but his browser does not display the page. Even a directly entered full URL does not display it while redirection is configured.
Alternatively, does ACE30 already support url rewrite?
Please help.
Thank you,
Lubomir
12-19-2011 12:26 PM
Can you give some live http header traces ?
Also your
class-map type http loadbalance match-all FULL_URL
is wrong.
12-19-2011 12:54 PM
Hi,
What is wrong on FULL_URL class map? I tried several variants, none of them is working:
/logonpage
Thank you,
L.
12-19-2011 01:01 PM
class-map type http loadbalance match-all xxx-CM
  2 match http url /url-path/.*
12-19-2011 01:19 PM
No luck, I used:
/logonpage/.*
/aa.bb.cc/logonpage/.*
Please specify the exact text for my conditions.
Thank you.
12-19-2011 01:52 PM
If you are testing with https traffic this will not work. You are not terminating SSL so all traffic is encrypted and the ACE will not be able to match any L7 data. Can you test with http traffic, or try configuring SSL termination and test again.
Regards
Jim
12-19-2011 03:18 PM
Hi Jim,
removing SSL from ACE30 config did not help. The rserver is configured to change the communication to https and probably this does not match ACE config.
But I do not need ACE to inspect encrypted messages, I want it to simply balance. It should see the URL in unencrypted form, shouldn't it? When I am not using redirect (sticky-serverfarm STICKYGROUP1 under class class-default), the SSL communication goes end-to-end between client and server without problems.
I also tried to configure SSL termination (client to ACE) and initiation (ACE to rserver). Everything works, until I use redirect. Without redirect, when I type the full URL https://aa.bb.cc/logonpage into my browser, I receive ACE's certificate, and we establish the SSL connection. ACE also establishes another SSL connection to the rserver. The client gets the correct log-on window.
But when I configure redirect, it does not work...
Thank you.
12-20-2011 12:12 AM
Is your target "https://aa.bb.cc/logonpage" hosted behind the same VIP on the ACE ?
Your specific rule is related to your class-map and the general rule is to send the redirect. It can't work as you may go into an infinite loop.
Can you explain exactly the behaviour you want ?
When I read this :
When a user enters IP address or a name of a service (http://aa.bb.cc or https://aa.bb.cc), the ACE module should redirect him to the page https://aa.bb.cc/logonpage
You have to define two virtual servers : one for HTTP where there is only one rule : a redirect serverfarm in class-default.
For HTTPS, SSL termination is mandatory, but if you match anything except "/logonpage" you'll fall into an infinite loop at the next request.
The URL you have to match is just "/" to trigger the redirection (the request sent by the client is just "GET /" when he types the IP address or the name ONLY in the browser bar).
Don't forget to enable SSL rewrite if your backend application uses 302 redirect after the logon page. Otherwise you'll also fall into an infinite redirection loop.
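The redirect loop described in this reply, together with Jim's earlier point that a VIP which does not terminate SSL can never match an L7 URL class, modelled as an added Python example. This is not Cisco code and was not posted in the thread: it treats a first-match loadbalance policy-map as a list of regex URL classes followed by class-default, and walks the redirects a browser would follow. The single VIP as originally posted sits beside the two-VIP layout advised above. The serverfarm name SF1 and host aa.bb.cc come from the thread; the Rule/Vip structures and the choice of a five-hop loop limit are assumptions of this model.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Rule:
    """One class in a first-match loadbalance policy-map.

    pattern is a regex applied to the request path (ACE 'match http url'
    is regex-based); pattern=None models 'class class-default'.
    action is "redirect:<absolute URL>" or "serverfarm:<name>".
    """
    pattern: Optional[str]
    action: str


@dataclass
class Vip:
    """A virtual server: whether it terminates SSL and its L7 rules."""
    ssl_terminated: bool
    rules: List[Rule]


def select_action(vip: Vip, scheme: str, path: str) -> str:
    """First-match evaluation of the policy-map for one request."""
    for rule in vip.rules:
        if rule.pattern is None:
            return rule.action  # class-default always matches
        # Without SSL termination the ACE only sees ciphertext on HTTPS,
        # so no URL class can match and only class-default remains.
        if scheme == "https" and not vip.ssl_terminated:
            continue
        if re.fullmatch(rule.pattern, path):
            return rule.action
    raise LookupError("no class matched and no class-default configured")


def follow(vips: Dict[str, Vip], url: str, max_hops: int = 5
           ) -> Tuple[Optional[str], List[Tuple[str, str]], bool]:
    """Follow redirects like a browser. Returns (final_action, hops, looped)."""
    hops: List[Tuple[str, str]] = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        path = parts.path or "/"   # "GET /" when only the host is typed
        action = select_action(vips[parts.scheme], parts.scheme, path)
        hops.append((url, action))
        if not action.startswith("redirect:"):
            return action, hops, False
        url = action.split(":", 1)[1]
    return None, hops, True          # still redirecting after max_hops


REDIRECT = "redirect:https://aa.bb.cc/logonpage"

# As posted: one VIP for ports 80 and 443, no SSL termination, specific class
# for the logon page and the redirect farm in class-default.
L7POLICY_AS_POSTED = [
    Rule(r"/logonpage.*", "serverfarm:SF1"),
    Rule(None, REDIRECT),
]
AS_POSTED = {
    "http": Vip(ssl_terminated=False, rules=L7POLICY_AS_POSTED),
    "https": Vip(ssl_terminated=False, rules=L7POLICY_AS_POSTED),
}

# As advised: an HTTP VIP whose only rule is the redirect, and an HTTPS VIP
# that terminates SSL, redirects only "/" and sends everything else to SF1.
AS_ADVISED = {
    "http": Vip(ssl_terminated=False, rules=[Rule(None, REDIRECT)]),
    "https": Vip(ssl_terminated=True, rules=[
        Rule(r"/", REDIRECT),
        Rule(None, "serverfarm:SF1"),
    ]),
}


if __name__ == "__main__":
    for label, vips in (("as posted", AS_POSTED), ("as advised", AS_ADVISED)):
        for start in ("http://aa.bb.cc/", "https://aa.bb.cc/",
                      "https://aa.bb.cc/logonpage"):
            action, hops, looped = follow(vips, start)
            print(f"[{label}] {start}: {'LOOP' if looped else action} "
                  f"after {len(hops)} hop(s)")
```

Running it shows the symptom from the first post: with the single un-terminated VIP every HTTPS request, including the full URL typed directly, falls into class-default and is redirected to itself, so the browser never renders the page. With the two-VIP layout a bare host name takes exactly one redirect and then lands on SF1.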
12-20-2011 02:07 AM
Great hint, Surya,
you got it. Configuring a second VIP just for HTTP and the redirect solved the problem.
Thank you very much for your help and effort!
Best regards,
Lubomir