10-13-2009 02:30 PM
Hi,
I want to configure http to https redirects on CSS 11501. Could someone guide me on how to implement HTTPS redirect for a sub-directory.
Say I have www.xyz.com; by default it goes to http, which is fine. But if someone types in http://www.xyz.com/login or http://www.xyz.com/login/secure/index.html then it should be redirected to httpS://www.xyz.com/login or http://www.xyz.com/login/secure/index.html. Basically anything in and under the login directory should be HTTPS.
I have set up the following but I am getting a redirect loop:
content DEFAULT
vip address 10.1.1.1
protocol tcp
port 80
url "/*"
add service Server1
add service Server2
advanced-balance arrowpoint-cookie
active
content SSL_RULE
protocol tcp
vip address 10.1.1.1
port 443
add service SSL_SERVICE
active
content LOGIN
vip address 10.1.1.1
protocol tcp
port 80
url "//www.xyz.com/login/*"
add service LOGIN_RD
active
==========================
service LOGIN_RD
ip address 2.2.2.2
keepalive type none
type redirect
domain https://www.xyz.com
active
service SSL_SERVICE
type ssl-accel
slot 2
add ssl-proxy-list SSL_LIST1
keepalive type none
active
I would greatly appreciate any help.
10-13-2009 08:01 PM
You're getting a redirect loop because you do not have an alternate port where the redirected traffic can be processed. The inbound request that contains "/login" will get redirected to the HTTPS equivalent; however, with your current configuration the connection will simply fall under the same redirect content rule and you will never resolve content correctly (redirect loop).
The following configuration will work:
content DEFAULT
vip address 10.1.1.1
protocol tcp
port 80
url "/*"
add service Server1
add service Server2
advanced-balance arrowpoint-cookie
active
content DEFAULT
vip address 10.1.1.1
protocol tcp
port 81
url "/*"
add service Server1
add service Server2
advanced-balance arrowpoint-cookie
active
content SSL_RULE
protocol tcp
vip address 10.1.1.1
port 443
add service SSL_SERVICE
active
content LOGIN
vip address 10.1.1.1
protocol tcp
port 80
url "/login*"
add service LOGIN_RD
active
==========================
service LOGIN_RD
type redirect
no prepend-http
keepalive type none
domain https://www.xyz.com
active
service SSL_SERVICE
type ssl-accel
slot 2
add ssl-proxy-list SSL_LIST1
keepalive type none
active
Update the ssl-proxy-list with an alternate port to send the decrypted traffic to:
ssl-server 1 cipher all-cipher-suites 10.1.1.1 81
I chose port 81 as the alternate decrypted port; however, you can choose any other port. Please be sure that your servers are set up to accept traffic on that alternate port as well. If not, you can simply set up a NAT rule and hard-set the destination port on the services to port 80. This will allow the CSS to re-write the destination port to port 80 when the decrypted traffic gets sent to the alternate port 81 content rule.
Hope this info helps.
- Jason
10-14-2009 02:19 AM
Hi Jason,
Thank you for your reply. I have not tried your configuration yet but I am sure it will work. However, I do have another couple of questions:
1. Do I need to update my services (Server1, Server2) to use port 81? Currently they are configured as:
service Server1
ip address 192.168.0.1
protocol tcp
port 80
keepalive http
uri "/"
active
Do I need to update port 80 to 81 here?
2. How can I redirect port 81 to 80 on the CSS if I do not want the servers to listen on another port (mainly because the servers are in production and I do not have access to them, and httpd would require a restart)? I would be more than happy to do my own research and test things, but unfortunately I do not have this option.
Thank you in advance.
10-14-2009 07:12 AM
Hello Muhammad,
The service configuration is correct as is. The "port 80" command within the service configuration is a NAT rule. This will always instruct the CSS to re-write the destination port to port 80.
If you were to place your services under a port 81 content rule, port 25, or any other port content rule without hard setting the port on the services they would inherit the source and destination port defined within the content rule itself.
If you run the command "sho service Server1" on the CSS you will see the entire service configuration, and how it will operate. From here you will see what I am talking about.
With your current service configuration you should see something like the following:
Rule ( 192.168.0.1 ANY 80 )
The 1st "ANY" is the source port, which the service inherits from the content rule it is placed under, and the "80" is your NAT rule that instructs the CSS to re-write the destination port to port 80. If you removed the "port 80" command from your service configuration, and ran the "sho service Server1" command again you will see the following:
Rule ( 192.168.0.1 ANY ANY )
If you want to test whether the CSS will re-write the destination port to port 80, you can. Create a test content rule with any port; for this example I'll use SMTP port 25. Apply one of your existing services under this rule (Server1). If you have a Windows machine, open up a command prompt and create a socket connection to the VIP over port 25. First off, you wouldn't see an SMTP HELO banner displayed after creating the socket connection to the VIP over port 25; if you still want to test, type the following within the window: GET "/". You should see HTML content within your command prompt window.
- Jason
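The rule selection Jason describes in his two replies (why the first config loops and how the service "port 80" NAT lets decrypted port-81 traffic still reach the servers on 80), modelled as an added example; this is not code from the thread or from the CSS itself. It assumes the original ssl-proxy-list handed decrypted traffic back to port 80 (which is what the observed loop implies) and the fixed one to port 81, and it drops the host part of the original "//www.xyz.com/login/*" url and models it as the path pattern "/login/*".

```python
"""Toy model of CSS content-rule selection for the two configs in this thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    port: int             # content rule "port"
    url: str = "/*"       # content rule "url"; a trailing * is a prefix wildcard
    kind: str = "server"  # "server" (Server1/2), "redirect" (LOGIN_RD), "ssl" (SSL_SERVICE)


def url_matches(pattern: str, path: str) -> bool:
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def select_rule(rules, port, path):
    # The CSS picks the most specific matching url; modelled here as the longest pattern.
    hits = [r for r in rules if r.port == port and url_matches(r.url, path)]
    return max(hits, key=lambda r: len(r.url), default=None)


def trace(rules, path, decrypt_port, service_nat_port=80, max_hops=6):
    """Follow http://www.xyz.com<path> through the rules; return (hops, outcome)."""
    port, hops = 80, []
    for _ in range(max_hops):
        rule = select_rule(rules, port, path)
        if rule is None:
            return hops, "no-rule"
        hops.append(f"{rule.name}:{port}")
        if rule.kind == "redirect":
            port = 443              # client follows Location: https://www.xyz.com<path>
        elif rule.kind == "ssl":
            port = decrypt_port     # ssl-server re-injects the cleartext flow on this port
        else:
            # service "port 80" is a NAT: destination port is rewritten to 80 regardless
            hops.append(f"server:{service_nat_port}")
            return hops, "served"
    return hops, "loop"


# Constructed from the thread's two configs (assumed decrypt ports: 80 then 81).
ORIGINAL = [Rule("DEFAULT", 80), Rule("SSL_RULE", 443, kind="ssl"),
            Rule("LOGIN", 80, "/login/*", kind="redirect")]
FIXED = [Rule("DEFAULT", 80), Rule("DEFAULT", 81), Rule("SSL_RULE", 443, kind="ssl"),
         Rule("LOGIN", 80, "/login*", kind="redirect")]

if __name__ == "__main__":
    print(trace(ORIGINAL, "/login/secure/index.html", decrypt_port=80))  # loops
    print(trace(FIXED, "/login/secure/index.html", decrypt_port=81))     # served via :81
    print(trace(FIXED, "/index.html", decrypt_port=81))                  # plain http path
```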
10-23-2009 01:29 PM
Hi Jason,
Thank you for your help. I managed to get it all working with your help.
Rgds,
11-04-2009 12:42 PM
Hello,
OK. It is all working: three servers being load balanced for www.xyz.com, and the 4th is a stand-alone host serving forums.xyz.com.
I did not experience any issues myself, but there are some external users complaining that sometimes when they browse to www.xyz.com they don't see anything, with "Done" at the browser bottom. When they refresh, the site loads as normal. (They did not have this issue before the CSS.)
I have enabled debug level logging and all I see are the following frequent messages:
(xx.xx.xx.xx is the external user IP masked to protect the innocent :))
4 NOV 16:07:15 1/1 19608 FLOWMGR-7:
DoS SYN attack: xx.xx.xx.xx:1676->10.1.1.1:80
synCnt: 1, initSeq: 3718679720
4 NOV 16:07:51 1/1 19609 FLOWMGR-7:
DoS SYN attack: xx.xx.xx.xx:3119->10.1.1.1:81
synCnt: 1, initSeq: 342024065
4 NOV 16:07:51 1/1 19610 FLOWMGR-7:
DoS SYN attack: xx.xx.xx.xx:3122->10.1.1.1:81
synCnt: 1, initSeq: 344186757
4 NOV 16:07:51 1/1 19611 FLOWMGR-7:
DoS SYN attack: xx.xx.xx.xx:3128->10.1.1.1:81
synCnt: 1, initSeq: 356179851
4 NOV 16:07:52 1/1 19612 FLOWMGR-7:
DoS SYN attack: xx.xx.xx.xx:49196->10.1.1.1:81
synCnt: 1, initSeq: 421715861
I also see the following messages (not as frequent):
4 NOV 16:13:30 1/1 19669 WCC-7: Cookie seq number entry not found to retrieve value for flow 0x8fa0.
4 NOV 16:14:24 1/1 19674 WCC-7: Cookie seq number entry not found to retrieve value for flow 0x8fcd.
Also attached are the config and network layout doc.
Any suggestions please?