
HTTPS header rewrite

tonesco01
Level 1

Guys,

I need to set up ACE to do the below:

The client will call a URL: https://server1.com.br

   - ACE will terminate this SSL with a certificate from my internal CA imported to ACE;

Then, I need ACE to rewrite the URL to https://host01.com.br/appl using a certificate generated by the Application Server and also imported to ACE.

Is it possible?


Borys Berlog
Cisco Employee

Hi

If you mean that the user will type https://server1.com.br, this request will get terminated on ACE, and then ACE will initiate a connection to the rserver but with the URL https://host01.com.br/app - no, it's not possible, ACE doesn't operate with URLs.

I'm not sure what exactly you want to achieve, but these are the possibilities that come to my mind first:

- you can change fields in the HTTP header (e.g. the Host field)

- you can set up a redirect serverfarm which will redirect the user to https://host01.com.br/app when he tries to access https://server1.com.br. It works as a simple HTTP redirect, so you'd need to have a separate VIP for this new connection

parveesm123
Level 1

Hi Wallace,

Are you looking for an end-to-end SSL implementation?

CLIENT -> ACE (one cert), then ACE -> SERVER with another certificate?

Where ACE will act as an SSL client?

This way, HTTPS from the server can be offloaded from ACE (when accessing from the client), and then ACE forwards the same HTTPS request to the server, but ACE will carry the certificate, or it will act as a client where it will carry the certificate of the server.

Is this what you are looking for? I am still not clear about your requirement.

-PMD

Hi parveesm123 and Borys Berlog,

The implementation is like this:

The client will request a URL in HTTPS that will be pointed to a VIP in ACE. This request will use a certificate, so, one certificate from the client to ACE. The match is only layer 3 in this policy-map. Then ACE should open a connection to the rserver, but using HTTPS with another certificate, and rewriting the HTTPS header, from https://server1.com.br to https://host01.com.br/app. I think ACE should act as a client in this connection.

The question is:
Can ACE open this connection to the rserver using another certificate, different from the SSL termination?
And how could I do this HTTPS header rewrite?
If you need the running config of this implementation, I can upload it.

Thanks for the attention

So, you have client authentication configured on your real server? (I mean, very often HTTPS only uses a certificate on the server side.)

If yes - no problem, you can configure such a type of SSL initiation too; however, we can rewrite the HTTP header but we can't change the URL (and https://server1.com.br to https://host01.com.br/app are URLs).

Example of an HTTP header and some small explanations:

http://www.http.header.free.fr/http.html

And in that example you can change only these parts:

>> Host: www.http.header.free.fr
>> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
>> Accept-Language: Fr
>> Accept-Encoding: gzip, deflate
>> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
>> Connection: Keep-Alive

You can't change these:

URL: "http://www.http.header.free.fr/http.html". Your browser connects to www.http.header.free.fr and sends:
>> GET /http.html HTTP/1.1

Ok Borys,

I understand the point. About the SSL initiation, could you give an example of this implementation?

This is from the configuration guide:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/ssl/guide/initiate.html#wpxref83150

Basically, for SSL initiation you need to have everything configured as with usual load balancing; just in the L7 policy map you need to add:

policy-map type loadbalance first-match NAME
  class CLASS-NAME
    ssl-proxy client SSL-PROXY-NAME

and have the ssl-proxy configured:

ssl-proxy service SSL-PROXY-NAME

You can have it empty - in this case it will be a usual server-authenticated connection. You can add some client certificates, and in this case ACE will use them to authenticate itself if the server requests it.
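
The configuration the replies above describe, assembled as an added example that is not part of the original thread or Cisco's own documentation: SSL termination on the VIP with one certificate, SSL initiation to the rserver, and a rewrite of the Host header only. All object names, IP addresses, the VLAN and the key/certificate file names are constructed placeholders, and the `header rewrite` action assumes an ACE software release that supports HTTP header rewrite. Lines starting with `!` are annotations for the reader; drop them before pasting.

```cisco
! Backend application server (placeholder address)
rserver host APP1
  ip address 192.0.2.10
  inservice

serverfarm host SF_APP
  rserver APP1 443
    inservice

! Client side: terminate SSL with the certificate from the internal CA
! (placeholder file names for the imported key pair and certificate)
ssl-proxy service SSL_FRONT
  key server1-key.pem
  cert server1-cert.pem

! Server side: an empty service gives an ordinary server-authenticated
! connection, as described in the reply above
ssl-proxy service SSL_BACK

! Only the Host header is rewritten; the request line (GET / ...) is
! forwarded unchanged, so this does not add /app to the path
action-list type modify http REWRITE_HOST
  header rewrite request Host header-value server1\.com\.br replace host01.com.br

class-map match-all VIP_HTTPS
  2 match virtual-address 198.51.100.10 tcp eq https

! L7 policy: pick the serverfarm, rewrite the header, re-encrypt to the rserver
policy-map type loadbalance first-match L7_APP
  class class-default
    serverfarm SF_APP
    action REWRITE_HOST
    ssl-proxy client SSL_BACK

! L3/L4 policy: match the VIP and terminate the client's SSL session
policy-map multi-match CLIENT_VIPS
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy L7_APP
    ssl-proxy server SSL_FRONT

interface vlan 100
  service-policy input CLIENT_VIPS
```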

Ok Borys,

Thanks a lot for your explanations and help.