Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Https header rewrite

Guys,

I need to setup ACE to do the below:

The client will call a url: https://server1.com.br

   - Ace will terminate this ssl with a certificate of my internal ca imported to ACE;

Then, I need ACE to rewrite the url to https://host01.com.br/appl using a certificate generated by the Application Server and also imported to ACE.

It's possible?

7 REPLIES
Cisco Employee

Https header rewrite

Hi

If you mean that user will type https://server1.com.br , this request will get terminated on ACE and then ACE will initiate connection to rserver but with url https://host01.com.br/app - no, it's not possible, ACE doesn't operate with url.

I'm not sure what exactly you want to acheive, but these are possibilities which are coming to my mind first :

- you can change fields in HTTP header (e.g. Host field)

- you can setup a redirect serverfarm which will redirect user to https://host01.com.br/app when he tries to access https://server1.com.br. It works as a simple HTTP redirect, so you'd need to have a separate VIP for this new connection

New Member

Https header rewrite

Hi wallace,

are you looking for END to END SSL implementation?

CLIENT->ACE (one cert) then ACE-> SERVER another certificate?

where ACE will act as SSL client?

this way , https: from the server can be offloaded from ace ( when accessing from the client ) and then

forward the same HTTPS request to the server , but ACE will carry the certificate or it will act as a client where it will carry the certficate of the server.

is this what you are looking for , i am still not clear about your requirement.

-PMD

New Member

Https header rewrite

Hi parveesm123 and Borys Berlog ,

The implementation is like this:

The client will request an url in https that will be pointed to a Vip in ACE. This request will use a certificate, so, one certificate from the client to ACE. The match is only layer 3 in this policy-map. then ACE should open a connection to the rserver, but using https with another certificate, and rewriting the https header, from https://server1.com.br to https://host01.com.br/app. I think ace should act as a client in this connection.

The question is:
ACE can open this connection to the rserver using another certificate, different from the ssl termination?
And how could I do this https header rewrite?
If you need the running config of this implemetation, I can upload.

Thanks for the attention

Cisco Employee

Https header rewrite

So, you have client authentication cofigured on your real server ? (I mean , very often HTTPS  only uses certificate on server side)

If yes - no problem you can configure  such type of SSL initiation too, however we can rewrite http header but we can't change URL (and https://server1.com.br to https://host01.com.br/app are URLs)

Example of HTTP header and some small explanations :

http://www.http.header.free.fr/http.html

And in that example you can change only these parts :

>> Host: www.http.header.free.fr
>> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
>> Accept-Language: Fr
>> Accept-Encoding: gzip, deflate
>> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
>> Connection: Keep-Alive

You can't change these :

URL : "http://www.http.header.free.fr/http.html". Your browser connects to www.http.header.free.fr and sends :
>> GET /http.html Http1.1

New Member

Https header rewrite

Ok Borys,

I undestand the point. About the ssl initiation, could you give an example of this implementation?

Cisco Employee

Https header rewrite

This is from conf guide :

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/ssl/guide/initiate.html#wpxref83150

Basically for SSL initiation you need to have configured everything as with usual loadbalancing , just in L7 policy map you need to add :

policy-map type load firt NAME

class CLASS-NAME

ssl-proxy cleint SSL-PROXY-NAME

and have ssl-proxy configured :

ssl-proxy service SSL-PROXY-NAME

You can have it empty - in this case it will be usual server authenticated connection. You can add some client certificates and in this case ACE will use them to authenticat itself if server requests it.

New Member

Https header rewrite

Ok Borys,

Thanks a lot for your explanations anda help.

499
Views
0
Helpful
7
Replies
CreatePlease login to create content