2425 Views, 5 Helpful, 8 Replies

redirect from http to https

nasirudheen (Level 1)

Hi all,

Sorry if this is a stupid question (I am very new to the CSS and could not find much documentation).

I am testing the CSS and have configured it for SSL termination for my Linux server, with Apache sitting behind a CSS 11500. It works fine: for example, when I enter https://pirana.cohort.org from a client machine, it works. But when I enter http://pirana.cohort.org the browser displays "400 Bad Request" and asks me to use https://pirana.cohort.org instead. Now, my question is, how do I configure the CSS so that all requests to http://pirana.cohort.org (i.e. at port 80) are automatically forwarded to https://pirana.cohort.org (at port 443)? After going through the docs I found the urlrewrite option, and it is still not working. Please note that there is no service running on port 80 of that Linux box.

here is the relevant info

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list 10
  ssl-server 10
  ssl-server 10 vip address 192.168.10.3
  ssl-server 10 rsacert cacert.pem
  ssl-server 10 rsakey cakey.pem
  ! Both cipher suites below are export-grade (1024-bit export RSA with single DES, 40-bit RC4 with MD5) and are weak
  ssl-server 10 cipher rsa-export1024-with-des-cbc-sha 192.168.10.3 443
  ssl-server 10 cipher rsa-export-with-rc4-40-md5 192.168.10.3 443 weight 5
  ssl-server 10 urlrewrite 22 pirana.cohort.org sslport 443 clearport 80
  description "This is the SSL list for pirana.cohort.org "
  active

service ssl_srv1
  add ssl-proxy-list 10
  ip address 172.16.1.160
  protocol tcp
  port 443
  active

!*************************** OWNER ***************************
owner locator

owner ssl1
  content ssl_rule1
    vip address 192.168.10.3
    add service ssl_srv1
    application ssl
    advanced-balance url
    string prefix "mycookie="
    protocol tcp
    port 443
    active

  content ssl_rule2
    add service ssl_srv1
    vip address 192.168.10.3
    url "//pirana.cohort.org/*"
    redirect "redirect for port 80"
    protocol tcp
    port 80
    active

Could someone please advise me how to proceed to achieve this? Any help would be greatly appreciated.

Regards,

Nasir

2 Accepted Solutions (both reproduced in the replies below)

8 Replies

skumar1969 (Level 1)

Nasir,

For the port 80 to port 443 redirection, use the following config after removing the redirection rule you have in your original config. url-rewrite is for some other purpose. Take a scenario where you use SSL in the front and clear HTTP at the back: the browser prompts you that it is entering a non-secured region from the secured region. If you don't want to see the browser prompt, use 'url-rewrite'.

!************************** SERVICE **************************
service secure-transfer
  ip address 2.2.2.2
  keepalive type none
  type redirect
  no prepend-http
  redirect-string "https://pirana.cohort.org"
  active

!*************************** OWNER ***************************
owner ssl1
  content default-redirect
    vip address 192.168.10.3
    protocol tcp
    port 80
    url "/*"
    add service secure-transfer
    active

Hope this will solve the issue.

thanks
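Once a 'type redirect' service like the one above is active, the check a practitioner wants is a client-side one: does port 80 really answer with a redirect, and does the Location point at https:// on the same host rather than back to http:// or to some other host? The following is an added Python example, not code from the thread or from Cisco. The sample responses it runs against are constructed for illustration (they were not captured from the poster's CSS), and the function names are my own.

```python
"""Added example (not from the original post or from Cisco): a check that the
plain-HTTP side of a site answers with a redirect to the HTTPS version of the
same host, which is what the 'type redirect' service above is meant to
produce. The sample responses are constructed for illustration; they were
not captured from the poster's CSS."""
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_status_and_headers(raw):
    """Split a raw HTTP/1.x response into (status_code, {lowercase-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    code = int(parts[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return code, headers


def check_https_redirect(raw_response, expected_host):
    """Return (ok, reason): ok only when the response is a redirect whose
    Location is an https:// URL on expected_host (no open redirect to another
    host, no http:// loop back to port 80)."""
    code, headers = parse_status_and_headers(raw_response)
    if code not in REDIRECT_CODES:
        return False, "status %d is not a redirect" % code
    location = headers.get("location")
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return False, "Location scheme is %r, not https" % target.scheme
    if not target.hostname or target.hostname.lower() != expected_host.lower():
        return False, "Location host %r is not %r" % (target.hostname, expected_host)
    return True, "redirects to " + location


# Constructed sample responses (illustrative, not real captures).
GOOD = ("HTTP/1.0 302 Found\r\n"
        "Location: https://pirana.cohort.org\r\n"
        "Content-Length: 0\r\n\r\n")
# What the poster saw before the redirect rule existed: an error, not a redirect.
BAD_REQUEST = ("HTTP/1.1 400 Bad Request\r\n"
               "Content-Type: text/html\r\n\r\n"
               "<html>Bad Request: use https://pirana.cohort.org instead</html>")
# A redirect-string pointing at a different host would be an open redirect.
WRONG_HOST = "HTTP/1.0 302 Found\r\nLocation: https://other.example/\r\n\r\n"
# A redirect back to http:// would send the client through port 80 again.
HTTP_LOOP = "HTTP/1.0 302 Found\r\nLocation: http://pirana.cohort.org/\r\n\r\n"


def run_samples(expected_host="pirana.cohort.org"):
    """Evaluate every sample and return {name: ok}."""
    samples = {"good": GOOD, "bad_request": BAD_REQUEST,
               "wrong_host": WRONG_HOST, "http_loop": HTTP_LOOP}
    return {name: check_https_redirect(raw, expected_host)[0]
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, ok in run_samples().items():
        print("%-12s %s" % (name, "OK" if ok else "FAIL"))
```

To use this against a live VIP, open a TCP connection to port 80, send `GET / HTTP/1.0` with a `Host:` header for the site, and feed the raw bytes of the reply to `check_https_redirect`; only the "good" shape should pass.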

nasirudheen (Level 1)

Thanks a lot for your reply. Now I have another (but different) question. If you could, please give me an answer.

Is there any option which I can use just to let every request "pass through" if it DOES NOT match any configured rule? For example, in my set up I have a PIX firewall, then the CSS, then the server farm, as follows:

PIX ---> CSS ---> Servers

Now the PIX should pass everything (after the filtering) to the CSS, and the CSS should try to match it against the configured rules. If it doesn't match, then it should just "forward" it to the server (as per the IP/URL in the incoming packet). Is this possible? If so, what is the way to do it? Please help me out, and thanks again for your time.

Regards,

Nasir

Nasir,

If it is clear HTTP traffic this is pretty simple to do. If you want to achieve it through SSL, you can still do it, though it is a bit more complex: same technique as mentioned below, but you would use the backend Content rules for this purpose.

Create more than one Content Rule (CR) and on each CR mention the exact url. On one CR just don't mention the url; that means you are implicitly allowing all urls that were not matched by the other CRs configured. See below. Think of a router and how the routing table entries are used: the idea is that the 'most specific match' is used first for forwarding the traffic.

owner locator
  content rule1
    add service srv1
    vip address 192.168.10.3
    url "//pirana.cohort.org/test1/*"
    protocol tcp
    port 80
    active

  content rule2
    add service srv1
    vip address 192.168.10.3
    url "//pirana.cohort.org/test2/*"
    protocol tcp
    port 80
    active

  content rule3
    add service srv1
    vip address 192.168.10.3
    protocol tcp
    port 80
    active

Hope this would help you.

Thanks
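The reply above describes rule selection by analogy with a routing table: several content rules share one VIP and port, the rule with the most specific url match wins, and a rule with no url is the catch-all. The following added Python model (not code from the thread and not the CSS firmware's logic) walks requests through the three rules just shown so the behaviour can be traced. The rule names, VIP and url patterns are taken from the reply; the url syntax handled is the "//host/path*" and "/path*" forms that appear on this page; the tie-break used for specificity (longer literal prefix wins) is an assumption, not documented CSS behaviour.

```python
"""Added example (not from the post or from Cisco firmware): a model of how
several content rules on the same VIP and port are chosen by 'most specific
match', with a rule that has no url acting as the catch-all. The specificity
tie-break (longer literal prefix wins) is an assumption."""

CONTENT_RULES = [
    {"name": "rule1", "vip": "192.168.10.3", "port": 80,
     "url": "//pirana.cohort.org/test1/*", "service": "srv1"},
    {"name": "rule2", "vip": "192.168.10.3", "port": 80,
     "url": "//pirana.cohort.org/test2/*", "service": "srv1"},
    # No url: matches anything on this VIP/port that the rules above do not.
    {"name": "rule3", "vip": "192.168.10.3", "port": 80,
     "url": None, "service": "srv1"},
]


def url_pattern_matches(pattern, host, path):
    """Match a CSS-style url pattern. '//host/prefix*' pins the host and a
    path prefix; '/prefix*' pins only the path; a trailing '*' is a wildcard,
    otherwise the path must match exactly. Host comparison is case-insensitive."""
    if pattern.startswith("//"):
        phost, _, ppath = pattern[2:].partition("/")
        if phost.lower() != host.lower():
            return False
        ppath = "/" + ppath
    else:
        ppath = pattern
    if ppath.endswith("*"):
        return path.startswith(ppath[:-1])
    return path == ppath


def rule_matches(rule, vip, port, host, path):
    """A rule applies only on its own VIP and port; without a url it matches
    every request that reaches that VIP/port."""
    if rule["vip"] != vip or rule["port"] != port:
        return False
    if rule["url"] is None:
        return True
    return url_pattern_matches(rule["url"], host, path)


def specificity(rule):
    """Longer literal (non-wildcard) text is treated as more specific; a rule
    with no url is the least specific (assumption, see module docstring)."""
    if rule["url"] is None:
        return -1
    return len(rule["url"].rstrip("*"))


def select_rule(rules, vip, port, host, path):
    """Return the most specific matching rule, or None when no rule on that
    VIP/port applies at all."""
    candidates = [r for r in rules if rule_matches(r, vip, port, host, path)]
    if not candidates:
        return None
    return max(candidates, key=specificity)


def route(vip, port, host, path, rules=CONTENT_RULES):
    """Name of the selected rule for a request, or None."""
    rule = select_rule(rules, vip, port, host, path)
    return rule["name"] if rule else None


if __name__ == "__main__":
    for req in [("pirana.cohort.org", "/test1/index.html"),
                ("pirana.cohort.org", "/test2/a/b"),
                ("pirana.cohort.org", "/other"),
                ("other.example.org", "/test1/x")]:
        print("%-20s %-18s -> %s" % (req[0], req[1],
                                     route("192.168.10.3", 80, *req)))
```

Note that the host-pinned patterns only match that host: a request for /test1/x with a different Host header falls through to rule3, as does /test1 without the trailing slash, which is why the catch-all rule matters.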

Hi Skumar,

Thanks indeed again for your help. But I think I should elaborate a bit on my exact requirement. My network diagram is as follows:

PIX ---> CSS ---> SERVERS

Relevant info

PIX
  External IP - X.X.100.59
  Internal IP - 10.16.2.1

Servers
  IP - 10.16.2.0 range (10.16.2.11, 10.16.2.13 etc.)

CSS
  Circuit VLAN1 IP - 10.16.2.2

Requirement:

The PIX should pass everything to the CSS (of course after proper filtering only). Then whatever the CSS gets, it should compare against the content rules and do either of these two:

1. If it matches any content rule, it should forward it accordingly.

2. If it DOES NOT match any content rule, it should simply forward the traffic to the original server as if it had not even seen the packet.

The first part is working fine. The second part is NOT working. Let me explain with the help of an example. I have NAT/access rules configured to NAT every request to port 1000 of the PIX public IP (X.X.138.59) to port 8080 of 10.16.2.13. In my CSS (just for testing) I added a rule to pass everything which comes to 10.16.2.13 port 8080 on to 10.16.2.11 port 9000. This works fine. Now I have another NAT/access rule in the PIX to NAT/permit every request to port 80 of X.X.138.59 to 10.16.2.11 port 80.

Now my question is: how do I get the request to 10.16.2.11 port 80 (as translated by the PIX) passed through the CSS to 10.16.2.11? What configuration is needed for this? I understand that my CSS set up is in bridge mode. Will that be a problem? What is the difference between bridge mode and router mode? I would really appreciate any suggestion or answer for these, as I could not find any documentation for the CSS other than the official guides, which did not answer my questions (at least in my reading).

this is my relevant show run output from CSS

!************************** SERVICE **************************
service app1
  protocol tcp
  port 9000
  ip address 10.16.2.11
  active

!*************************** OWNER ***************************
owner ssl1

owner wap

owner web
  content testct
    add service app1
    vip address 10.16.2.13
    protocol tcp
    port 8080
    active

!*************************** GROUP ***************************
group mynat
  add destination service app1
  vip address 10.16.2.100
  active

Regards,

Nasir

Nasir,

The config I have given below should work for your new requirement.

If you ask me what the difference between the routing and bridging topology is, read my other reply under the subject "Group configuration in CSS":

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Networking%20Solutions&topic=Content%20Networking&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddba982

!************************** SERVICE **************************
service app1
  protocol tcp
  port 9000
  ip address 10.16.2.xx        ! -----> server IP address
  active

!*************************** OWNER ***************************
owner ssl1

owner wap

owner web
  content testct
    add service app1
    vip address 10.16.2.11
    protocol tcp
    port 80
    active

!*************************** GROUP ***************************
group mynat
  add destination service app1
  vip address 10.16.2.100
  active

thanks

Kumar,

I truly appreciate your willingness to help me! But unfortunately my problem is not solved yet. In the configuration you mentioned there is only one difference from my existing one: under "content testct" the vip address is 10.16.2.11 (the app1 machine) in your configuration, but in my (existing) configuration it is 10.16.2.13 (the app2 machine). Now I tried to change it to 10.16.2.11 and it gives an error as follows:

CSS11501(config-owner-content[web-testct])# vip address 10.16.2.11

%% VIP address conflicts with local I/F,service,APP, or mgmt route

I will just restate my requirement briefly. Whatever request comes from clients (through the PIX) to the CSS, it should try to match it against the rules and, if no match occurs, it should simply forward it to the server address and port specified in the request.

I am really lost at this point. Please suggest what to do.

Regards,

Nasir

Nasir,

I know you are using a bridge topology, meaning one single IP subnet for both the server and client side. Servers (CSS services) have IP addresses in the same range as the Content Rule VIPs.

So, for content testct, change the VIP address to one you find not used elsewhere.

The Content Rule and the source groups (under which the 'add destination service' command is placed) should have the same VIP address configured. Please correct this in the earlier config I gave.

More details, refer the following link.

CSS Load Balancing Using One Interface Configuration Example

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml

thanks

Kumar,

Thanks a lot for your help. In fact the material you pointed out is just what I was looking for (it's funny that it eluded all my googling :-) ). Now it is working and I am testing it. So far so good. If there is anything more I will disturb you again.

Thanks again

Nasir
