Redirecting all http traffic to https when the ACE is performing SSL termination (for accessibility purposes)

bgfl-tech (Level 1)

Hi,

I have an ACE fronting a two Apache webserver serverfarm and performing SSL termination for the website served by the serverfarm. The entire website needs to be secure, i.e. every page needs to be https as opposed to just sub-sections or specific URLs that need to be https.

For accessibility purposes I'd like to allow inbound port 80 for the sole purpose of re-writing/re-directing the request to https, i.e. so that the page is accessible without a user having to specify the https:// prefix in a browser address bar and likewise results from search engines working (which I believe don't include the http/https prefix).

Typically we use the ACE just for load-balancing and SSL termination with web logic style functionality (re-writes/re-directs) performed by the http server tier below (mainly because of the distinction between the skills of the support teams involved - Networks vs Applications). The web app team that looks after the Apache servers has suggested having each server listening on two ports and having the ACE forward native http traffic to the Apache(s) on one port and https traffic that is terminated by the ACE and then forwarded on as http on another. The instance of Apache that plain (non-SSL terminated) http traffic is sent to could then just have a rule to forward everything to https (so a user couldn't even deliberately try and remove the 's' from https in the address bar).

My question is whether the ACE can do the same thing negating the need for the added Apache complexity?

Can the ACE simply send a redirect back to the user every time the http VIP is hit, just changing the URL requested to https, so it doesn't even have to hit the Apache server?

thanks in advance for any advice

regards

Matthew

Accepted Solution

Sean Merrow (Level 4)

Hi Matthew,

Yes, the ACE can do what you are looking for, and I totally agree that it would reduce a lot of added complexity from the servers.  Below is an example of HTTP-to-HTTPS Redirect w/SSL Termination & HTTP-to-HTTPS Header Re-write.  The header re-write is cool: since the backend servers are listening on port 80 (or some clear-text port), if they send a redirect for some reason, the ACE will even re-write the Location header of the 301 or 302 redirect to use HTTPS.

With the example config below, clients that connect to the VIP on port 80 (HTTP) will be redirected to the same FQDN and path using port 443 (HTTPS).  Clients will then open an HTTPS session to the ACE where the SSL session will be terminated and load balanced to the real servers in clear-text on port 80 (HTTP).  The HTTP-to-HTTPS redirect in this example is a 301 redirect (permanent).  The 301 can be either removed or changed to 302 to revert to the default of a temporary redirect.

If your ACE is running A2 software or higher for the module, or A3 software or higher for the 4700 appliance, then you can also include the necessary configuration for HTTP-to-HTTPS redirect location header re-write.

HTTP-to-HTTPS Redirect Configuration

SSL Termination Configuration

HTTP-to-HTTPS Redirect Location Header Re-Write

Example Config

access-list ANYONE line 10 extended permit ip any any

probe http HTTP-KEEPALIVE
  interval 5
  faildetect 3
  passdetect interval 5
  passdetect count 2
  request method get url /keepalive.html
  expect status 200 200

rserver redirect REDIRECT-TO-HTTPS
  webhost-redirection https://%h%p 301
  inservice

rserver host SERVER_01
  ip address 10.10.10.20
  inservice

rserver host SERVER_02
  ip address 10.10.10.21
  inservice

action-list type modify http REWRITE
  ssl url rewrite location www\.cisco\.* sslport 443 clearport 80

serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-TO-HTTPS
    inservice

serverfarm host REAL_SERVERS
  probe HTTP-KEEPALIVE
  rserver SERVER_01 80
    inservice
  rserver SERVER_02 80
    inservice

ssl-proxy service SSL_SERVICE
  key mykey.pem
  cert mycert.pem

class-map match-all HTTP-VIP
  2 match virtual-address 172.21.162.178 tcp eq http

class-map match-all HTTPS-VIP
  2 match virtual-address 172.21.162.178 tcp eq https

class-map type management match-any MANAGEMENT
  2 match protocol icmp any
  3 match protocol telnet any

policy-map type management first-match REMOTE_MGT
  class MANAGEMENT
    permit

policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SERVERFARM

policy-map type loadbalance first-match LOAD-BALANCE-PM
  class class-default
    serverfarm REAL_SERVERS
    action REWRITE

policy-map multi-match WEB-TRAFFIC
  class HTTP-VIP
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy LOAD-BALANCE-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_SERVICE

interface vlan 200
  ip address 172.21.162.10 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input WEB-TRAFFIC
  no shutdown

interface vlan 201
  ip address 10.10.10.1 255.255.0.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.21.162.1

You can find more information on SSL termination here, and more information on the redirects here.

Hope this helps,

Sean
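The following is an added example, not code from Sean's post or from Cisco: a small Python model of the two ACE behaviours the configuration above relies on (the `webhost-redirection https://%h%p 301` answer from the port-80 VIP, and the `ssl url rewrite location ... sslport 443 clearport 80` rewrite of backend Location headers), together with an audit function that checks a captured port-80 response really is a redirect to https, to a known site FQDN, with the requested path preserved. The `EXPECTED_HOSTS` allow-list, the treatment of the location expression as a regular expression matched against the start of the host name, and every host, path and header value are assumptions or constructed sample data, not taken from the post.

```python
"""Model of the two ACE behaviours in the accepted answer, plus an audit check.

Added example (not ACE code and not from the post): it emulates
  1. 'webhost-redirection https://%h%p 301' on the HTTP VIP, and
  2. 'ssl url rewrite location <expr> sslport 443 clearport 80' applied to
     Location headers of backend 301/302 responses,
so the expected on-the-wire result can be checked before and after deployment.
All hosts, paths and headers below are constructed sample values.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list of FQDNs the site is published under (assumption).
EXPECTED_HOSTS = {"www.example.com"}


def vip_redirect(host: str, path: str, code: int = 301) -> tuple[int, dict]:
    """Emulate the redirect rserver: %h is the Host header the client sent,
    %p the request path including any query string; the scheme becomes https."""
    return code, {"Location": f"https://{host}{path}"}


def rewrite_location(location: str, host_expr: str,
                     sslport: int = 443, clearport: int = 80) -> str:
    """Emulate the Location header rewrite on a backend redirect.

    Assumption of this model: host_expr is a regular expression matched
    against the start of the host name (the post's 'www\\.cisco\\.*' works
    that way here). Only http:// URLs whose host matches and whose port is
    the clear port (explicit or implied) are changed; all others pass through.
    """
    parts = urlsplit(location)
    if parts.scheme != "http" or parts.hostname is None:
        return location
    if not re.match(host_expr, parts.hostname):
        return location
    if (parts.port or 80) != clearport:
        return location
    netloc = parts.hostname if sslport == 443 else f"{parts.hostname}:{sslport}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def check_http_redirect(status: int, headers: dict,
                        req_host: str, req_path: str) -> list[str]:
    """Audit one response from the port-80 VIP. Returns findings; an empty
    list means the redirect is exactly what the design calls for: a 301/302
    to https, to a known site FQDN, preserving the requested path."""
    findings = []
    if status not in (301, 302):
        findings.append(f"expected 301/302, got {status}")
        return findings
    loc = headers.get("Location")
    if loc is None:
        findings.append("redirect without Location header")
        return findings
    parts = urlsplit(loc)
    if parts.scheme != "https":
        findings.append(f"Location scheme is {parts.scheme!r}, not https")
    if parts.hostname not in EXPECTED_HOSTS:
        findings.append(f"Location host {parts.hostname!r} is not a known site FQDN")
    got_path = parts.path + (f"?{parts.query}" if parts.query else "")
    if got_path != req_path:
        findings.append(f"path changed: requested {req_path!r}, redirected to {got_path!r}")
    return findings


if __name__ == "__main__":
    # 1. Client hits the HTTP VIP for a deep link; the ACE answers with a 301.
    status, headers = vip_redirect("www.example.com", "/docs/page.html?lang=en")
    print(status, headers["Location"])
    print("audit:", check_http_redirect(status, headers,
                                        "www.example.com", "/docs/page.html?lang=en"))
    # 2. Backend Apache (clear-text port 80) sends its own redirect; the
    #    rewrite turns it into https before it reaches the client.
    backend = "http://www.cisco.com:80/login"
    print(backend, "->", rewrite_location(backend, r"www\.cisco\.*"))
    # A redirect to a host outside the expression is left untouched.
    other = "http://other.example.net/"
    print(other, "->", rewrite_location(other, r"www\.cisco\.*"))
```

Running the script prints the 301 the HTTP VIP would return, an empty findings list from the audit, and the before/after of a backend Location header. Because `%h` echoes whatever Host header the client supplied, the allow-list check in `check_http_redirect` is the part worth keeping in a post-change test: it confirms the redirect only ever points at FQDNs the site is actually published under, and the path comparison confirms deep links and search-engine results survive the hop to https.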

Replies

Hi Sean,

Thanks for such a detailed answer. Exactly what I was looking for.

Many thanks

Matthew
