02-25-2010 02:33 AM
Hi,
I have an ACE fronting a two Apache webserver serverfarm and performing SSL termination for the website served by the serverfarm. The entire website needs to be secure, i.e. every page needs to be https as opposed to just sub-sections or specific URLs that need to be https.
For accessibility purposes I'd like to allow inbound port 80 for the sole purpose of re-writing/re-directing the request to https, i.e. so that the page is accessible without a user having to specify the https:// prefix in a browser address bar and likewise results from search engines working (which I believe don't include the http/https prefix).
Typically we use the ACE just for load-balancing and SSL termination with web logic style functionality (re-writes/re-directs) performed by the http server tier below (mainly because of the distinction between the skills of the support teams involved - Networks vs Applications). The web app team that looks after the Apache servers has suggested having each server listening on two ports and having the ACE forward native http traffic to the Apache(s) on one port and https traffic that is terminated by the ACE and then forwarded on as http on another. The instance of Apache that plain (non-SSL terminated) http traffic is sent to could then just have a rule to forward everything to https (so a user couldn't even deliberately try and remove the 's' from https in the address bar).
My question is whether the ACE can do the same thing negating the need for the added Apache complexity?
Can the ACE simply send a re-direction back to the user every time the http VIP is hit just changing the URL requested to https so it doesn't even have to hit the Apache server?
thanks in advance for any advice
regards
Matthew
02-25-2010 05:23 AM
Hi Matthew,
Yes, the ACE can do what you are looking for, and I totally agree that it would reduce a lot of added complexity from the servers. Below is an example of HTTP-to-HTTPS Redirect w/SSL Termination & HTTP-to-HTTPS Header Re-write. The header re-write is cool since the backend servers are listening on port 80 (or some clear-text port), if they send a redirect for some reason, the ACE will even re-write the Location header of the 301 or 302 redirect to use HTTPS.
With the example config below, clients that connect to the VIP on port 80 (HTTP) will be redirected to the same FQDN and path using port 443 (HTTPS). Clients will then open an HTTPS session to the ACE where the SSL session will be terminated and load balanced to the real servers in clear-text on port 80 (HTTP). The HTTP-to-HTTPS redirect in this example is a 301 redirect (permanent). The 301 can be either removed or changed to 302 to revert to the default of a temporary redirect.
If your ACE is running A2 software or higher for the module, or A3 software or higher for the 4700 appliance, then you can also include the necessary configuration for HTTP-to-HTTPS redirect location header re-write.
HTTP-to-HTTPS Redirect Configuration
SSL Termination Configuration
HTTP-to-HTTPS Redirect Location Header Re-Write
Example Config
access-list ANYONE line 10 extended permit ip any any
probe http HTTP-KEEPALIVE
  interval 5
  faildetect 3
  passdetect interval 5
  passdetect count 2
  request method get url /keepalive.html
  expect status 200 200
rserver redirect REDIRECT-TO-HTTPS
  webhost-redirection https://%h%p 301
  inservice
rserver host SERVER_01
  ip address 10.10.10.20
  inservice
rserver host SERVER_02
  ip address 10.10.10.21
  inservice
action-list type modify http REWRITE
  ssl url rewrite location www\.cisco\.* sslport 443 clearport 80
serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-TO-HTTPS
    inservice
serverfarm host REAL_SERVERS
  probe HTTP-KEEPALIVE
  rserver SERVER_01 80
    inservice
  rserver SERVER_02 80
    inservice
ssl-proxy service SSL_SERVICE
  key mykey.pem
  cert mycert.pem
class-map match-all HTTP-VIP
  2 match virtual-address 172.21.162.178 tcp eq http
class-map match-all HTTPS-VIP
  2 match virtual-address 172.21.162.178 tcp eq https
class-map type management match-any MANAGEMENT
  2 match protocol icmp any
  3 match protocol telnet any
policy-map type management first-match REMOTE_MGT
  class MANAGEMENT
    permit
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match LOAD-BALANCE-PM
  class class-default
    serverfarm REAL_SERVERS
    action REWRITE
policy-map multi-match WEB-TRAFFIC
  class HTTP-VIP
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy LOAD-BALANCE-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_SERVICE
interface vlan 200
  ip address 172.21.162.10 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input WEB-TRAFFIC
  no shutdown
interface vlan 201
  ip address 10.10.10.1 255.255.0.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.21.162.1
You can find more information on SSL termination here, and more information on the redirects here.
Hope this helps,
Sean
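To make the two ACE mechanisms in the answer above concrete, here is an added Python model of what they do to traffic; it is example code written for this thread, not part of Sean's post and not Cisco ACE software. The first function models `webhost-redirection https://%h%p 301` (respond to any request on the port-80 VIP with a 301 whose Location is built from the Host header and the request path, so the client never reaches Apache over clear text), the second models `ssl url rewrite location <regex> sslport 443 clearport 80` (rewrite an `http://` Location header emitted by a clear-text backend into `https://` when the host matches the regex), and the third is the check a defender would run to confirm the redirect preserved host, path and query. Assumptions: `%p` is modelled as the full request-target including the query string, the host regex is evaluated with Python's `re.match` semantics, and the host names and request are constructed samples.

```python
import re
from typing import Dict, Tuple

# Constructed sample request as a browser would send it to the port-80 VIP
# (not a real capture).
SAMPLE_HTTP_REQUEST = (
    "GET /products/index.html?id=42 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: sample-client\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, request-target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def redirect_to_https(raw_request: str, status: int = 301) -> Tuple[int, str]:
    """Model of 'webhost-redirection https://%h%p 301'.

    %h is taken from the Host header, %p from the request-target (assumption:
    %p carries path plus query). Returns (status, Location) for the response.
    """
    _method, target, headers = parse_request(raw_request)
    host = headers.get("host")
    if host is None:
        # HTTP/1.1 requires Host; without it %h cannot be filled in.
        raise ValueError("request has no Host header; cannot build %h")
    # A client that sent 'Host: name:80' must not end up at https://name:80/.
    if host.endswith(":80"):
        host = host[:-3]
    return status, f"https://{host}{target}"


def rewrite_location(location: str, host_regex: str,
                     sslport: int = 443, clearport: int = 80) -> str:
    """Model of 'ssl url rewrite location <regex> sslport N clearport M'.

    An http:// Location whose host matches host_regex and whose port is the
    clear-text port (explicit or implied) is rewritten to https:// on sslport;
    the port suffix is omitted when sslport is 443. Anything else is untouched.
    """
    m = re.match(r"^http://([^/:]+)(?::(\d+))?(.*)$", location, re.IGNORECASE)
    if not m:
        return location
    host, port, rest = m.group(1), m.group(2), m.group(3)
    if not re.match(host_regex, host, re.IGNORECASE):
        return location
    if port is not None and int(port) != clearport:
        return location
    port_part = "" if sslport == 443 else f":{sslport}"
    return f"https://{host}{port_part}{rest}"


def redirect_is_sound(raw_request: str, status: int, location: str) -> bool:
    """Defender's check: the redirect must be 301/302, go to https, keep the
    original host, and keep the original path and query (a lost query string
    is the usual sign of a redirect template that forgot %p)."""
    _method, target, headers = parse_request(raw_request)
    expected_host = headers.get("host", "").removesuffix(":80")
    return (status in (301, 302)
            and location.startswith("https://")
            and location == f"https://{expected_host}{target}")


if __name__ == "__main__":
    st, loc = redirect_to_https(SAMPLE_HTTP_REQUEST)
    print(st, loc, redirect_is_sound(SAMPLE_HTTP_REQUEST, st, loc))
    print(rewrite_location("http://www.cisco.com:80/login", r"www\.cisco\.*"))
```

Running the block prints the 301 Location for the sample request and the rewritten backend Location; the regex argument is the one from the example config, and `rewrite_location` leaves Locations for other hosts or other clear-text ports alone, which is the behaviour you want to confirm before trusting the rewrite rule on a multi-site VIP.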
02-25-2010 09:02 AM
Hi Sean,
Thanks for such a detailed answer. Exactly what I was looking for.
Many thanks
Matthew