topic Re: ACE SSL url rewrite issue in Application Networking

ACE SSL url rewrite issue

lukaszkhalil — Thu, 07 May 2009 17:41:36 GMT

Hello

I've tried to configure the SSL url rewrite function in the ACE module.

I found in the config guide that it should only works when the location field in the HTTP redirect header matches the entry in the action-list type modify http.

What I found strange is that the ssl URL rewrite works even if I put any value in the action-list.

Does anybody know how it should really works ?

Thanks in advance

Regards

Lucas

Re: ACE SSL url rewrite issue

Gilles Dufour — Fri, 08 May 2009 07:34:23 GMT

switch/Admin(config-actlist-modify)# ssl url rewrite location ?

Enter URL expression for rewrite (Max Size - 255)

This command will tell ACE to inspect the server response, intercept 30x redirect message, then match the location field based on the regular expression, and if there is a match, replace http:// with https://

Re: ACE SSL url rewrite issue

lukaszkhalil — Fri, 08 May 2009 09:14:04 GMT

That what I found in the config guide, but I also found out that the reg exp does not need to match the value in the location field. Whatever I put in the URL expression let me replace HTTP with HTTPS.

Re: ACE SSL url rewrite issue

yves.haemmerli — Wed, 20 May 2009 13:19:22 GMT

Hi,

What ACE module software version do you have ? I have version A2(1.2) and I am experiencing exactly the opposite situation : The URL rewrite does not work at all. I tried several regular expressions, but without any success.

The only difference I have compared to the user guide is that the location header sent by the server is an IP address and not a DNS name...

In the config heareafter, I try to match everything in the location field, so any redirect 30x will be rewritten to https. But it does not work. More specific expression like 10\.56\.5\23 does not work either.

action-list type modify http SSL_REWRITE_CWI

ssl url rewrite location ".*"

policy-map type loadbalance http first-match L7_POLICY_CWI_SSL

class class-default

sticky-serverfarm CWI_STICKY

action SSL_REWRITE_CWI

insert-http Source-IP header-value "%is"

Did you reveive an answer for your problem ?

Thanks,

Yves

Re: ACE SSL url rewrite issue

Gilles Dufour — Wed, 20 May 2009 14:27:23 GMT

Yves,

make sure your server location header name is exactly "Location" (uppercase L and all other letters lower case).

Anything else will not work.

Gilles.

Re: ACE SSL url rewrite issue

yves.haemmerli — Wed, 20 May 2009 15:08:58 GMT

Hi Gilles,

Yes, I have seen a post on this topic and I confirm that le Location header in the redirection message from the server is correctly spelled.

I attach a picture from HTTPWatch on which you can see the 301 redirection (generating an error), followed by a GET in clear text, followed by a 302 redirection, which is my general http to https redirection configuration.

Note that I use a wildcard ".*" as URL matching criteria.

Here is my complete config for this service:

probe tcp CWI_PROBE

interval 5

passdetect interval 5

passdetect count 2

action-list type modify http SSL_REWRITE_CWI

ssl url rewrite location ".*"

rserver redirect CWI_SSL_REDIRECT

description *** Redirects http to https ***

webhost-redirection https://%h/%p 302

inservice

rserver host HQCHVMWI01

description *** Citrix Web Interface Server ***

ip address 10.56.5.216

inservice

rserver host HQCHVMWI02

description *** Citrix Web Interface Server ***

ip address 10.56.5.217

inservice

ssl-proxy service SSL_CWI

key myapps.nespresso.com_key.pem

cert myapps.nespresso.com_cert.pem

serverfarm host CWI_FARM_PROD

description *** Citrix Web Access Server farm ***

probe CWI_PROBE

rserver HQCHVMWI01 80

inservice

rserver HQCHVMWI02 80

inservice

serverfarm redirect CWI_REDIRECT_FARM

rserver CWI_SSL_REDIRECT

inservice

sticky http-cookie STICKED-TO CWI_STICKY

cookie insert browser-expire

timeout 240

replicate sticky

serverfarm CWI_FARM_PROD

class-map match-all L4_CLASS_CWI_HTTP

description *** Citrix Web INterface on port 80 ***

2 match virtual-address 10.56.5.23 tcp eq www

class-map match-all L4_CLASS_CWI_HTTPS

description *** Citrix Web Interface on port 443 ***

2 match virtual-address 10.56.5.23 tcp eq https

class-map type http loadbalance match-any L7_CLASS_CWI

2 match http url /.*

policy-map type loadbalance http first-match L7_POLICY_CWI

class L7_CLASS_CWI

serverfarm CWI_REDIRECT_FARM

policy-map type loadbalance http first-match L7_POLICY_CWI_SSL

class class-default

sticky-serverfarm CWI_STICKY

insert-http Source-IP header-value "%is"

policy-map multi-match VIP_PROD

class L4_CLASS_CWI_HTTPS

loadbalance vip inservice

loadbalance policy L7_POLICY_CWI_SSL

loadbalance vip icmp-reply active

nat dynamic 3 vlan 300

ssl-proxy server SSL_CWI

class L4_CLASS_CWI_HTTP

loadbalance vip inservice

loadbalance policy L7_POLICY_CWI

loadbalance vip icmp-reply active

interface vlan 300

description *** ACE Production Interface ***

nat-pool 3 10.56.5.24 10.56.5.24 netmask 255.255.255.255 pat

I can see that the rewrite counter dos not increment.

I have version A2(1.2) and did not found any referenced bug on this version, except the spelling .

Thank you for any help

Yves

Re: ACE SSL url rewrite issue

yves.haemmerli — Wed, 20 May 2009 15:13:26 GMT

Gilles,

A cut and past mistake in my previous append : The action-list IS applied on the L7 Policy-map ....

Here again my config :

probe tcp CWI_PROBE

interval 5

passdetect interval 5

passdetect count 2

action-list type modify http SSL_REWRITE_CWI

ssl url rewrite location ".*"

rserver redirect CWI_SSL_REDIRECT

description *** Redirects http to https ***

webhost-redirection https://%h/%p 302

inservice

rserver host HQCHVMWI01

description *** Citrix Web Interface Server ***

ip address 10.56.5.216

inservice

rserver host HQCHVMWI02

description *** Citrix Web Interface Server ***

ip address 10.56.5.217

inservice

ssl-proxy service SSL_CWI

key myapps.nespresso.com_key.pem

cert myapps.nespresso.com_cert.pem

serverfarm host CWI_FARM_PROD

description *** Citrix Web Access Server farm ***

probe CWI_PROBE

rserver HQCHVMWI01 80

inservice

rserver HQCHVMWI02 80

inservice

serverfarm redirect CWI_REDIRECT_FARM

rserver CWI_SSL_REDIRECT

inservice

sticky http-cookie STICKED-TO CWI_STICKY

cookie insert browser-expire

timeout 240

replicate sticky

serverfarm CWI_FARM_PROD

class-map match-all L4_CLASS_CWI_HTTP

description *** Citrix Web INterface on port 80 ***

2 match virtual-address 10.56.5.23 tcp eq www

class-map match-all L4_CLASS_CWI_HTTPS

description *** Citrix Web Interface on port 443 ***

2 match virtual-address 10.56.5.23 tcp eq https

class-map type http loadbalance match-any L7_CLASS_CWI

2 match http url /.*

policy-map type loadbalance http first-match L7_POLICY_CWI

class L7_CLASS_CWI

serverfarm CWI_REDIRECT_FARM

policy-map type loadbalance http first-match L7_POLICY_CWI_SSL

class class-default

sticky-serverfarm CWI_STICKY

action SSL_REWRITE_CWI

insert-http Source-IP header-value "%is"

policy-map multi-match VIP_PROD

class L4_CLASS_CWI_HTTPS

loadbalance vip inservice

loadbalance policy L7_POLICY_CWI_SSL

loadbalance vip icmp-reply active

nat dynamic 3 vlan 300

ssl-proxy server SSL_CWI

class L4_CLASS_CWI_HTTP

loadbalance vip inservice

loadbalance policy L7_POLICY_CWI

loadbalance vip icmp-reply active

interface vlan 300

description *** ACE Production Interface ***

nat-pool 3 10.56.5.24 10.56.5.24 netmask 255.255.255.255 pat

Re: ACE SSL url rewrite issue

yves.haemmerli — Thu, 21 May 2009 07:26:26 GMT

Hi Gilles,

May I ask you if you found something wrong in my SSL Rewrite configuration above ? I tested with other match criterias, but it definitely does not work. I also did not found any related bug in the bug toolkit (except the one withe the header spelling).

Would it be maybe possible that SSL rewrite is incompatible with source-ip insert ?

policy-map type loadbalance http first-match L7_POLICY_CWI_SSL

class class-default

sticky-serverfarm CWI_STICKY

action SSL_REWRITE_CWI

insert-http Source-IP header-value "%is"

Thank you for your help

Yves

Re: ACE SSL url rewrite issue

sachinga.hcl — Thu, 21 May 2009 12:05:59 GMT

Hi Yves,

Kindly send me the output of the following command:

host1/Admin# show parameter-map OPTIMIZE_PARAM_MAP

Kindly see the following url for my other postings:

http://boardreader.com/fp/Cisco_Systems_Networking_Profe_309110/Application_Networking_543840.html#hot_threads

Kindly refer following example:

Configure ACE with SSL Termination and URL Rewrite

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml

Kind regards

Sachinga.hcl

Re: ACE SSL url rewrite issue

sachinga.hcl — Thu, 21 May 2009 12:09:31 GMT

for action list kindly see

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/actnlist.html

for list of all parameters kindly find below url:

http://www.ciscosystems.or.at/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/app_acceleration_and_optimization/guide/Intro.html

Configure ACE with Source NAT and Client IP Header Insert

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml

Re: ACE SSL url rewrite issue

Gilles Dufour — Thu, 21 May 2009 14:20:42 GMT

Yves,

everything looks good.

Can you try without the insert header ?

I'll give it a try myself if I find some time tomorrow.

Re: ACE SSL url rewrite issue

yves.haemmerli — Thu, 21 May 2009 14:38:36 GMT

Gilles,

Yes, I will ask the customer to make the test tomorrow and let you know on the result. If by chance you can do the test also its great.

Thank you for help

Yves

Re: ACE SSL url rewrite issue

yves.haemmerli — Wed, 27 May 2009 05:34:11 GMT

Gilles,

We tested the SSL rewrite by removing the source-ip insert, but the problem remain the same.

BUT, we discovered a strange thing : With Firefox, it works, the ACE correctly changes the Location tag from http to https and the rewrite counter increments. But with Microsoft IE, it does not...

This sounds strange because the URL rewrite occurs on the server response, not on the browser request..

I plan to trace the packet coming in and going out of the ACE to see what the problem could be.

Do you have any idea on this ?

Thank you

Yves

Re: ACE SSL url rewrite issue

Gilles Dufour — Wed, 27 May 2009 06:48:59 GMT

Yves,

very weird.

But IE is known to do strange stuff.

If could capture a trace and check with Wireshark and the server private key (to decode the https traffic) what is the response from ACE that would help.

Everything looks good in my lab.

Re: ACE SSL url rewrite issue

yves.haemmerli — Thu, 04 Jun 2009 12:10:26 GMT

Hi Gilles,

After several traces and analysis, I found the problem of the SSL rewrite not working with IE

With Firefox, each GET request establishes a new SSL session and therefore the ACE starts a new load balancing evaluation. In this case, SSL rewrite works well. With IE however, several GET requests are sent in the same TCP session (actually a best method). But in this case, we HAVE TO enable persistence-rebalance to force the ACE to re-evaluate each request for load balancing, else, the SSL rewrite does not work. As I use sticky with a cookie, this does not caus a problem.

So, I added added the following configuration and everythings work fine now :

parameter-map type http CWI_HTTP_PARAM

persistence-rebalance

policy-map multi-match VIP_PROD

class L4_CLASS_CWI_HTTPS

loadbalance vip inservice

loadbalance policy L7_POLICY_CWI_SSL

loadbalance vip icmp-reply active

nat dynamic 3 vlan 300

appl-parameter http advanced-options CWI_HTTP_PARAM

ssl-proxy server SSL_CWI

Yves