topic Re: ACE-What is the difference between these two redirects? in Application Networking

ACE-What is the difference between these two redirects?

nygenxny123 — Fri, 26 Feb 2010 01:02:04 GMT

My question-

Why the need for both the class-map on WWW and HTTPS on the same vip below?

Wouldnt the ACE see the incoming port 80 request and redirect it to 443 back to the

client browser with the action-list modify statement in the config and the action url rewrite in the policy statement

of the WEB-POLICY?

Yet is see a redirect statement going to https://%h/%p under the redir serverfarm

does this make sense?

action-list type modify http urlrewrite
ssl url rewrite location "*"

class-map match-all WEB-VIP
2 match virtual-address 172.20.100.104 tcp eq https

class-map match-all WEB-redir
2 match virtual-address 172.20.100.104 tcp eq www

policy-map type loadbalance first-match WEB-POLICY
class class-default
sticky-serverfarm WEB_cookie
action urlrewrite

policy-map type loadbalance first-match WEB-redir
class class-default
serverfarm WEB-redir

class WEB-VIP
loadbalance vip inservice
loadbalance policy WEB-POLICY
loadbalance vip icmp-reply
ssl-proxy server WEB-SSL-PROXY
class WEB-redir
loadbalance vip inservice
loadbalance policy WEB-redir

rserver redirect WEB-redir
webhost-redirection https://%h/%p
inservice

serverfarm redirect WEB-redir
rserver WEB-redir
inservice

Re: ACE-What is the difference between these two redirects?

jason.espino — Fri, 26 Feb 2010 05:09:39 GMT

Hello,

With the configuration you have posted there is a need for both class-maps, action-list, and redirection.

The way this configuration will work is any client attempting to establish an HTTP connection the ACE will preserve the URL, but redirect them to the HTTPS equivalent. ex: http://www.domain.com/admin -----> https://www.domain.com/admin

This configuration would be used for the inbound HTTP connections:

rserver redirect WEB-redir
webhost-redirection https://%h/%p
inservice

serverfarm redirect WEB-redir

rserver WEB-redir

inservice

class-map match-all WEB-VIP
2 match virtual-address 172.20.100.104 tcp eq https

policy-map type loadbalance first-match WEB-redir
class class-default
serverfarm WEB-redir

class WEB-redir
loadbalance vip inservice
loadbalance policy WEB-redir

Once the client's connection is redirected to HTTPS, their connection will use this part of the configuration:

action-list type modify http urlrewrite
ssl url rewrite location "*"

class-map match-all WEB-VIP
2 match virtual-address 172.20.100.104 tcp eq https

policy-map type loadbalance first-match WEB-POLICY
class class-default
sticky-serverfarm WEB_cookie
action urlrewrite

class WEB-VIP
loadbalance vip inservice
loadbalance policy WEB-POLICY
loadbalance vip icmp-reply
ssl-proxy server WEB-SSL-PROXY

The action-list will come into play the moment the web server delivering content for the client attempts to send the client's connection BACK to an HTTP URL. The ACE will re-write the location URL from HTTP to HTTPS to allow the client's connection to stay on an HTTPS page.

Regards,

Jason

Re: ACE-What is the difference between these two redirects?

nygenxny123 — Sat, 27 Feb 2010 06:40:28 GMT

Thx for the explanation-

correct me if im wrong

so if the outside user is coming in on http-the rserver redirect will come into play when the ACE makes it go https:---per my config-

now the url redirect is into play coming in from the server......if the server for some reason sends url info http-the ACE will rewrite it as https-

Now ..is it best practice to have both these configs to make sure that all data is always https?

why would you have one without the other?

I can only imagine you wouldnt have the rserver redirect https%h%p if you were not allowing anything coming in on port 80-

since all inbound traffic would be 443?

however even if you only had 443 open........u would still use the url rewrite because the backend serve may send something back clear text?

am i right in my conclusion?

Re: ACE-What is the difference between these two redirects?

jason.espino — Mon, 01 Mar 2010 05:14:36 GMT

Hello,

Your understanding of how the configuration works is correct.

To answer your questions:

"Now ..is it best practice to have both these configs to make sure that all data is always https?"

I would say so, as the redirect will ALWAYS send the client to an HTTPS site, and the url rewrite will ensure the connection stays on HTTPS.

"why would you have one without the other?"

This question I can not answer. I'm not sure if the person who owns the site/domain wanted the clients connection to be HTTPS only for security reasons, application reasons, or just personal preference.

"I can only imagine you wouldnt have the rserver redirect https%h%p if you were not allowing anything coming in on port 80-

since all inbound traffic would be 443?"

Even if there was no HTTP content being served the rserver redirects pupose would ensure the client's connection is redirected to an HTTPS URL that can be processed by the web servers, rather then have the client's connection simply time out on the browser if there was no redirect or port 80 configuration in place.

"however even if you only had 443 open........u would still use the url rewrite because the backend serve may send something back clear text?"

That is a possiblity. The url rewrite would simply ensure the clients connection remains on HTTPS.

Regards,

Jason

Re: ACE-What is the difference between these two redirects?

nygenxny123 — Tue, 02 Mar 2010 15:50:55 GMT

thanks for the explanation