HTTP redirect issue

shday — Tue, 22 Mar 2011 14:03:45 GMT

I have a vip for url http://www.camko.com/honor/services.svc, but I need to redirect all other requests to http://www.camko.com to https. So anything coming to http://www.camko.com would be redirected to https://www.camko.com, but to allow http://www.camko.com/honor/services.svc to go to my pair of web servers. I am also terminating ssl for this policy. I am unable to get the http://www.camko.com/honor/services.svc to work correctly. I see the initial login to https://www.camko.com and I see a services request to /honor/services.svc and it looks like its clear text, but in my trace I see the origin: as https://www.camko.com. I'm wondering if the services call can be redirected since they are already logged in with https://www.camko.com?

This is what I tried.

class-map match-any camko-clmp
2 match virtual-address 10.10.20.42 tcp eq https
class-map match-any camko-port80
2 match virtual-address 10.10.20.42 tcp eq www
class-map type http loadbalance match-any camko/honor
2 match http url .*catsupport -- anything with catsupport do not redirect
3 match http url .*honor -- anything with honor do not redirect

policy-map type loadbalance first-match camko
class class-default
    serverfarm camko
policy-map type loadbalance first-match camko-redirect
class class-default
    serverfarm camko-redirect
policy-map type loadbalance first-match camko-443
class class-default
    serverfarm camko

policy-map multi-match camko-mmplm
class camko-clmp
    loadbalance vip inservice
    loadbalance policy camko-443 -- this is where the initail login to the app takes place
    loadbalance vip icmp-reply active
    ssl-proxy server lss-ssl-proxy
policy-map multi-match camko-port80
class camko/honor
    loadbalance vip inservice
    loadbalance policy camko -- should allow port 80 to anything with /catsupport or /honor
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options ignore-case
class camko-port80
    loadbalance vip inservice
    loadbalance policy camko-redirect -- redirect any other port 80 requests
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options ignore-case

Re: HTTP redirect issue

stmccabe — Tue, 22 Mar 2011 16:30:42 GMT

The traditional redirect will not give you the granularity you are looking for, however you can leverage http header rewrites in conjuction with the redirect to do "conditional" redirects.

I might be wrong, but I don't think a redirect is what you are looking for.. It sounds like the client is initially logging in via the ssl url then getting a redirect (from server) to http, which causes the client to "step outside" of the ssl channel and build a new session. More than likely the server is setting the location header to 'http://www.camko.com/honor/services.svc'.. What must do is keep the client connection over the ssl session buy doing an ssl rewrite. This way the web server's response is rewritten from http://www.camko.com/honor/services.svc to https://www.camko.com/honor/services.svc.

Example:

1) First add an action list:

action-list type modify http REWRITE-Location
ssl url rewrite location "www\.camko\.com"

2) policy-map type loadbalance first-match camko-443
!

class class-default

action REWRITE-Location <---- add under your HTTPS policy
serverfarm camko

3) You can then remove:

policy-map type loadbalance first-match camko
class class-default
serverfarm camko
policy-map type loadbalance first-match camko-redirect
class class-default
serverfarm camko-redirect

topic Re: HTTP redirect issue in Application Networking

HTTP redirect issue

Re: HTTP redirect issue