cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1474
Views
0
Helpful
4
Replies
derek wilson
Beginner

ACE 30 redirect question

Hi

I have a ACE 30 with a VIP listening on 443 the passing traffic out to the rservers also on 443 - no ssl offload.

Is it possible to have a redirect for clients coming in on http to redirect to https?

Any config examples would be handy.

thanks

4 REPLIES 4
Jorge Bejarano
Enthusiast

Derek, maybe you can check this link: https://supportforums.cisco.com/document/12439761/cisco-ace-http-https-redirection-ssl-termination

Hope this helps!

Jorge

Don´t forget to rate the answer.

Ahmed Sabanaa
Beginner

hi dear ,
have you got answer about the above question , since i have the same query ?

Hi,

 

you can try this configuration

 

rserver redirect rserver-redir_HTTPtoHTTPS
  webhost-redirection https://%h/%p 301
  inservice

serverfarm redirect sfarm-redirect_HTTPtoHTTPS
  rserver rserver-redir_HTTPtoHTTPS
    inservice

class-map match-any cmap-vip_HTTPtoHTTPS
  2 match virtual-address 192.168.10.10 tcp eq www


policy-map type loadbalance first-match pmap-lb_HTTPtoHTTPS
  class class-default
    serverfarm sfarm-redirect_HTTPtoHTTPS
policy-map multi-match pmap_whatever
  class cmap-vip_HTTPtoHTTPS
    loadbalance vip inservice
    loadbalance policy pmap-lb_HTTPtoHTTPS

sbhadrav@cisco.com
Contributor

I will give you for one rserver, one serverfarm, one class map. You please do that same for rest of them. Test one first and replicate to others.

rserver redirect QA-group_1_redirect_rserver

  webhost-redirection

https://10.37.5.93/  302

  inservice

This is the redirect server.

rserver host QA-1.1

  ip address 10.37.5.111

  inservice

rserver host QA-1.2

  ip address 10.37.5.88

  inservice

Normal servers to which the traffic would be loadbalanced.

serverfarm redirect SF_QA-group_1_REDIRECT

  rserver QA-group_1_redirect_rserver

    inservice

This is redirect serverfarm

serverfarm host SF_QA-group_1_HTTPS

  failaction reassign

  predictor leastconns

  rserver QA-1.1 443

    inservice

  rserver QA-1.2 443

    inservice

Normal serverfarm with two rservers in it to which we will loadbalance the traffic.

class-map match-all QA-group_1_HTTP

  3 match virtual-address 10.37.5.93 tcp eq www

The class-map is condition for redirection. If user comes on 10.37.5.93 on 80.

class-map match-all QA-group_1_HTTPS

  3 match virtual-address 10.37.5.93 tcp eq https

Condition for user coming on port 443

policy-map type loadbalance first-match QA-group_1_REDIRECT

  class class-default

    serverfarm SF_QA-group_1_REDIRECT

This is a policy or action which ACE will take after the condition matches which is to redirect.

policy-map type loadbalance first-match QA_GROUP1_HTPPS

  class class-default

    serverfarm SF_QA-group_1_HTTPS

This is for HTTPS

policy-map multi-match SERVICE_VIPS
  class QA-group_1_HTTP
    loadbalance vip inservice
    loadbalance policy QA-group_1_REDIRECT
    loadbalance vip icmp-reply
  class QA-group_1_HTTPS
    loadbalance vip inservice
    loadbalance policy QA_GROUP1_HTPPS
    loadbalance vip icmp-reply

Same action is applied to the policy. If it matches class QA-group_1_HTTP, redirect it, since redirect policy is applied and if it matches class QA-group_1_HTTPS, loadbalance the traffic since LB policy is applied.