03-18-2013 08:40 AM
Hi Everyone,
I have configured SSL offloading and redirection on a 4710 appliance. Everything works fine. The issue I am facing is that some parameters in the URL are getting lost.
I have https://%h/%p configured as a redirect server, which works fine as far as the hostname and path are concerned, i.e. the full hostname and path are preserved, but there are some parameters after the full path, in encrypted format, which are getting lost. I think a 307 redirect can resolve this issue, but ACE does not support that.
Has anyone faced something similar? Any suggestions would be helpful.
Thanks.
Rehan
03-18-2013 09:28 AM
Rehan,
Could you paste the configuration which you are using for this?
Are you using an HTTP parameter for this?
Please upload the #show stats http.
Jorge
03-18-2013 04:57 PM
Hi Rehan,
Are those parameters part of the URL or part of the HTTP headers?
---------------------
Cesar R
ANS Team
03-19-2013 01:00 AM
Hi,
See the snippet of the config:
parameter-map type ssl SSL-MAP
  session-cache timeout 600
parameter-map type http HTTP-MAP
  persistence-rebalance
rserver host E-SERVER01
  ip address X.X.X.Y
  inservice
rserver host E-SERVER02
  ip address X.X.X.Z
  inservice
rserver redirect E-SERVICE
  webhost-redirection https://%h/%p 302
  inservice
serverfarm host E-SERVERS
  rserver E-SERVER01 80
    inservice
  rserver E-SERVER02 80
    inservice
serverfarm redirect SF-RE-DIRECT
  rserver E-SERVICE
    inservice
class-map match-any E-WEB-HTTP
  2 match virtual-address X.X.X.15 tcp eq www
class-map match-any E-WEB-HTTPS
  3 match virtual-address X.X.X.15 tcp eq https
sticky ip-netmask 255.255.255.255 address source WEB-STICKY
  replicate sticky
  serverfarm E-SERVERS
policy-map type loadbalance first-match PM-E-WEB
  class class-default
    sticky-serverfarm WEB-STICKY
    insert-http ClientProtocol header-value "https"
policy-map type loadbalance first-match PM-REDIRECT
  class class-default
    serverfarm SF-RE-DIRECT
policy-map multi-match SLB-POLICY
  class E-WEB-HTTPS
    loadbalance vip inservice
    loadbalance policy PM-E-WEB
    loadbalance vip icmp-reply
    appl-parameter http advanced-options HTTP-MAP
    ssl-proxy server SSL-MAP
  class E-WEB-HTTP
    loadbalance vip inservice
    loadbalance policy PM-REDIRECT
    loadbalance vip icmp-reply
    appl-parameter http advanced-options HTTP-MAP
@Jorge: The device has many policies and has been running for a few years, therefore the show stats http command will not be of much help, as we may see other traffic statistics/errors. If you're looking for max parse len errors, then that's not happening. The URL length is not that long. Let me know if there is anything specific you want me to check.
@Cesar: I will check, but as per the information I have, there are some parameters after the complete path "/" which are a hash value of an authentication request. Basically, what is happening is that when the user goes to the page, the user needs to enter credentials. Once the user clicks submit, the page just reloads instead of going to the requested URL.
Thanks for your support,
Rehan
03-20-2013 07:22 AM
Hi Rehan,
You must use the action-list type modify command to achieve the desired result.
action-list type modify http Rewrite_Redirects
  ssl url rewrite location ".*"
policy-map type loadbalance first-match bsm-ssl-back
  class class-default
    serverfarm
    action Rewrite_Redirects
This should work if the VIPs are accessible via HTTPS.
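
Added example (not part of the thread and not Cisco code): a Python script that audits a captured request/redirect pair for the two losses discussed above, a query string missing from the Location header and a POST that clients replay as a body-less GET after a 302, which a 307 would preserve. The hostname, parameter names and captured messages are constructed.

```python
from urllib.parse import urlsplit

# After 301/302 clients commonly replay a POST as GET; 303 requires it.
# 307/308 keep the original method and body.
METHOD_REWRITING = {301, 302, 303}

def _headers(lines):
    pairs = (l.split(":", 1) for l in lines if ":" in l)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def parse_request(raw, scheme="http"):
    """Return (method, absolute URL, body) from a raw HTTP/1.1 request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    host = _headers(lines[1:])["host"]
    return method.upper(), f"{scheme}://{host}{target}", body

def parse_response(raw):
    """Return (status code, Location header) from a raw HTTP/1.1 response."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    return status, _headers(lines[1:]).get("location", "")

def audit_redirect(raw_request, raw_response):
    """List what the client loses by following this redirect."""
    method, url, body = parse_request(raw_request)
    status, location = parse_response(raw_response)
    req, loc = urlsplit(url), urlsplit(location)
    findings = []
    if req.hostname != loc.hostname:
        findings.append("host changed")
    if req.path != loc.path:
        findings.append("path changed")
    if req.query and req.query != loc.query:
        findings.append("query string not carried into Location")
    if method != "GET" and status in METHOD_REWRITING:
        findings.append("method likely rewritten to GET by the client")
        if body:
            findings.append("request body dropped")
    return findings

# Constructed capture: a login form POST hitting the port-80 redirect VIP.
SAMPLE_REQUEST = ("POST /login/submit?auth=3f9a HTTP/1.1\r\n"
                  "Host: portal.example.test\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  "user=demo&pass=demo")
SAMPLE_302 = ("HTTP/1.1 302 Found\r\n"
              "Location: https://portal.example.test/login/submit\r\n\r\n")

if __name__ == "__main__":
    for finding in audit_redirect(SAMPLE_REQUEST, SAMPLE_302):
        print(finding)
```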