06-22-2012 03:56 AM
I am trying to make a redirect from http to https. The goal is that whenever a user writes in http://10.80.199.71 it should be redirected to https://10.80.199.71
I am just having some trouble making it work. :S
I have attached the settings I have made. It would be nice if someone could tell me what I am doing wrong here.
Thanks.
06-22-2012 01:45 PM
Hi,
Just modified your config a little. Let me know if it works for you.
---------------------------------------------------------------------------------------------
access-list Servers line 1 extended permit tcp any any eq https
access-list Servers line 5 extended permit tcp any any eq www
access-list Servers line 6 extended permit ip any any
access-list Servers line 7 extended permit icmp any any
rserver host Sharepoint_2010_SRV1
  description Sharepoint 2010
  ip address 10.80.6.96
  conn-limit max 4000000 min 4000000
  probe ACE_TCP
  inservice
rserver host Sharepoint_2010_SRV2
  description Sharepoint 2010
  ip address 10.80.6.114
  conn-limit max 4000000 min 4000000
  probe ACE_TCP
  inservice
rserver redirect Sharepoint_HTTPS_Redirect
  webhost-redirection https://%h%p 302
  inservice
serverfarm redirect SharePoint_HTTPS_SFarm
  rserver Sharepoint_HTTPS_Redirect
    inservice
serverfarm host Sharepoint_2010_Serverfarm
  description Sharepoint_2010
  rserver Sharepoint_2010_SRV1
    inservice
  rserver Sharepoint_2010_SRV2
    inservice
class-map match-all Sharepoint_2010_VIP_HTTP
  description Match HTTP
  2 match virtual-address 10.80.199.71 tcp eq www
class-map match-all Sharepoint_2010_VIP_HTTPS
  description Match HTTPS
  2 match virtual-address 10.80.199.71 tcp eq https
policy-map type loadbalance first-match Sharepoint_HTTP
  class class-default
    serverfarm SharePoint_HTTPS_SFarm
policy-map type loadbalance first-match Sharepoint_HTTPS
  class class-default
    serverfarm Sharepoint_2010_Serverfarm
policy-map multi-match int815
  class Sharepoint_2010_VIP_HTTP
    loadbalance vip inservice
    loadbalance policy Sharepoint_HTTP
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 801
  class Sharepoint_2010_VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy Sharepoint_HTTPS
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 801
06-22-2012 08:37 AM
Hello
This condition won't match anything:
  2 match http header Host header-value "http://10.80.199.71"
because in the Host header you will never see http://; it's the host, so it can be 10.80.199.71.
But in your case I'd do it much simpler (you've already separated requests to port 80 and 443 in the L4 class maps):
policy-map type loadbalance first-match Sharepoint_HTTP
  class class-default
    serverfarm SharePoint_HTTPS_SFarm
So, I don't see why you may need to check HTTP headers at all.
Everything else looks more or less OK (I don't know why you may need NAT on the redirection serverfarm):
policy-map multi-match int815
  class Sharepoint_2010_VIP_HTTP
    loadbalance vip inservice
    loadbalance policy Sharepoint_HTTP
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 801 <------ here
Basically, the request comes to http://10.80.199.71 and gets to the L4 class map
class-map match-all Sharepoint_2010_VIP_HTTP
  description Match HTTP
  2 match virtual-address 10.80.199.71 tcp eq www
because only this class map matches port 80, and then it needs to be redirected, so it goes to the redirection serverfarm.
Your mistake was the wrong Host header-value (you may try to capture some HTTP traffic on your PC and you will see that the HTTP Host header is just a host value like 1.1.1.1 or google.com, without "http://"), so it never matches. As I wrote above, I don't see a reason to do such matching at all.
Hope it helps.
If this answer resolved your problem please mark it as a correct one; it will help to keep our forum more organized.
Thank you.
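Added example, not part of the original thread: a small offline model of the two behaviours discussed in the reply above, namely why a Host header never equals "http://10.80.199.71" and what a `https://%h%p` redirect should produce. The request and response bytes are constructed samples, the function names are hypothetical, and the header-value match is simplified to a literal comparison (an assumption).

```python
from urllib.parse import urlsplit

# Constructed sample: request a browser sends for http://10.80.199.71/sites/home
RAW_REQUEST = (b"GET /sites/home HTTP/1.1\r\n"
               b"Host: 10.80.199.71\r\n\r\n")
# Constructed sample: response the redirect rserver is expected to return
RAW_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                b"Location: https://10.80.199.71/sites/home\r\n\r\n")

def parse_head(raw):
    """Split a raw HTTP/1.x message head into (first_line, lowercase-keyed headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    first_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return first_line, headers

def host_matches(raw_request, header_value):
    """Assumption: header-value is compared literally with the Host header."""
    _, headers = parse_head(raw_request)
    return headers.get("host", "") == header_value

def expand_redirect(template, raw_request):
    """Expand %h (Host header) and %p (request path) in a redirect template."""
    first_line, headers = parse_head(raw_request)
    path = first_line.split(" ")[1]
    return template.replace("%h", headers.get("host", "")).replace("%p", path)

def is_expected_redirect(raw_request, raw_response, status=302):
    """True if the response redirects to the https form of the same host and path."""
    req_line, req_headers = parse_head(raw_request)
    status_line, resp_headers = parse_head(raw_response)
    location = urlsplit(resp_headers.get("location", ""))
    return (int(status_line.split(" ")[1]) == status
            and location.scheme == "https"
            and location.netloc == req_headers.get("host", "")
            and location.path == req_line.split(" ")[1])

if __name__ == "__main__":
    print(host_matches(RAW_REQUEST, "http://10.80.199.71"))
    print(host_matches(RAW_REQUEST, "10.80.199.71"))
    print(expand_redirect("https://%h%p", RAW_REQUEST))
    print(is_expected_redirect(RAW_REQUEST, RAW_RESPONSE))
```

The same `is_expected_redirect` check can be run against a response head captured from the VIP on port 80 to confirm the redirect after a config change.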
06-23-2012 10:54 AM
Hello,
You should change your SharePoint_HTTPS to look like this:
class-map type http loadbalance match-any SharePoint_HTTPS
  2 match http header Host header-value 10.80.199.71
This is a little explanation of the redirection process for port 80.
-------------------------------------------------------------------------------------------
1) ACE will receive the traffic which matches the virtual address 10.80.199.71 on port 80; we are good here!!!
2) ACE has a policy multi-match which will tell the ACE what the next step to follow will be; in this case you need to check the policy Sharepoint_HTTP. We are good.
3) ACE finally reaches policy Sharepoint_HTTP to see what he needs to do, so he gets there and says: "OK, I am here on the policy Sharepoint_HTTP but I have to match SharePoint_HTTPS first to proceed further" (since the traffic is in clear text at this point, ACE can match it, but please notice this is an extra step; instead you "SHOULD" use a class class-default). ACE matches fine and finally sees he has a serverfarm of type redirect, which finally gets him to the rserver of type redirect, which fires the redirection. Good, we are done with the redirection from http to https!!!
Https process:
------------------------------
ACE now needs to do the same process to match the traffic which is now on port 443, meaning:
ACE matches:
1) policy-map multi-match int815 ---->class Sharepoint_2010_VIP_HTTPS
2) class Sharepoint_2010_VIP_HTTPS---->class SharePoint_HTTPS, but here is the problem!!! Traffic comes in on port 443, which is totally encrypted, so the ACE cannot see what the request has inside and cannot do anything at that point. You then have 2 possible solutions:
- If it is mandatory for you to analyze class SharePoint_HTTPS then you should decrypt it, using SSL termination for example, or if you need to analyze it and then encrypt it back to continue then you may need END_TO_END SSL.
- If it is NOT mandatory (hopefully) for you to analyze class SharePoint_HTTPS to continue, you can just remove it and have a class class-default instead, as in the sample of AJAY KUMAR above.
3) Let's use neither SSL-Termination nor END-TO-END SSL; then ACE matches a class class-default which has inside this serverfarm: Sharepoint_2010_Serverfarm, which finally has 2 servers: Sharepoint_2010_SRV1/Sharepoint_2010_SRV2
4) ACE takes a loadbalance decision and chooses one of those servers, and that's it.
Hope this helps!!!
Jorge
06-27-2012 01:16 AM
It works now. Tried the suggestion from Ajay and it works, so thanks a lot for the advice to all of you.