02-20-2011 09:57 PM
We use an ACE in our network and use HTTP to HTTPS redirection.
Everything works fine and the user is redirected from HTTP to HTTPS when he clicks on a link on the webpage.
Once the user has clicked on the link, the browser opens up an HTTPS page.
Now if the user goes to the address bar and changes https to http, he gets the page in HTTP instead of HTTPS.
Please help in this regard.
02-21-2011 01:11 AM
Can you provide us with your configuration?
02-21-2011 02:40 AM
sh run
Generating configuration....
crypto chaingroup IBECHAINGRP
  cert fly1.xxxxxxxx.com.cer
  cert GTE_Cyber.pem
  cert Comtrust_Root.pem
  cert Comtrust_Server.pem
crypto csr-params CSR_IBEPARAMS_1
  country xx
  state xxxxx
  locality xxx
  organization-name xxxxxxxxAirlines
  organization-unit xxxxxxxxAirlines
  common-name fly1.xxxxxxxx.com
  serial-number 1010
access-list ANY line 8 extended permit ip any any
access-list ANY line 16 extended permit icmp any any
access-list ICMP-ONLY line 8 extended permit icmp any any
access-list xx-fly1 line 8 extended permit ip host 94.203.119.222 any
probe http HTTP_Probe
  interval 30
  faildetect 2
  passdetect count 1
  expect status 200 399
  expect status 401 401
parameter-map type connection MSS_1200
  set tcp mss min 536 max 1172
rserver host xxxegww57
  ip address 10.22.52.20
  probe HTTP_Probe
  inservice
rserver host xxxegww58
  ip address 10.22.52.21
  probe HTTP_Probe
  inservice
rserver host xxxegww59
  ip address 10.22.52.22
  probe HTTP_Probe
  inservice
rserver host xxxegww60
  ip address 10.22.52.23
  probe HTTP_Probe
  inservice
ssl-proxy service SSL-PSERVICE-SERVER
  key ibersakey.pem
  cert fly1.xxxxxxxx.com.cer
  chaingroup IBECHAINGRP
serverfarm host IBE-HTTP
  rserver xxxegww57 80
    inservice
  rserver xxxegww58 80
    inservice
  rserver xxxegww59 80
    inservice
  rserver xxxegww60 80
    inservice
sticky ip-netmask 255.255.255.0 address both IBE-STICKY-GRP1
  timeout 720
  replicate sticky
  serverfarm IBE-HTTP
class-map match-any ICMP-TRAFFIC
  2 match access-list ICMP-ONLY
class-map match-all VIP-IBE-HTTP
  2 match virtual-address 10.22.52.10 tcp eq www
class-map match-all VIP-IBE-HTTPS
  2 match virtual-address 10.22.52.10 tcp eq https
class-map type management match-any mgmt
  10 match protocol icmp any
  20 match protocol telnet any
policy-map type management first-match mgmt
  class mgmt
    permit
policy-map type loadbalance first-match IBE-HTTP
  class class-default
    sticky-serverfarm IBE-STICKY-GRP1
policy-map type loadbalance first-match IBE-HTTPS
  class class-default
    sticky-serverfarm IBE-STICKY-GRP1
policy-map multi-match ICMP-INSPECT
  class ICMP-TRAFFIC
    inspect icmp error
policy-map multi-match VIP-HTTP
  class VIP-IBE-HTTP
    loadbalance vip inservice
    loadbalance policy IBE-HTTP
    loadbalance vip icmp-reply
policy-map multi-match VIP-HTTPS
  class VIP-IBE-HTTPS
    loadbalance vip inservice
    loadbalance policy IBE-HTTPS
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PSERVICE-SERVER
    connection advanced-options MSS_1200
interface vlan 950
  description *** Server Side VLAN ***
  bridge-group 1
  mtu 9216
  access-group input ANY
  access-group output ANY
  service-policy input mgmt
  no shutdown
interface vlan 951
  description *** Client Side VLAN ***
  bridge-group 1
  ip df clear
  mtu 9216
  mac-sticky enable
  access-group input ANY
  access-group output ANY
  service-policy input mgmt
  service-policy input VIP-HTTP
  service-policy input VIP-HTTPS
  service-policy input ICMP-INSPECT
  no shutdown
interface bvi 1
  ip address 10.22.52.4 255.255.255.128
  peer ip address 10.22.52.5 255.255.255.128
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.22.52.1
02-21-2011 02:48 AM
One of the reasons that the user gets a page when he changes https to http in the address bar of the browser is that we use SSL offload: the SSL is between the client and the ACE, and from the ACE to the server it is clear text.
Once the user changes from https to http, it hits the ACE on 80 and is redirected to the real server as any other HTTP packet.
Let me give an example for better understanding.
I have a site by the name www.sandjose.com.
The www.sandjose.com request goes through HTTP and it has many directories listed under it serving different pages:
www.sandjose/dir1/content1.aspx
www.sandjose/dir2/content2.aspx
....
www.sandjose/dirn/contentn.aspx
Out of the above directories I want certain URLs, e.g. "www.sandjose/dir2/content2.aspx", to always use HTTPS, even if the user comes via HTTP. I need to redirect him to HTTPS if the request comes from HTTP.
Hope my example makes it clear.
02-21-2011 05:36 AM
Hello,
Your rserver is configured for port 80 and you have a class-map configured with port 80 too.
This config will not perform HTTP to HTTPS redirection.
You might want to use an action-list to rewrite the URL:
action-list type modify http urlrewrite
  ssl url rewrite location www\.sandjose\.com
or even
  ssl url rewrite location .* (which should match anything)
Then add your action list to
policy-map type loadbalance first-match IBE-HTTP
  class class-default
    sticky-serverfarm IBE-STICKY-GRP1
    action urlrewrite
Anyway, have a look at this guide:
Hope this helps.
Regards,
Thibault.
02-21-2011 07:30 PM
Thanks Thibault.
Can you help me in matching the string "www.sandjose.com/dir2/content2.aspx"?
I have tried the SSL URL rewrite and it didn't work. I think I was trying to match the entire path and made some mistakes in matching it.
Can you please help in this regard?
I think the regex I tried was www\.sandjose\.com\/dir2\/content2\.aspx
02-23-2011 12:15 AM
Hello,
The string " .* " (without the quotes) should match anything.
If you need to redirect everything then use it rather than a specific regex for each URL.
Something found in the ACE documentation:
Note: When matching data strings, note that the period (.) and question mark (?) characters do not have a literal meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).
Rgds.
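Added example, not part of the original thread and not Cisco's own sample: one way to meet the requirement stated above (force /dir2/content2.aspx to HTTPS while the rest of the site stays reachable over HTTP) is a redirect serverfarm selected by a URL class in the port-80 load-balance policy. The names SECURE-URLS, HTTPS-REDIRECT and HTTPS-REDIRECT-FARM are hypothetical; IBE-HTTP and IBE-STICKY-GRP1 come from the configuration posted in the thread. Lines starting with "!" are annotations for the reader and should be left out when entering the commands.

```text
! Redirect rserver: replies with a 301 pointing at the same host (%h)
! and path (%p) over HTTPS instead of forwarding to a real server.
rserver redirect HTTPS-REDIRECT
  webhost-redirection https://%h%p 301
  inservice

serverfarm redirect HTTPS-REDIRECT-FARM
  rserver HTTPS-REDIRECT
    inservice

! URLs that must never be served in clear text.
! The dot is bracketed so it is matched literally.
class-map type http loadbalance match-any SECURE-URLS
  2 match http url /dir2/content2[.]aspx

! Port-80 policy (first-match): the protected URL class has to be
! evaluated before class-default, otherwise the request is load
! balanced to the port-80 real servers as before.
policy-map type loadbalance first-match IBE-HTTP
  class SECURE-URLS
    serverfarm HTTPS-REDIRECT-FARM
  class class-default
    sticky-serverfarm IBE-STICKY-GRP1
```

To check the result, request the protected URL over plain HTTP from a client: the response should be a 301 whose Location header starts with https://, while other paths still return content over HTTP.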