cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2875
Views
12
Helpful
10
Replies
Highlighted
Participant

ACE module SSL url rewrite and path rewrite

Hi all,

I'm hoping some of you helpful people on this forum can guide me or suggest a solution to a problem I'm faced with.

I am currently load balancing exchange 2010 traffic via an ACE module.  Software version is A2(3.3).  I have most parts of it working fine however I am having an issue when it comes to SSL termination for Outlook Web Access (OWA).

The problem comes down to a HTTP header (field is location).  I have configured an action list to re-write the SSL pure URL as per page 96 of the "Cisco Application Control Engine Module SSL Configuration Guide".  example:

ssl url rewrite location bnecas\.mycompany\.com sslport 443

That part works, the http header location field that comes back from the GET request is changed to https://cas.mycompany.com which is great.  However, in addition to that url, there is also a path or something following that part.  The actual string that is returned is:

https://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0

The first bit of it, (https://cas.mycompany.com) is changed by the ssl url rewrite command, however the last part (http://cas.mycompany.com/owa/&reason=0) isn't changed.

This is where I've been trying to get the http Header Rewrite command to do something.  I don't know if it can work in conjunction with the ssl url rewrite function however with the ssl rewrite function it seems it can't change bits of the string that aren't the pure URL at the front.

The end result is that while I have an SSL connection to the OWA login page, when I do login to OWA it reverts back to HTTP.  I'm fairly sure it is because of the last part of the location string above.  Is there a way to change that location string to do the following:

1.  change the first part of the string to be https://cas.mycompany.com (like the ssl url rewrite function)

2.  change the last part of the location string to put https in there instead of http

Ideally I would love to have this string

http://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0

replaced with this one

https://cas.mycompany.com/owa/auth/logon.aspx?url=https://cas.mycompany.com/owa/&reason=0

I had originally tried the following in the action list:

header rewrite response location header-value "(owa/auth/logon\.aspx\?url=)http(://bnecas\.thiess\.aus/owa/&reason=0)" replace "%1https%2"

ssl url rewrite location bnecas\.mycompany\.com sslport 443

but it didn't work.  I'm probably screwing up the regex somewhere however there doesn't seem to be very clear examples anywhere I can find.

Any help will be greatly appreciated and of course I will be sure to rate every post that responds to my plea for help.

Brad

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Hi Brad,

try this:

action-list type modify http X

  header rewrite response Location header-value "http://(.*url=)http://(.*)" replace "https://%1https://%2"

we wont be using ssl url rewrite in this case

Also we will be needing persistence rebalance applied through application parameter map and apply that under the VIP class

View solution in original post

10 REPLIES 10
Highlighted
Beginner

Brad,

I have been trying to resolve a similar issue all week.

I found the following action solved it for me.

action-list type modify http HTTP-To-HTTPS
  header rewrite response location header-value ".*http*" replace "%1https%2"
  ssl url rewrite location ".*"

The first rewrite looks for any HTTP within the location string, and to be sure it's all been caught I followed up with the SSL rewrite.

John

Highlighted

HI John,

Thanks for the tip.  I've put that in however it still seems to be returning this in the location field:

https://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany/owa/&reason=0

The action list I have input is:

action-list type modify http URL_REWRITE
  header rewrite response location header-value ".*http.*" replace "%1https%2"
  ssl url rewrite location "cas\.mycompany\.com"

Any other tips that I might be able to try?

Brad

Highlighted

what about something like this :

action-list type modify http URL_REWRITE
  header rewrite response location header-value ".*http.*http.*" replace "%1https%2https%3"
  ssl url rewrite location "cas\.mycompany\.com"

Highlighted

Hi Surya,

I've put that in the config now and I'm now seeing this in the location field:

cas.mycompany.comhttpsowa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0https%3

Any other ideas to try?

Thanks for the help so far.

Brad

Highlighted

HI John,

Thanks for the tip.  I've put that in however it still seems to be returning this in the location field:

https://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0

The action list I have input is:

action-list type modify http URL_REWRITE
  header rewrite response location header-value ".*http.*" replace "%1https%2"
  ssl url rewrite location "*"

 

When I input it, I received the following in the location field:

http://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0

I'm guessing the SSL URL rewrite is not catching the main domain name, however that doesn't explain why the http field in the string isn't getting caught.

Any other tips that I might be able to try?

Brad

Highlighted

Hi Brad,

I notice that you are adding a period after the 'http' in the header rewrite search string and missing a period in the SSL rewrite search string. Did you try the exact syntax I put in my first reply?

John

Highlighted

Hi John,

sorry about that, it was a typo..

action-list type modify http URL_REWRITE
  header rewrite response location header-value ".*http*" replace "%1https%2"
  ssl url rewrite location ".*"

I copied and pasted the header rewrite and ssl rewrite bits directly into the ACE from your post however i typed it into the forum..  Apologies.

I'm not having much luck with this am I.

I'm still having the issue, I login fine to OWA at the https page, however as soon as I login it reverts back to http.

Any last words of help before I log a case?

Thanks again for you time.

Brad

Highlighted

Hi Brad,

Since you know the posting variable name 'url', you should be able to search for this in the rewrite statement.  I'm not sure if this forces the action-list to exit leaving your ssl rewrite untouched, which is why I suggest dropping the ssl rewrite and try catching it all in one regex search string.

header rewrite response location header-value (.*http://cas\.mycompany\.com*)(.*url=http*) replace %1https://cas\.mycompany\.com%2url=https

I'm sure there are some AND OR expressions available to us somewhere!

John

Highlighted

Hi Brad,

try this:

action-list type modify http X

  header rewrite response Location header-value "http://(.*url=)http://(.*)" replace "https://%1https://%2"

we wont be using ssl url rewrite in this case

Also we will be needing persistence rebalance applied through application parameter map and apply that under the VIP class

View solution in original post

Highlighted

Hi there,

Thanks for that, it helped a lot.  I ended up have to least the ssl url rewrite statement in there.  When it wasn't there the OWA worked well except when the password was wrong when logging in, it then redirected the person to a http:// site and not the https site.  With the SSL url rewrite statement in there it put me back to the https site which is good.

Thanks all for your help!

Brad

Content for Community-Ad
This widget could not be displayed.