ACE module SSL url rewrite and path rewrite

bmcginn
Level 3

Hi all,

I'm hoping some of you helpful people on this forum can guide me or suggest a solution to a problem I'm faced with.

I am currently load balancing Exchange 2010 traffic via an ACE module.  Software version is A2(3.3).  I have most parts of it working fine however I am having an issue when it comes to SSL termination for Outlook Web Access (OWA).

The problem comes down to an HTTP header (field is location).  I have configured an action list to re-write the SSL pure URL as per page 96 of the "Cisco Application Control Engine Module SSL Configuration Guide".  Example:

ssl url rewrite location bnecas\.mycompany\.com sslport 443

That part works, the http header location field that comes back from the GET request is changed to https://cas.mycompany.com which is great.  However, in addition to that url, there is also a path or something following that part.  The actual string that is returned is:

https://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0

The first bit of it, (https://cas.mycompany.com) is changed by the ssl url rewrite command, however the last part (http://cas.mycompany.com/owa/&reason=0) isn't changed.

This is where I've been trying to get the http Header Rewrite command to do something.  I don't know if it can work in conjunction with the ssl url rewrite function however with the ssl rewrite function it seems it can't change bits of the string that aren't the pure URL at the front.

The end result is that while I have an SSL connection to the OWA login page, when I do login to OWA it reverts back to HTTP.  I'm fairly sure it is because of the last part of the location string above.  Is there a way to change that location string to do the following:

1.  change the first part of the string to be https://cas.mycompany.com (like the ssl url rewrite function)

2.  change the last part of the location string to put https in there instead of http

Ideally I would love to have this string

http://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0

replaced with this one

https://cas.mycompany.com/owa/auth/logon.aspx?url=https://cas.mycompany.com/owa/&reason=0

I had originally tried the following in the action list:

header rewrite response location header-value "(owa/auth/logon\.aspx\?url=)http(://bnecas\.thiess\.aus/owa/&reason=0)" replace "%1https%2"

ssl url rewrite location bnecas\.mycompany\.com sslport 443

but it didn't work.  I'm probably screwing up the regex somewhere however there don't seem to be very clear examples anywhere I can find.

Any help will be greatly appreciated and of course I will be sure to rate every post that responds to my plea for help.

Brad

1 Accepted Solution


Hi Brad,

try this:

action-list type modify http X

  header rewrite response Location header-value "http://(.*url=)http://(.*)" replace "https://%1https://%2"

We won't be using ssl url rewrite in this case

Also we will be needing persistence rebalance applied through application parameter map and apply that under the VIP class


j0hnr1ch
Level 1

Brad,

I have been trying to resolve a similar issue all week.

I found the following action solved it for me.

action-list type modify http HTTP-To-HTTPS
  header rewrite response location header-value ".*http*" replace "%1https%2"
  ssl url rewrite location ".*"

The first rewrite looks for any HTTP within the location string, and to be sure it's all been caught I followed up with the SSL rewrite.

John

Hi John,

Thanks for the tip.  I've put that in however it still seems to be returning this in the location field:

https://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany/owa/&reason=0

The action list I have input is:

action-list type modify http URL_REWRITE
  header rewrite response location header-value ".*http.*" replace "%1https%2"
  ssl url rewrite location "cas\.mycompany\.com"

Any other tips that I might be able to try?

Brad

what about something like this :

action-list type modify http URL_REWRITE
  header rewrite response location header-value ".*http.*http.*" replace "%1https%2https%3"
  ssl url rewrite location "cas\.mycompany\.com"

Hi Surya,

I've put that in the config now and I'm now seeing this in the location field:

cas.mycompany.comhttpsowa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0https%3

Any other ideas to try?

Thanks for the help so far.

Brad

Hi John,

Thanks for the tip.  I've put that in however it still seems to be returning this in the location field:

https://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0

The action list I have input is:

action-list type modify http URL_REWRITE
  header rewrite response location header-value ".*http.*" replace "%1https%2"
  ssl url rewrite location "*"

When I input it, I received the following in the location field:

http://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0

I'm guessing the SSL URL rewrite is not catching the main domain name, however that doesn't explain why the http field in the string isn't getting caught.

Any other tips that I might be able to try?

Brad

Hi Brad,

I notice that you are adding a period after the 'http' in the header rewrite search string and missing a period in the SSL rewrite search string. Did you try the exact syntax I put in my first reply?

John

Hi John,

Sorry about that, it was a typo.

action-list type modify http URL_REWRITE
  header rewrite response location header-value ".*http*" replace "%1https%2"
  ssl url rewrite location ".*"

I copied and pasted the header rewrite and ssl rewrite bits directly into the ACE from your post however I typed it into the forum.  Apologies.

I'm not having much luck with this am I.

I'm still having the issue, I login fine to OWA at the https page, however as soon as I login it reverts back to http.

Any last words of help before I log a case?

Thanks again for your time.

Brad

Hi Brad,

Since you know the posting variable name 'url', you should be able to search for this in the rewrite statement.  I'm not sure if this forces the action-list to exit leaving your ssl rewrite untouched, which is why I suggest dropping the ssl rewrite and try catching it all in one regex search string.

header rewrite response location header-value (.*http://cas\.mycompany\.com*)(.*url=http*) replace %1https://cas\.mycompany\.com%2url=https

I'm sure there are some AND OR expressions available to us somewhere!

John

Hi Brad,

try this:

action-list type modify http X

  header rewrite response Location header-value "http://(.*url=)http://(.*)" replace "https://%1https://%2"

We won't be using ssl url rewrite in this case

Also we will be needing persistence rebalance applied through application parameter map and apply that under the VIP class

Hi there,

Thanks for that, it helped a lot.  I ended up having to leave the ssl url rewrite statement in there.  When it wasn't there the OWA worked well except when the password was wrong when logging in, it then redirected the person to a http:// site and not the https site.  With the SSL url rewrite statement in there it put me back to the https site which is good.

Thanks all for your help!

Brad
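The rewrite rules discussed in this thread can be checked offline before they go onto the load balancer. The sketch below is an added example, not code from any poster or from Cisco: it uses Python's re module as a stand-in for the ACE regex engine, assumes the pattern must match the whole header value, and the second sample Location (one without a nested url= parameter) is constructed for illustration.

```python
import re

# Pattern and replacement from the accepted answer (ACE-style "%N" backreferences).
ACCEPTED = (r"http://(.*url=)http://(.*)", "https://%1https://%2")
# An earlier attempt from the thread: the pattern has no capture groups at all.
ATTEMPT = (r".*http.*http.*", "%1https%2https%3")

SAMPLES = [
    # Location value quoted in the original question.
    "http://cas.mycompany.com/owa/auth/logon.aspx"
    "?url=http://cas.mycompany.com/owa/&reason=0",
    # Constructed sample: a redirect that carries no nested url= parameter.
    "http://cas.mycompany.com/owa/auth/logon.aspx",
]


def unbound_backrefs(pattern, replacement):
    """Return the %N references in the replacement that no capture group fills."""
    groups = re.compile(pattern).groups
    refs = [int(n) for n in re.findall(r"%(\d)", replacement)]
    return [n for n in refs if n > groups]


def rewrite_location(value, rule=ACCEPTED):
    """Apply a rule to a Location value; values that do not match pass through."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, value)  # assumption: whole-value match
    if m is None:
        return value

    def fill(ref):
        n = int(ref.group(1))
        # Leave a reference literal when the pattern has no such group.
        return m.group(n) if n <= m.re.groups else ref.group(0)

    return re.sub(r"%(\d)", fill, replacement)


def cleartext_urls(value):
    """Count http:// occurrences left in a value, nested url= parameter included."""
    return len(re.findall(r"http://", value))


if __name__ == "__main__":
    for rule in (ATTEMPT, ACCEPTED):
        print(rule[0], "unbound backreferences:", unbound_backrefs(*rule))
    for loc in SAMPLES:
        out = rewrite_location(loc)
        print(out, "| cleartext URLs left:", cleartext_urls(out))
```

Under these assumptions the second sample passes through unchanged, so a redirect of that shape would still need a separate rule such as the ssl url rewrite statement.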
