ACE redirect before SSL

gaboughanem
Level 1

Hello,

I have an ACE 4710 version A5.1 in one-armed mode, load balancing three web servers and terminating SSL.

I am trying to redirect "http://domain.com" to "http://www.domain.com" and it is working.

I am also redirecting https://domain.com to https://www.domain.com, but in this case I am facing a problem where the ACE is sending the certificate (bound to the domain www.domain.com) before redirecting.

The browser shows a certificate error (when entering "https://domain.com") and, after accepting the certificate and continuing, the browser is redirected to https://www.domain.com and the correct, signed certificate shows up.

The question is how to tell the ACE to perform the redirect before sending the certificate?

Kindly, I need some help with this issue,

Regards,

George

rserver redirect CNAME
  webhost-redirection https://www.domain.com/%p
  inservice
rserver redirect CNAME80
  webhost-redirection http://www.domain.com/%p
  inservice


serverfarm redirect CNAME
  rserver CNAME
    inservice
serverfarm redirect CNAME80
  rserver CNAME80
    inservice
serverfarm host WEB-Farm
  rserver WEB-1 80
    conn-limit max 4000000 min 4000000
    probe url-probeweb-1
    inservice
  rserver WEB-2 80
    conn-limit max 4000000 min 4000000
    probe url-probeweb-2
    inservice
  rserver WEB-3 80
    conn-limit max 4000000 min 4000000
    probe url-probeweb-3
    inservice

action-list type modify http urlrewrite
  ssl url rewrite location "www\.domain\.com"


class-map match-any CLASS-WEB
  2 match virtual-address 192.168.11.140 tcp eq https
class-map match-any CLASS-WEB2
  2 match virtual-address 192.168.11.140 tcp eq www
class-map type http loadbalance match-any Naked
  2 match http header Host header-value "domain.com"


policy-map type loadbalance first-match L7_SSL-TERM_POLICY
  class Naked
    serverfarm CNAME
    action urlrewrite
  class class-default
    sticky-serverfarm COOKIE-STICKY
    action urlrewrite
policy-map type loadbalance first-match WEB2
  class Naked
    serverfarm CNAME80
  class class-default
    sticky-serverfarm COOKIE-STICKY

policy-map multi-match L4-VIP_POLICY
  class CLASS-WEB2
    loadbalance vip inservice
    loadbalance policy WEB2
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 6
    connection advanced-options TCP_PARAM
policy-map multi-match L4_SSL-VIP_POLICY
  class CLASS-WEB
    loadbalance vip inservice
    loadbalance policy L7_SSL-TERM_POLICY
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 6
    ssl-proxy server SSL_PROXY
    connection advanced-options TCP_PARAM

Accepted Solution

Borys Berlog
Cisco Employee

Hi

Everything depends on what you need to check. If you can make a decision about sending a redirect based on L4 information, no problem: just create an L4 class map and a default class in the L7 policy.

If you need L7 information (e.g. information which is in an HTTP header), first you need to set up a connection with the client (TCP) and then get this HTTP request and check the header. If you have HTTPS, you need to set up the TCP connection, then SSL, and only then will the client send you some HTTP which you will be able to check.

Therefore in your case it's not going to work, as you're checking some field in the HTTP header and the client will never start sending HTTP before TCP and SSL are established. I think there is no easy solution on ACE to solve your problem (as I understand it, the problem is that you have a certificate for www.domain.com but not for domain.com).

The best way, as was mentioned in some other topic, is to get a wildcard certificate for *.domain.com.

Hope I've clarified the situation.

3 Replies

Hello

Thank you for your support. It is clear now.

Besides the wildcard certificate, is there any workaround or configuration that I can perform on the ACE?

Regards,

George

Hi George

One thing which comes to mind first (not sure if it's the best approach): you can try to configure your DNS in a way that

domain.com and www.domain.com have different IPs. E.g. domain.com has IP = X.X.X.X and www.domain.com has Y.Y.Y.Y.

Then you will configure an L4 class map on the ACE for IP X.X.X.X and port 443 so that it sends a redirection to www.domain.com, and one more L4 class for IP Y.Y.Y.Y to perform SSL offload and actually provide access to your site. In this case you won't need L7 information to make a decision.

The drawback of this solution is that you need one more IP.
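As an added illustration (not config from this thread or from Cisco), here is what the split-VIP approach from the reply above looks like written in the same ACE syntax as George's posted config. It assumes domain.com resolves to 192.0.2.10 (X.X.X.X) and www.domain.com to 192.0.2.11 (Y.Y.Y.Y), and that a second ssl-proxy service named SSL_PROXY_NAKED exists; lines starting with ! are explanatory comments, not ACE commands.

```text
! Added example. Assumed VIPs: 192.0.2.10 = domain.com, 192.0.2.11 = www.domain.com.

! Redirect rserver reused from the original config.
rserver redirect CNAME
  webhost-redirection https://www.domain.com/%p
  inservice
serverfarm redirect CNAME
  rserver CNAME
    inservice

! L4 decision only: the naked-domain VIP on 443 is matched by address and port,
! so the Host header is never needed.
class-map match-any CLASS-NAKED-SSL
  2 match virtual-address 192.0.2.10 tcp eq https
class-map match-any CLASS-WEB
  2 match virtual-address 192.0.2.11 tcp eq https

! Every request on the naked VIP is redirected via the default class.
policy-map type loadbalance first-match L7_NAKED_REDIRECT
  class class-default
    serverfarm CNAME

! Caveat: the 302 is still delivered inside a TLS session, so the naked VIP
! must terminate SSL too. SSL_PROXY_NAKED (assumed name) must hold a
! certificate valid for domain.com, otherwise the browser warning remains.
policy-map multi-match L4_SSL-VIP_POLICY
  class CLASS-NAKED-SSL
    loadbalance vip inservice
    loadbalance policy L7_NAKED_REDIRECT
    ssl-proxy server SSL_PROXY_NAKED
  class CLASS-WEB
    loadbalance vip inservice
    loadbalance policy L7_SSL-TERM_POLICY
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 6
    ssl-proxy server SSL_PROXY
    connection advanced-options TCP_PARAM
```

The second IP removes the dependency on L7 inspection, but not the need for a certificate that the browser trusts for domain.com on that VIP.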
