01-17-2012 04:26 AM
Hello,
I have an ACE 4710 version A5.1 in one-armed mode, load balancing three web servers and terminating SSL.
I am trying to redirect "http://domain.com" to "http://www.domain.com" and it is working.
I am also redirecting https://domain.com to https://www.domain.com, but in this case I am facing a problem where the ACE is sending the certificate (bound to the domain www.domain.com) before redirecting.
The browser shows a certificate error (when entering "https://domain.com") and after accepting the certificate and continuing, the browser is redirected to https://www.domain.com and the correct, signed certificate shows up.
The question is how to tell the ACE to perform the redirect before sending the certificate?
Kindly, I need some help with this issue.
Regards,
George
rserver redirect CNAME
  webhost-redirection https://www.domain.com/%p
  inservice
rserver redirect CNAME80
  webhost-redirection http://www.domain.com/%p
  inservice
serverfarm redirect CNAME
  rserver CNAME
    inservice
serverfarm redirect CNAME80
  rserver CNAME80
    inservice
serverfarm host WEB-Farm
  rserver WEB-1 80
    conn-limit max 4000000 min 4000000
    probe url-probeweb-1
    inservice
  rserver WEB-2 80
    conn-limit max 4000000 min 4000000
    probe url-probeweb-2
    inservice
  rserver WEB-3 80
    conn-limit max 4000000 min 4000000
    probe url-probeweb-3
    inservice
action-list type modify http urlrewrite
  ssl url rewrite location "www\.domain\.com"
class-map match-any CLASS-WEB
  2 match virtual-address 192.168.11.140 tcp eq https
class-map match-any CLASS-WEB2
  2 match virtual-address 192.168.11.140 tcp eq www
class-map type http loadbalance match-any Naked
  2 match http header Host header-value "domain.com"
policy-map type loadbalance first-match L7_SSL-TERM_POLICY
  class Naked
    serverfarm CNAME
    action urlrewrite
  class class-default
    sticky-serverfarm COOKIE-STICKY
    action urlrewrite
policy-map type loadbalance first-match WEB2
  class Naked
    serverfarm CNAME80
  class class-default
    sticky-serverfarm COOKIE-STICKY
policy-map multi-match L4-VIP_POLICY
  class CLASS-WEB2
    loadbalance vip inservice
    loadbalance policy WEB2
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 6
    connection advanced-options TCP_PARAM
policy-map multi-match L4_SSL-VIP_POLICY
  class CLASS-WEB
    loadbalance vip inservice
    loadbalance policy L7_SSL-TERM_POLICY
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 6
    ssl-proxy server SSL_PROXY
    connection advanced-options TCP_PARAM
01-17-2012 04:54 AM
Hi,
Everything depends on what you need to check. If you can make a decision about sending a redirect based on L4 information, no problem: just create an L4 class map and a default class in the L7 policy.
If you need L7 information (e.g. information which is in an HTTP header), you first need to set up a connection with the client (TCP) and then get this HTTP request and check the header. If you have HTTPS, you need to set up the TCP connection, then SSL, and only then will the client send you some HTTP which you will be able to check.
Therefore in your case it's not going to work, as you're checking some field in the HTTP header and the client will never start sending HTTP before TCP and SSL are established. I think there is no easy solution on the ACE to solve your problem (as I understand it, the problem is that you have a certificate for www.domain.com but not for domain.com).
The best way, as was mentioned in some other topic, is to get a wildcard certificate for *.domain.com.
Hope I've clarified the situation.
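The ordering described in the answer above (TCP, then the TLS handshake in which the server certificate is sent, and only then the HTTP request whose Host header the ACE could match on) can be modelled in a few lines, together with the hostname check a browser applies to the presented certificate. The script below is an added example, not code from the original thread or from Cisco; the subjectAltName lists are constructed inputs rather than parsed certificates, and the redirect map is assumed for illustration. One caveat worth checking before ordering the wildcard certificate: under RFC 6125 matching as browsers apply it, `*.domain.com` covers `www.domain.com` but not the bare `domain.com`, so the certificate also needs `domain.com` itself as a SAN entry if the https://domain.com handshake is to complete without a warning.

```python
"""Model of why the certificate is presented before the Host header can be
seen, plus RFC 6125 style matching of a hostname against a certificate's
subjectAltName dNSName entries.

Added example, not part of the original thread. The SAN lists used below
are constructed inputs, not parsed from real certificates.
"""
from typing import Dict, Iterable, List


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a dNSName SAN entry (possibly a wildcard) covers hostname.

    Wildcard handling follows RFC 6125 section 6.4.3 as browsers apply it:
    a single '*' that is the entire left-most label, matching exactly one
    label, with at least two labels after it (so '*.com' never matches).
    """
    pat, host = _labels(pattern), _labels(hostname)
    if "" in pat or "" in host:          # empty label, e.g. "a..b" or ""
        return False
    if "*" not in pattern:
        return pat == host               # exact, case-insensitive match
    if pattern.count("*") != 1 or pat[0] != "*" or len(pat) < 3:
        return False
    # The wildcard consumes exactly one label, so '*.domain.com' covers
    # 'www.domain.com' but neither 'domain.com' nor 'a.b.domain.com'.
    return len(host) == len(pat) and host[1:] == pat[1:]


def cert_covers(san_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry on the certificate matches the hostname."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


def https_request_events(san_dns_names: List[str], url_host: str,
                         redirect_map: Dict[str, str]) -> List[str]:
    """Order of operations the browser goes through for https://<url_host>/.

    The server certificate is sent during the TLS handshake, before any
    HTTP bytes exist, so a Host-header based redirect can only be issued
    after the certificate has already been presented and accepted.
    """
    events = ["tcp-connect", "tls-server-cert:" + ",".join(san_dns_names)]
    if not cert_covers(san_dns_names, url_host):
        events.append("browser-cert-error")   # user has to click through
        return events
    events.append("http-request Host: " + url_host)
    if url_host in redirect_map:
        events.append("http-redirect -> " + redirect_map[url_host])
    else:
        events.append("http-200")
    return events


if __name__ == "__main__":
    # Assumed redirect table, mirroring the thread's CNAME rserver.
    redirects = {"domain.com": "https://www.domain.com/"}
    # Certificate as in the thread: only www.domain.com on it.
    print(https_request_events(["www.domain.com"], "domain.com", redirects))
    # A wildcard alone still does not cover the apex name.
    print(cert_covers(["*.domain.com"], "domain.com"))
    # Wildcard plus the apex as a second SAN covers both names.
    print(https_request_events(["*.domain.com", "domain.com"],
                               "domain.com", redirects))
```

Run it as-is; the first call reproduces the certificate error George sees, the second shows that a bare `*.domain.com` certificate would not fix it, and the third shows the handshake completing so that the ACE's Host-header match and redirect can finally run.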
01-17-2012 10:22 AM
Hello,
Thank you for your support. It is clear now.
Besides the wildcard certificate, is there any workaround or configuration that I can perform on the ACE?
Regards,
George
01-17-2012 01:42 PM
Hi George,
One thing which comes to mind first (not sure if it's the best approach): you can try to configure your DNS in such a way that
domain.com and www.domain.com have different IPs, e.g. domain.com has IP X.X.X.X and www.domain.com has Y.Y.Y.Y.
Then you would configure an L4 class map on the ACE for IP X.X.X.X and port 443 so that it sends a redirect to www.domain.com, and one more L4 class for IP Y.Y.Y.Y to perform SSL offload and actually provide access to your site. In this case you won't need L7 information to make a decision.
The drawback of this solution is that you need one more IP.