ACE Redirection to HTTPS by URL

jason.williams
Level 1

Is it possible to configure the ACE to redirect a URL to HTTPS?  I don't want to redirect the entire site, only certain pages.

Thanks.

Jason


Maybe by using some debug commands.

I don't think the "show policy-map / show class-map" will be sufficient there.

I read this post again, don't forget to make the brackets [] when you have a dot [.] in your URL.

Jorge Bejarano
Level 4

Hello, Jason

I hope you are doing great.

I wonder if you can test this:

TEST 1)

class-map type http loadbalance match-any HTTPS_REDIRECT_BY_URL

  match http url http://website.url/Admin[.]aspx

  match http url http://website.url/Admin/.*

  match http url http://website.url/Host/.*

  match http url http://website.url/PatientsAndVisitors/GiftShop[.]aspx

  match http url http://website.url/PatientsAndVisitors/GiftShop/.*

  match http url http://website.url/PatientsAndVisitors/PrayerRequest[.]aspx

  match http url http://website.url/PatientsAndVisitors/PrayerRequest/.*

  match http url http://website.url/PatientsAndVisitors/SendanEcard[.]aspx

  match http url http://website.url/PatientsAndVisitors/SendanEcard/.*

  match http url http://website.url/Donate[.]aspx

  match http url http://website.url/Donate/.*

As per this doc:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html

When matching data strings, note that the period (.) and question mark (?) characters do not have a literal meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).

If the situation persists then you can try to break it down like this:

TEST 2)

class-map type http loadbalance match-any HTTPS_REDIRECT_BY_URL_1

  match http url http://website.url/Admin[.]aspx

class-map type http loadbalance match-any HTTPS_REDIRECT_BY_URL_2

  match http url http://website.url/Admin/.*

And so on with the rest...

Then you can try to match them like below and at least you should have a better idea about which ones are failing or not, then you can focus on the ones which are failing:

policy-map type loadbalance http first-match PM_WEBFARM_HTTPS_REDIRECT_BY_URL

  class HTTPS_REDIRECT_BY_URL_1

    sticky-serverfarm WEBFARM

  class HTTPS_REDIRECT_BY_URL_2

    sticky-serverfarm WEBFARM

  class class-default

    sticky-serverfarm WEBFARM

Hope this helps!!!

JORGE
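A way to check pattern coverage offline before loading the class-map, as an added example that is not part of the original post or of Cisco's documentation. It assumes the match is a whole-string regular expression on the URL path and uses Python's `re` as a stand-in for the ACE matcher, which may differ; the pattern list and request paths are constructed from the pages named in the thread.

```python
import re

# Constructed inputs: path-only forms of patterns discussed in the thread.
PATTERNS = [
    "/Admin[.]aspx",
    "/Admin/.*",
    "/PatientsAndVisitors/GiftShop[.]aspx",
    "/PatientsAndVisitors/GiftShop/.*",
    "/Donate.aspx",   # dot left unescaped on purpose to show the effect
    "/Donate/.*",
]

# Constructed test requests: (path, must_be_redirected_to_https)
REQUESTS = [
    ("/Admin.aspx", True),
    ("/Admin/Users.aspx", True),
    ("/PatientsAndVisitors/GiftShop.aspx", True),
    ("/PatientsAndVisitors/GiftShop/Cart.aspx", True),
    ("/Donate.aspx", True),
    ("/Donate/Form.aspx", True),
    ("/Donate_aspx", False),
    ("/Administrator.aspx", False),
    ("/Home.aspx", False),
]


def first_match(path, patterns):
    """Return the first pattern matching the whole path, or None."""
    for pattern in patterns:
        if re.fullmatch(pattern, path):
            return pattern
    return None


def audit(patterns, requests):
    """Return (missed, unexpected): paths that should redirect but match
    nothing, and paths that should not redirect but match a pattern."""
    missed, unexpected = [], []
    for path, must_redirect in requests:
        hit = first_match(path, patterns)
        if must_redirect and hit is None:
            missed.append(path)      # would stay on plain HTTP
        elif not must_redirect and hit is not None:
            unexpected.append((path, hit))
    return missed, unexpected


if __name__ == "__main__":
    missed, unexpected = audit(PATTERNS, REQUESTS)
    print("not covered:", missed)
    print("over-matched:", unexpected)
```

Any path reported as not covered would keep being served over HTTP, so the list of request paths should include both the page and the directory form of every protected area.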

Jason,

Do as follows, it will work for sure. This will work, cent percent sure, because I am using the same in my environment and it works smoothly. Match URLs as follows and let me know the result. After every match word put " /*.*"

  3 match http url /Admin/*.*

  4 match http url /Host/*.*

  6 match http url /PatientsAndVisitors/GiftShop/*.*

8 match http url /PatientsAndVisitors/PrayerRequest/*.*

10 match http url /PatientsAndVisitors/SendanEcard/*.*

12 match http url /Donate/*.*

-Parvees

Hi Jason,

Did you test the above?

thanks.

-Parvees

3 match http url /Admin/*.*

4 match http url /Host/*.*

6 match http url /PatientsAndVisitors/GiftShop/*.*

8 match http url /PatientsAndVisitors/PrayerRequest/*.*

10 match http url /PatientsAndVisitors/SendanEcard/*.*

12 match http url /Donate/*.*

Unfortunately this won't work for our needs for a few reasons.  Mainly, it misses the main pages.

For example, 3 match http url /Admin/*.* may cover everything under the Admin directory, but it won't cover the Admin.aspx page itself.

Hi Jason,

I have done this and accomplished the tasks after struggling a lot.

2 match http url /ibe/deliveryOptions/*.* ( this works only for /ibe/deliveryoptions.aspx)

3 match http url /ibe/passengerDetails/*.* (this works only for /ibe/passengerdetails.aspx)

I didn't get the point you are highlighting here. You have header/admin.aspx and also header/admin/xxx.xxx?

Is it this way?

-Parvees

Parvees,

We have a single page, header/admin.aspx that needs to be redirected and we have a directory called admin (header/admin/web.page) that also needs to be redirected.

For example:

  5 match http url /PatientsAndVisitors/GiftShop[.]aspx

  6 match http url /PatientsAndVisitors/GiftShop/.*

Both the GiftShop.aspx page and everything under the GiftShop directory need to be secured.

I'll test out your suggestion and see what happens.

Thanks.

Jason

This configuration:

  3 match http url /Admin/*.*

  4 match http url /Host/.*

  6 match http url /PatientsAndVisitors/GiftShop/*.*

  8 match http url /PatientsAndVisitors/PrayerRequest/*.*

  10 match http url /PatientsAndVisitors/SendanEcard/*.*

  12 match http url /Donate/*.*

  13 match http url /login/*.*

Didn't work.  Neither the main page (Donate.aspx) nor the directory (/Donate/) would redirect to https.  And there were zero hits when I ran sh service-policy url-summary.

Jorge,

This didn't work.  Also, the document you linked to is for version A3, we're still on A2.  Plus, unless I'm reading it wrong, I can't upgrade to A3 because we're using ACE20 modules.

I'm not sure if it's a software version thing.  With this configuration, if I run

sh service-policy CLIENTSIDE_VIPS url-summary, I get 0 hits.

jason.williams
Level 1

Here's where I have some inconsistencies:

    match http url /Admin.aspx                                hit: 0
    match http url /Admin/.*                                  hit: 0
    match http url /Host/.*                                   hit: 0
    match http url /PatientsAndVisitors/GiftShop.aspx         hit: 1
    match http url /PatientsAndVisitors/GiftShop/.*           hit: 0
    match http url /PatientsAndVisitors/PrayerRequest.aspx    hit: 1
    match http url /PatientsAndVisitors/PrayerRequest/.*      hit: 0
    match http url /PatientsAndVisitors/SendanEcard.aspx      hit: 0
    match http url /PatientsAndVisitors/SendanEcard/.*        hit: 0
    match http url /Donate.aspx                               hit: 1
    match http url /Donate/.*                                 hit: 1
    match http url /login.aspx                                hit: 0

This configuration doesn't work consistently.  As you can see by the hit counts, it does work.  Sometimes.

For example, if I go to the Donate.aspx page, it worked the first time and gave me 1 hit.  Then it seemed to work every time, but the hit count never increased.

I then cleared my IE history, cache and cookies and tried again.  Now the same Donate.aspx page is not redirecting at all.  I just get HTTP.

One other thing I just thought of is the sticky.  I have it configured to use the source address.

Could this cause any issues?  Should I not use a sticky in this case or maybe a different type?

Thanks.

Jason

Jason-

  Based on the thread - I would take a stab at guessing that you need persistence-rebalance configured under your HTTP parameter map.  Give that a shot and let me know how it goes.

If it doesn't work - grab a "show stat http" before and after testing so we can see if there are any obvious errors with HTTP compliance/parse length, etc.

Regards,

Chris

Jason > could you put all the dots describing absolute pages into brackets, as in what I posted before?

Christopher > I've always believed that when using L7 class-map related to http url / header analysis, persistence rebalance was enabled by default in the background regarding this particular class-map, at least this is what the doc of the ACE 4710 says.

Surya-

  That is true of the appliance from the very first version of code, however, different story on the module.  The default setting is off on the module.

You can issue "show parameter-map" on the CLI and check the output.

Regards,

Chris

OK, I didn't know it was different on the module.
