11-21-2012 03:37 AM
Hi all,
I have an issue with an ACE configuration which terminates HTTPS traffic and load balances the client requests to the real servers.
Everything is working fine, with one exception. If the client requests the URL "https://www.myservice.com/content/", the connection works perfectly.
If the request is "https://www.myservice.com/content" (missing slash at the end), the real servers send a redirect back to the client.
The redirect is "http://www.myservice.com/content/".
How can I handle this request so that the client gets https and not http?
Any suggestions are welcome.
Regards,
Rene
11-21-2012 05:04 AM
Hi,
You can modify the location header for 301/302 redirects on ACE using action-lists.
  header rewrite {request | response | both} header_name header-value expression replace pattern
Example:
  header rewrite response location header-value "(.*)http://abc[.]com(.*)" replace "%1https://abc.com%2"
Let me know if that works for you.
Regards,
Kanwal
11-23-2012 05:50 AM
Hi Kanwal,
I have tried your solution today without any success.
The configuration is simple, but the result is always the same.
client browser---------https--------ACE-------http---------rserver
If the client uses the URL: https://this.is.a.request.com/dir/
everything works fine. But if the user uses the URL: https://this.is.a.request.com/dir <-- missing slash
the server response back to the client is: http://this.is.a.request.com/dir/ <-- responds via http, not https
But the ACE is not configured to respond to http.
I also used your recommendation, but without any success.
I have tried the function with "ssl url rewrite" but this solution did not work.
Maybe I am completely wrong in my approach, but you will find below the configuration that I have set up. Perhaps you have a solution for me.
Regards,
Rene
probe http PROBE-GENERIC-HTTP
  description HTTP Probe for GEVER-UVEK-PR Servers
  port 80
  interval 20
  faildetect 2
  passdetect interval 25
  passdetect count 2
  receive 3
  request method get url /iisstart.htm
  expect status 200 200
!
rserver host SERVER-1
  description uvek-s6201-235 (GEVER-UVEK-PR)
  ip address 10.135.13.235
  inservice
rserver host SERVER-2
  description uvek-s6201-28 (GEVER-UVEK-PR)
  ip address 10.135.14.28
  inservice
rserver host SERVER-3
  description uvek-s6202-116 (GEVER-UVEK-PR)
  ip address 10.135.13.116
  inservice
!
serverfarm host GEVER-UVEK-PR-FARM
  predictor leastconns
  probe PROBE-GENERIC-HTTP
  rserver SERVER-1 80
    inservice
  rserver SERVER-2 80
    inservice
  rserver SERVER-3 80
!
parameter-map type generic GEVER-UVEK-SSLID-PARAMETER
  set max-parse-length 70
parameter-map type ssl SSL_CIPHERS
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
!
sticky http-cookie ACE-UVEK-COOKIE GEVER-UVEK-PR-COOKIE
  cookie insert browser-expire
  serverfarm GEVER-UVEK-PR-FARM
!
action-list type modify http HTTP2HTTPS_REWRITE
  ssl url rewrite location "this\..*"
!
ssl-proxy service SSL-GEVER-UVEK-FRONTEND
  key gever.key
  cert gever.crt
  ssl advanced-options SSL_CIPHERS
!
class-map match-all VIP-GEVER-UVEK-PR
  2 match virtual-address a.b.c.67 tcp eq https
!
policy-map type loadbalance http first-match GEVER-UVEK-PR-HTTP-POLICY
  class ANY-CONTENT
    sticky-serverfarm GEVER-UVEK-PR-COOKIE
    action HTTP2HTTPS_REWRITE
!
policy-map multi-match CLIENT-VIPs
  class VIP-GEVER-UVEK-PR
    loadbalance vip inservice
    loadbalance policy GEVER-UVEK-PR-HTTP-POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1583
    appl-parameter generic advanced-options GEVER-UVEK-SSLID-PARAMETER
    ssl-proxy server SSL-GEVER-UVEK-FRONTEND
!
interface vlan 1583
  description VLAN EVD-Prod (inside Produktion neues Segment)
  ip address 10.135.14.11 255.255.254.0
  alias 10.135.14.10 255.255.254.0
  peer ip address 10.135.14.12 255.255.254.0
  access-group input EVERYONE
  nat-pool 1 10.135.15.240 10.135.15.240 netmask 255.255.255.255 pat
  service-policy input REMOTE-MGMT
  no shutdown
interface vlan 1584
  description VLAN EVD-LB (outside)
  ip address a.b.c.74 255.255.255.0
  alias a.b.c.73 255.255.255.0
  peer ip address a.b.c.75 255.255.255.0
  access-group input EVERYONE
  service-policy input CLIENT-VIPs
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 a.b.c.1
11-23-2012 02:18 PM
Hi Rene,
Try this one:
action-list type modify http REWRITE
  ssl url rewrite location .*
!
policy-map type loadbalance http first-match GEVER-UVEK-PR-HTTP-POLICY
  class ANY-CONTENT
    sticky-serverfarm GEVER-UVEK-PR-COOKIE
    action REWRITE
---------------------
Cesar R
ANS Team
11-23-2012 03:02 PM
Hi Cesar,
Thank you for your answer.
I tried the wildcard entry too, without any success.
I have tried to figure out the difference between "policy-map type loadbalance http first-match" and "policy-map type loadbalance first-match".
I used the example from Cisco for my implementation.
https://supportforums.cisco.com/docs/DOC-17073
The difference between the configurations is in the policy-map for L7 load balancing. I use "loadbalance http first-match" and the example from Cisco uses "loadbalance first-match".
Any suggestion for me?
Regards,
Rene
11-23-2012 11:21 PM
Hi Rene,
Everything looks good. Can you remove this parameter map and try again?
  appl-parameter generic advanced-options GEVER-UVEK-SSLID-PARAMETER
Regards,
Kanwal
11-26-2012 04:08 AM
Hi Kanwal,
I removed the parameter map from the policy-map multi-match.
After this the configuration work as desired.
Thanks for the support and best regards,
Rene
11-26-2012 06:40 AM
Hi Rene,
You are most welcome. If you would like to use this parameter map you can increase the parse length up to 65535.
Regards,
Kanwal
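As an added illustration of the three mechanisms this thread turns on (it is not ACE code and not from any poster above), the following Python models Kanwal's "header rewrite" with %N capture references, Cesar's "ssl url rewrite location" hostname match, and the effect of a generic parameter map with a small "set max-parse-length" on a backend 301 redirect. The helper names, the constructed backend response and the parse-length model (only the first N bytes of the response are examined, and an unterminated header line is discarded) are assumptions made for the demo.

```python
import re

# Added example: a Python model of the ACE features discussed in this
# thread. Helper names, the constructed backend response and the
# parse-length model are assumptions for the demo, not ACE code.


def ace_header_rewrite(value, expression, pattern):
    """Model 'header rewrite ... header-value <expression> replace <pattern>'.

    ACE writes capture references as %1, %2, ...; Python's re uses \\1, \\2.
    The value is returned unchanged when the expression does not match.
    """
    py_pattern = re.sub(r"%(\d+)", r"\\\1", pattern)
    new_value, count = re.subn(expression, py_pattern, value, count=1)
    return new_value if count else value


def ace_ssl_url_rewrite(location, host_expression, clearport=80, sslport=443):
    """Model 'ssl url rewrite location <expression> [clearport N] [sslport M]'.

    A Location header of the form http://<host>[:clearport]/... becomes
    https://<host>[:sslport]/... when <host> matches host_expression.
    """
    m = re.match(r"http://([^/:]+)(?::(\d+))?(.*)", location, re.IGNORECASE)
    if not m:
        return location                     # not an http:// redirect
    host, port, rest = m.group(1), m.group(2), m.group(3)
    if not re.fullmatch(host_expression, host):
        return location                     # hostname not covered by the rule
    if port is not None and int(port) != clearport:
        return location                     # some other clear-text port
    port_part = "" if sslport == 443 else f":{sslport}"
    return f"https://{host}{port_part}{rest}"


def parse_response_headers(raw, max_parse_length=None):
    """Minimal HTTP/1.x response header parser.

    max_parse_length models the parameter-map 'set max-parse-length N':
    only the first N bytes are examined (assumed behaviour for this demo),
    so a header line that is cut off or lies beyond N is never seen.
    """
    data = raw if max_parse_length is None else raw[:max_parse_length]
    complete = "\r\n\r\n" in data
    lines = data.split("\r\n\r\n", 1)[0].split("\r\n")
    if not complete:
        lines = lines[:-1]                  # last line is truncated: drop it
    status = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return status, headers


def offload_proxy_response(backend_raw, max_parse_length=None):
    """What the ACE hands back to the HTTPS client for a backend response,
    with Cesar's 'ssl url rewrite location .*' applied to Location."""
    status, headers = parse_response_headers(backend_raw, max_parse_length)
    if "location" in headers:
        headers["location"] = ace_ssl_url_rewrite(headers["location"], ".*")
    return status, headers


# Constructed backend reply for GET /dir (no trailing slash): the real
# server only speaks http, so its redirect points at http://.
BACKEND_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Location: http://this.is.a.request.com/dir/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


if __name__ == "__main__":
    print(ace_header_rewrite("http://abc.com/content/",
                             "(.*)http://abc[.]com(.*)", "%1https://abc.com%2"))
    print(ace_ssl_url_rewrite("http://this.is.a.request.com/dir/", r"this\..*"))
    for limit in (None, 70):
        status, hdrs = offload_proxy_response(BACKEND_REDIRECT, limit)
        print(f"max-parse-length={limit}: {status} Location={hdrs.get('location')}")
```

Running the block shows that both Rene's "this\..*" and Cesar's ".*" hostname expressions match the redirect, so the rewrite rule itself was never the problem; with the 70-byte cap the Location header sits past the examined bytes, the parser never sees it, and the client receives the backend's http:// redirect unchanged, which is the symptom in the thread.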