Hi Kanwal,

I have tried your solution today without any success.

The configuration are simple, but the result are always the same.

client browser---------https--------ACE-------http---------rserver

If the client use the URL: https://this.is.a.request.com/dir/

All will working fine. But if the user us the URL: https://this.is.a.request.com/dir <-- missing slash

The server response back to the client are: http://this.is.a.request.com/dir/ <-- respond via http not https

But the ACE are not configured to response to http.

I used also your recommendation, but without any success.

I have tried the function with “ssl url rewrite” but this solution did not work.

My I am absolutely wrong with my way, but you will find the configuration below, which I have configured. Probably you have a solution for me.

Regards,

Rene

probe http PROBE-GENERIC-HTTP

  description HTTP Probe for GEVER-UVEK-PR Servers

  port 80

  interval 20

  faildetect 2

  passdetect interval 25

  passdetect count 2

  receive 3

  request method get url /iisstart.htm

  expect status 200 200

!

rserver host SERVER-1

  description uvek-s6201-235 (GEVER-UVEK-PR)

  ip address 10.135.13.235

  inservice

rserver host SERVER-2

  description uvek-s6201-28 (GEVER-UVEK-PR)

  ip address 10.135.14.28

  inservice

rserver host SERVER-3

  description uvek-s6202-116 (GEVER-UVEK-PR)

  ip address 10.135.13.116

  inservice

!

serverfarm host GEVER-UVEK-PR-FARM

  predictor leastconns

  probe PROBE-GENERIC-HTTP

  rserver SERVER-1 80

    inservice

  rserver SERVER-2 80

    inservice

  rserver SERVER-3 80

!

parameter-map type generic GEVER-UVEK-SSLID-PARAMETER

  set max-parse-length 70

parameter-map type ssl SSL_CIPHERS

  cipher RSA_WITH_RC4_128_MD5

  cipher RSA_WITH_RC4_128_SHA

  cipher RSA_WITH_DES_CBC_SHA

  cipher RSA_WITH_AES_128_CBC_SHA

  cipher RSA_WITH_AES_256_CBC_SHA

!

sticky http-cookie ACE-UVEK-COOKIE GEVER-UVEK-PR-COOKIE

  cookie insert browser-expire

  serverfarm GEVER-UVEK-PR-FARM

!

action-list type modify http HTTP2HTTPS_REWRITE

  ssl url rewrite location "this\..*"

!

ssl-proxy service SSL-GEVER-UVEK-FRONTEND

  key gever.key

  cert gever.crt

  ssl advanced-options SSL_CIPHERS

!

class-map match-all VIP-GEVER-UVEK-PR

  2 match virtual-address a.b.c.67 tcp eq https

!

policy-map type loadbalance http first-match GEVER-UVEK-PR-HTTP-POLICY

  class ANY-CONTENT

    sticky-serverfarm GEVER-UVEK-PR-COOKIE

    action HTTP2HTTPS_REWRITE

!

policy-map multi-match CLIENT-VIPs

  class VIP-GEVER-UVEK-PR

    loadbalance vip inservice

    loadbalance policy GEVER-UVEK-PR-HTTP-POLICY

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 1583

    appl-parameter generic advanced-options GEVER-UVEK-SSLID-PARAMETER

    ssl-proxy server SSL-GEVER-UVEK-FRONTEND

interface vlan 1583

  description VLAN EVD-Prod (inside Produktion neues Segment)

  ip address 10.135.14.11 255.255.254.0

  alias 10.135.14.10 255.255.254.0

  peer ip address 10.135.14.12 255.255.254.0

  access-group input EVERYONE

  nat-pool 1 10.135.15.240 10.135.15.240 netmask 255.255.255.255 pat

  service-policy input REMOTE-MGMT

  no shutdown

interface vlan 1584

  description VLAN EVD-LB (outside)

  ip address a.b.c.74 255.255.255.0

  alias a.b.c.73 255.255.255.0

  peer ip address a.b.c.75 255.255.255.0

  access-group input EVERYONE

  service-policy input CLIENT-VIPs

  no shutdown

ip route 0.0.0.0 0.0.0.0 a.b.c.1

Hi Rene,

Try this one:

action-list type modify http REWRITE

  ssl url rewrite location .*

policy-map type loadbalance http first-match GEVER-UVEK-PR-HTTP-POLICY

  class ANY-CONTENT

    sticky-serverfarm GEVER-UVEK-PR-COOKIE

      action REWRITE

---------------------
Cesar R
ANS Team

Hi Cesar,

Thank you for your answer.

I tryed the wildcard entry also, without any success.

I have tried to figure out the difference between policy-map type loadbalance http first-match and policy-map type loadbalance first-match.

I used the example from Cisco for my implementation.

https://supportforums.cisco.com/docs/DOC-17073

The difference between the configurations are in the policy-map for L7-loadbalancing. I use "loadbalance http first-match" and the example from Cisco use "loadbalance first-match"

Any suggestion for me.

Regards,

Rene

Hi Kanwal,

I removed the parameter map from the policy-map multi-match.

After this the configuration work as desired.

Thank's for support and best regards,

Rene

Hi Rene,

You are most welcome. If you would like to use this parameter map you can increase the parse length upto 65535.

Regards,

Kanwal