11-21-2012 03:37 AM
Hi all,
I have an issue with an ACE configuration which terminates HTTPS traffic and load-balances the client requests to the real servers.
All is working fine, with one exception. If the client requests the URL "https://www.myservice.com/content/", the connection works perfectly.
If the request is "https://www.myservice.com/content" (missing slash at the end), the real servers send a redirect back to the client.
The redirect is "http://www.myservice.com/content/".
How can I absorb the request so that it gets https and not http?
Any suggestions are welcome.
Regards,
Rene
11-21-2012 05:04 AM
Hi,
You can modify the location header for 301/302 redirects on ACE using action-lists.
header rewrite {request | response | both} header_name header-value expression replace pattern
Example:
header rewrite response location header-value "http://abc[.]com(.*)" replace "https://abc.com%1"
Let me know if that works for you.
Regards,
Kanwal
11-23-2012 05:50 AM
Hi Kanwal,
I tried your solution today without any success.
The configuration is simple, but the result is always the same.
client browser---------https--------ACE-------http---------rserver
If the client uses the URL: https://this.is.a.request.com/dir/
all works fine. But if the user uses the URL: https://this.is.a.request.com/dir <-- missing slash
the server's response back to the client is: http://this.is.a.request.com/dir/ <-- responds via http, not https
But the ACE is not configured to respond to http.
I also used your recommendation, but without any success.
I have tried the function with "ssl url rewrite", but this solution did not work.
Maybe I am absolutely wrong in my approach, but below you will find the configuration which I have configured. Perhaps you have a solution for me.
Regards,
Rene
probe http PROBE-GENERIC-HTTP
  description HTTP Probe for GEVER-UVEK-PR Servers
  port 80
  interval 20
  faildetect 2
  passdetect interval 25
  passdetect count 2
  receive 3
  request method get url /iisstart.htm
  expect status 200 200
!
rserver host SERVER-1
  description uvek-s6201-235 (GEVER-UVEK-PR)
  ip address 10.135.13.235
  inservice
rserver host SERVER-2
  description uvek-s6201-28 (GEVER-UVEK-PR)
  ip address 10.135.14.28
  inservice
rserver host SERVER-3
  description uvek-s6202-116 (GEVER-UVEK-PR)
  ip address 10.135.13.116
  inservice
!
serverfarm host GEVER-UVEK-PR-FARM
  predictor leastconns
  probe PROBE-GENERIC-HTTP
  rserver SERVER-1 80
    inservice
  rserver SERVER-2 80
    inservice
  rserver SERVER-3 80
!
parameter-map type generic GEVER-UVEK-SSLID-PARAMETER
  set max-parse-length 70
parameter-map type ssl SSL_CIPHERS
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
!
sticky http-cookie ACE-UVEK-COOKIE GEVER-UVEK-PR-COOKIE
  cookie insert browser-expire
  serverfarm GEVER-UVEK-PR-FARM
!
action-list type modify http HTTP2HTTPS_REWRITE
  ssl url rewrite location "this\..*"
!
ssl-proxy service SSL-GEVER-UVEK-FRONTEND
  key gever.key
  cert gever.crt
  ssl advanced-options SSL_CIPHERS
!
class-map match-all VIP-GEVER-UVEK-PR
  2 match virtual-address a.b.c.67 tcp eq https
!
policy-map type loadbalance http first-match GEVER-UVEK-PR-HTTP-POLICY
  class ANY-CONTENT
    sticky-serverfarm GEVER-UVEK-PR-COOKIE
    action HTTP2HTTPS_REWRITE
!
policy-map multi-match CLIENT-VIPs
  class VIP-GEVER-UVEK-PR
    loadbalance vip inservice
    loadbalance policy GEVER-UVEK-PR-HTTP-POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1583
    appl-parameter generic advanced-options GEVER-UVEK-SSLID-PARAMETER
    ssl-proxy server SSL-GEVER-UVEK-FRONTEND
interface vlan 1583
  description VLAN EVD-Prod (inside Produktion neues Segment)
  ip address 10.135.14.11 255.255.254.0
  alias 10.135.14.10 255.255.254.0
  peer ip address 10.135.14.12 255.255.254.0
  access-group input EVERYONE
  nat-pool 1 10.135.15.240 10.135.15.240 netmask 255.255.255.255 pat
  service-policy input REMOTE-MGMT
  no shutdown
interface vlan 1584
  description VLAN EVD-LB (outside)
  ip address a.b.c.74 255.255.255.0
  alias a.b.c.73 255.255.255.0
  peer ip address a.b.c.75 255.255.255.0
  access-group input EVERYONE
  service-policy input CLIENT-VIPs
  no shutdown
ip route 0.0.0.0 0.0.0.0 a.b.c.1
11-23-2012 02:18 PM
Hi Rene,
Try this one:
action-list type modify http REWRITE
  ssl url rewrite location .*
policy-map type loadbalance http first-match GEVER-UVEK-PR-HTTP-POLICY
  class ANY-CONTENT
    sticky-serverfarm GEVER-UVEK-PR-COOKIE
    action REWRITE
---------------------
Cesar R
ANS Team
11-23-2012 03:02 PM
Hi Cesar,
Thank you for your answer.
I tried the wildcard entry also, without any success.
I have tried to figure out the difference between "policy-map type loadbalance http first-match" and "policy-map type loadbalance first-match".
I used the example from Cisco for my implementation.
https://supportforums.cisco.com/docs/DOC-17073
The difference between the configurations is in the policy-map for L7 load balancing. I use "loadbalance http first-match" and the example from Cisco uses "loadbalance first-match".
Any suggestions for me?
Regards,
Rene
11-23-2012 11:21 PM
Hi Rene,
Everything looks good. Can you remove this parameter map and try again?
appl-parameter generic advanced-options GEVER-UVEK-SSLID-PARAMETER
Regards,
Kanwal
11-26-2012 04:08 AM
Hi Kanwal,
I removed the parameter map from the policy-map multi-match.
After this the configuration works as desired.
Thanks for the support and best regards,
Rene
11-26-2012 06:40 AM
Hi Rene,
You are most welcome. If you would like to use this parameter map, you can increase the parse length up to 65535.
Regards,
Kanwal
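
Added example, not part of any post in this thread and not Cisco code: a simplified Python model of the Location rewrite discussed above, run over constructed responses, to show which redirects still send an HTTPS client to clear-text HTTP after the rewrite. The function names, the `partner.example` host and the default ports 80/443 are assumptions of the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

def rewrite_location(status, location, host_regex, clearport=80, sslport=443):
    """Simplified model of a Location rewrite on an SSL-offloading proxy."""
    if status not in (301, 302) or not location:
        return location
    parts = urlsplit(location)
    if parts.scheme.lower() != "http" or parts.hostname is None:
        return location  # relative or already-HTTPS redirect: nothing to fix
    if (parts.port or 80) != clearport:
        return location  # not the clear-text port the proxy fronts
    if not re.fullmatch(host_regex, parts.hostname):
        return location  # host expression does not match: left untouched
    netloc = parts.hostname if sslport == 443 else f"{parts.hostname}:{sslport}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def is_downgrade(request_url, status, location):
    """True when an HTTPS request is answered with a redirect to plain HTTP."""
    return (urlsplit(request_url).scheme == "https"
            and 300 <= status < 400
            and urlsplit(location or "").scheme.lower() == "http")

# Constructed samples: (client request, status, Location sent by the real server)
SAMPLES = [
    ("https://www.myservice.com/content", 302, "http://www.myservice.com/content/"),
    ("https://this.is.a.request.com/dir", 302, "http://this.is.a.request.com/dir/"),
    ("https://this.is.a.request.com/dir/", 200, None),
    ("https://this.is.a.request.com/old", 301, "/new/"),
    ("https://this.is.a.request.com/out", 302, "http://partner.example/landing"),
]

def audit(samples, host_regex):
    """Return (request, before, after, still_downgraded) for every redirect."""
    report = []
    for url, status, loc in samples:
        if loc is None:
            continue
        fixed = rewrite_location(status, loc, host_regex)
        report.append((url, loc, fixed, is_downgrade(url, status, fixed)))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLES, r"(www\.myservice\.com|this\..*)"):
        print(row)
```

A row whose last field is True is a redirect that still leaves HTTPS; in the samples that is the one to a host the expression does not match.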
