2010
ACE SSL termination with url rewrite/redirect

edgarfc254
Level 1

Setting up SSL termination for groupwise web access.

1. Clients to connect to the VIP with either HTTP or HTTPS (webmail.xyz.net & xyzgwacc.xyz.net).

2. Both should be redirected to https://xyzgwacc.xyz.net/gw/webacc

3. Connections from ACE to servers are on port 80 (http)

Problem:

Failing to get a client connection pointing to xyzgwacc.xyz.net translated to https://xyzgwacc.xyz.net/gw/webacc

I have tried the redirection on the server itself, but that also changes the url displayed on the client side. Instead of xyzgwacc.xyz.net it shows the actual server.

Below is the sample config that I am using to try and make it work.

If client enters the full url (https://xyzgwacc.xyz.net/gw/webacc) it works but not https://xyzgwacc.xyz.net.

I cannot seem to make my url rewrite do what I want it to do. I hope someone can point me in the right direction.

---------------------------------------------------------------

crypto chaingroup WEBACC-THWART-INT
  cert thwart_intermediate.crt
  cert gw_imaps_certInt.crt

probe icmp PING
  interval 2
  passdetect interval 2
  passdetect count 1

rserver host S-NGW004
  ip address 10.10.10.4
  probe PING
  inservice

rserver host S-NGW005
  ip address 10.10.10.5
  probe PING
  inservice

serverfarm host GW-WA
  description GW web access test
  predictor hash address
  rserver S-NGW004 80
    inservice
  rserver S-NGW005 80
    inservice

action-list type modify http GWACC_urlrewrite
  header rewrite response location header-value "\r" replace "gw\/webacc"

ssl-proxy service SSL-PROXY-GW-WEBACC
  key gw_webacc_key.pem
  cert gw_webacc_certsvr.crt
  chaingroup WEBACC-THWART-INT

class-map match-all GW-WA-VIP
  2 match virtual-address 10.10.10.10 tcp eq https

policy-map type loadbalance http first-match SLB-GW-WA
  class class-default
    serverfarm GW-WA
    action GWACC_urlrewrite

policy-map multi-match CL-POL-GROUPWISE
  description Client facing Policy for GW WA/IMAP/SMTP
  class GW-WA-VIP
    loadbalance vip inservice
    loadbalance policy SLB-GW-WA
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY-GW-WEBACC

1 Accepted Solution


ACE supports only redirections (301 / 302).

URL rewrite is still not supported today.

7 Replies

Surya ARBY
Level 4

The example uses webhost redirection. I tried it before; the problem I heard with it was that the url displayed on the client had the server "address" instead of the VIP one.

The client should only be presented with the same address throughout (that of the VIP), regardless of the actual server he gets connected to.

ACE supports only redirections (301 / 302).

URL rewrite is still not supported today.

If I understand you well, does it mean an action-list of the form;

action-list type modify http urlrewrite

  header rewrite response location header-value "xyzgwacc\.xyz\.net" replace "xyzgwacc\.xyz\.net\/gw\/webacc"

will not work.

What are you trying to achieve? Is it L7 switching / URL rewriting or header rewriting?

Can you give us the full details of your architecture? Do you run HTTP virtual hosts?

I have two VMW servers providing Groupwise mail web access. To access one's mail, the browser should point at server1/gw/webacc or server2/gw/webacc through the ACE. The ACE should provide loadbalancing and ssl termination (only one certificate for the VIP on the ACE). The DNS entry of the VIP is, say, xyzgwacc.xyz.net.

What needs to be achieved is: if one points a browser to either http or https on xyzgwacc.xyz.net, it should automatically be taken to https://xyzgwacc.xyz.net/gw/webacc.

It should not be apparent to the user which server the user is connecting to.

Implementing loadbalancing using 'rserver host' addresses works in part, but falls short on appending the '/gw/webacc' to requests.

Using 'rserver redirect' falls short in that the actual server servicing the request appears in the client url.

What I need is a way that, if a client enters either webmail.xyz.net or xyzgwacc.xyz.net (without providing the full url, i.e. https://xyzgwacc.xyz.net/gw/webacc), they see the connection made to https://xyzgwacc.xyz.net/gw/webacc regardless of the server servicing the request.

It can work but there are restrictions.

If the real name of the webmail server appears in the client browser, this is because of one of two cases.

Case 1: the webmail application uses absolute (hardcoded) links instead of relative links.

The ACE doesn't support URL rewriting in the payload, so you have to work with the webmail vendor to move to relative links within the pages.

Case 2: there is a redirection in the webmail application (after a login screen usually). In that case you can use SSL redirect:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml

Anyway, that kind of issue is extremely difficult to troubleshoot without taking HTTP traces.
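As an added example (not from any post in this thread and not Cisco's documentation), the following ACE configuration shows the redirect-only approach the accepted answer points to: an `rserver redirect` whose Location header always names the VIP hostname, so the client never sees a real server name, with port 80 redirected entirely and port 443 redirected only when the request is not already on /gw/webacc. It reuses the VIP address, the serverfarm GW-WA, the class-map GW-WA-VIP and the ssl-proxy service from the original post; the object names REDIR-GW-WEBACC, SF-REDIR-GW-WEBACC, GW-WA-VIP-HTTP, WEBACC-PATH, SLB-GW-WA-REDIRECT and SLB-GW-WA-HTTPS are assumed, and the exact regex accepted by `match http url` should be checked against the ACE release in use.

```cisco
! Added example, not the original poster's config. Object names below are
! assumed; GW-WA, GW-WA-VIP and SSL-PROXY-GW-WEBACC come from the thread.

! 1. A redirect "server". The Location header carries the VIP hostname and
!    the full path, never a real server address, so the browser's URL bar
!    stays on xyzgwacc.xyz.net whichever server eventually answers.
rserver redirect REDIR-GW-WEBACC
  webhost-redirection https://xyzgwacc.xyz.net/gw/webacc 301
  inservice

serverfarm redirect SF-REDIR-GW-WEBACC
  rserver REDIR-GW-WEBACC
    inservice

! 2. Port 80 VIP: every cleartext request is answered with the 301.
class-map match-all GW-WA-VIP-HTTP
  2 match virtual-address 10.10.10.10 tcp eq www

policy-map type loadbalance first-match SLB-GW-WA-REDIRECT
  class class-default
    serverfarm SF-REDIR-GW-WEBACC

! 3. Port 443 VIP: requests already on /gw/webacc are load balanced to the
!    real servers; anything else (for example "/") is redirected. Ordering
!    matters: the path match must sit above class-default, otherwise a
!    client that already reached the right URL is redirected to it again
!    and loops. The regex form is an assumption for this example.
class-map type http loadbalance match-all WEBACC-PATH
  2 match http url /gw/webacc.*

policy-map type loadbalance first-match SLB-GW-WA-HTTPS
  class WEBACC-PATH
    serverfarm GW-WA
  class class-default
    serverfarm SF-REDIR-GW-WEBACC

! 4. Client-facing policy: both VIPs, SSL termination only on the 443 one.
policy-map multi-match CL-POL-GROUPWISE
  class GW-WA-VIP-HTTP
    loadbalance vip inservice
    loadbalance policy SLB-GW-WA-REDIRECT
    loadbalance vip icmp-reply
  class GW-WA-VIP
    loadbalance vip inservice
    loadbalance policy SLB-GW-WA-HTTPS
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY-GW-WEBACC
```

With this layout the original action-list GWACC_urlrewrite is no longer needed, since no header or payload rewriting is attempted on the ACE. What this example does not cover is the case 2 described in the last reply: if the Groupwise application itself answers with a Location header naming a real server, that header leaves the server untouched, and the fix is on the application side or through the SSL redirect configuration linked above, not through this redirect serverfarm.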