ACE URI Rewrite

KURT HILLIG
Beginner

We've got an application that broke after upgrading our ACEs from A5(2.1) to A5(2.2); the problem lies in how the ACE handles URLs with embedded backslash characters in them - e.g.:

https://servicename.umich.edu/give/page.aspx?pid=371&s-Tags\Value=x

Prior to the upgrade the ACE would forward these to the back-end servers; after the upgrade the ACE resets the client connection.

(We're doing SSL offload on the ACE; the back-end connection is HTTP over port 80, only the client-side traffic is over SSL.)

Some browsers will convert these to percent-encoded form - i.e.

https://servicename.umich.edu/give/page.aspx?pid=371&s-Tags%5CValue=x

and things work for these; but other browsers won't do this.  So I'd like to set up a rewrite rule in the ACE that will replace any (or at least the first) '\' with the string '%5C'.  Just how to do this isn't clear from the command ref, and the config guide is a tad shy on similar examples.

Is this possible?  If so, can anyone help with the appropriate rule?

1 Reply

KURT HILLIG
Beginner

The answer is "no" - a rewrite rule won't work.

According to RFC 3986 the '\' character is not permitted in URIs; Cisco updated the URI parser in 5.2.2 to be fully (or, at least, closer to fully) compliant with this RFC (bug CSCud39381).

To revert to non-strict URI parsing, we had to create a parameter map:

parameter-map type http NONSTRICT-PARSING
  parsing non-strict

and apply this to the appropriate class in the interface policy map:

policy-map multi-match global
  class BROKEN-APPLICATION-CLASS
    loadbalance policy BROKEN-APPLICATION-POLICY
    appl-parameter http advanced-options NONSTRICT-PARSING
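
As an added example (not part of the original post, and not Cisco code): a Python check that flags characters RFC 3986 does not permit in a URI, such as the '\' in the URL above, and percent-encodes only those, so links an application generates can be checked before they reach a strict parser. It tests the character set only, not the full URI grammar; the function names are illustrative.

```python
import re

# RFC 3986 character classes: unreserved, gen-delims, sub-delims.
UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
GEN_DELIMS = ":/?#[]@"
SUB_DELIMS = "!$&'()*+,;="
ALLOWED = frozenset(UNRESERVED + GEN_DELIMS + SUB_DELIMS)
PCT_TRIPLET = re.compile(r"%[0-9A-Fa-f]{2}")

# URL taken from the post above; the second entry is a constructed sample.
SAMPLES = [
    "https://servicename.umich.edu/give/page.aspx?pid=371&s-Tags\\Value=x",
    "/search?q=a b&pct=100%",
]


def scan(uri):
    """Return [(offset, char)] for every character RFC 3986 does not permit."""
    bad = []
    i = 0
    while i < len(uri):
        ch = uri[i]
        if ch == "%":
            if PCT_TRIPLET.match(uri, i):
                i += 3               # well-formed percent-encoded octet
                continue
            bad.append((i, ch))      # '%' not followed by two hex digits
        elif ch not in ALLOWED:
            bad.append((i, ch))      # e.g. backslash, space, non-ASCII
        i += 1
    return bad


def percent_encode_illegal(uri):
    """Percent-encode only the offending characters; leave the rest untouched."""
    bad_offsets = {offset for offset, _ in scan(uri)}
    out = []
    for i, ch in enumerate(uri):
        if i in bad_offsets:
            out.append("".join("%%%02X" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for uri in SAMPLES:
        print(scan(uri), "->", percent_encode_illegal(uri))
```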
