01-29-2014 05:32 PM
Hello,
I am trying to redirect inbound connections from http://foo.com to http://foo.com/this/is/a/test 301. The relevant portion of the redirect config is as follows:
rserver redirect RD_QA_ANONYMOUS_LOGIN
  description Redirect Inbound Connections to Anonymous Login Page
  webhost-redirection https://foo.com/this/is/a/test 301
  inservice
serverfarm redirect SF_QA_ANON_LOGIN
  description Redirect Inbound Connections to Anonymous Login Page
  rserver RD_QA_ANONYMOUS_LOGIN
    inservice
parameter-map type http REDIRECT
  description Redirect Inbound Connections to Anonymous Login Page
  case-insensitive
  persistence-rebalance
class-map match-any RD_PORTAL_QA_VIP_1
  description ***VIP for QA Customer Portal***
  2 match virtual-address 10.145.19.135 any
class-map type http loadbalance match-all RD_QA_ANON_01
  2 match http header Host header-value ".*foo.com/"
policy-map type loadbalance first-match LB_RD_EXTPORTAL_QA_1
  class RD_QA_ANON_01
    serverfarm SF_QA_ANON_LOGIN
policy-map multi-match EXT_TEST_POLICY
  class RD_PORTAL_QA_VIP_1
    loadbalance vip inservice
    loadbalance policy LB_RD_EXTPORTAL_QA_1
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options REDIRECT
Right now, the client is not receiving the redirect message, only a FIN. I've tried several variations of the above config, with no success. Any ideas?
Thanks,
Michael
01-30-2014 06:01 AM
Hi Michael,
Are you redirecting from http://foo.com to http://foo.com/this/is/a/test or https? In the configuration you have https, but in the question you mentioned http. If it is http to http, then the .*foo.com condition will match even after the redirection and it will be redirected again. It will be a loop.
Regards,
Kanwal
01-30-2014 01:04 PM
Hello Kanwal,
Good question. The answer is yes, both. The first goal was to enable redirection without SSL. After that was working, the next goal was to enable SSL. Working with TAC, we came up with the following config, which enabled the redirection with SSL. BTW: The SSL config was already in place. I am adding the SSL config for the sake of completeness. Also, we are rewriting headers in both directions:
crypto chaingroup CHAINGROUP
  cert ROOT
  cert WC_INTER_1
  cert WC_INTER_2
rserver redirect RD_REDIRECT_SERVICE
  webhost-redirection https://%h/this/is/a/test 301
  inservice
rserver host RS_REAL_SERVER_01
  ip address 10.10.10.10
  inservice
serverfarm host SF_REAL_SERVERFARM_01
  rserver RS_REAL_SERVER_01 1000
    inservice
serverfarm redirect SF_REDIRECT_SERVICE
  rserver RD_REDIRECT_SERVICE
    inservice
parameter-map type http REWRITE
  description Enable Header Rewrites
  persistence-rebalance
  header modify per-request
parameter-map type ssl SSL_TERMINATION
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
sticky ip-netmask 255.255.255.0 address both STICKY_SERVERFARM_01
  timeout 600
  replicate sticky
  serverfarm SF_REAL_SERVERFARM_01
action-list type modify http MODIFY_HEADER_LIST
  header rewrite response location header-value "http://inside[.]foo[.]net(.*)" replace "https://outside.foo.com%1"
  header rewrite response location header-value "http://inside[.]foo[.]com(.*)" replace "https://outside.foo.com%1"
  header rewrite request Host header-value "outside\.foo\.com" replace "inside.foo.com"
  ssl url rewrite location "outside\.foo\.com%1"
ssl-proxy service SSL_WC_01
  key WC_KEY
  cert WC_CERT
  chaingroup CHAINGROUP
  ssl advanced-options SSL_TERMINATION
class-map match-any VIP_1
  2 match virtual-address 10.10.10.210 any
class-map type http loadbalance match-any LB_L7
  2 match http url /.*
class-map type http loadbalance match-all REDIRECT_01
  2 match http url /
policy-map type loadbalance first-match LB_POLICYMAP_1
  class REDIRECT_01
    serverfarm SF_REDIRECT_SERVICE
  class LB_L7
    sticky-serverfarm STICKY_SERVERFARM_01
    action MODIFY_HEADER_LIST
policy-map multi-match MM_POLICY
  class VIP_1
    loadbalance vip inservice
    loadbalance policy LB_POLICYMAP_1
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 60
    appl-parameter http advanced-options REWRITE
    ssl-proxy server SSL_WC_01
01-30-2014 01:11 PM
Hi Michael,
So everything is working now? The above configuration looks good.
Regards,
Kanwal
01-31-2014 08:20 AM
Yes, everything is working now. According to the TAC engineer, the root cause was not tying the redirect serverfarm to the real serverfarm in the loadbalancing policy map. That and the regex strings in the class map.
Another question for you: one of my biggest challenges in configuring the ACE is constructing a regex that works. It usually takes many attempts to find just the right combination. I've read the Cisco doc on ACE regular expressions, but it does not provide enough information or examples, and it seems that the ACE regex syntax is somewhat different from the normal Unix syntax. Do you know of a good document that covers the ACE regex syntax thoroughly?
Thanks,
Michael
01-31-2014 08:46 AM
Hi Michael,
Regexes have always been tricky. I don't have any document, but I use the tool "regex builder" and it comes in handy every now and then to construct as well as correct regex syntax.
Here's the link for download. There are other tools as well which you can use btw.
http://sourceforge.net/projects/regexbuilder/
Regards,
Kanwal
01-31-2014 09:11 AM
I've used a couple of those. The tricky thing is that, while you might have a correct regex in regex builder, it won't necessarily work on the ACE.
One thing I don't quite understand about the working config is why the "/" alone works as a match condition without resulting in a loop, while *foo.com/ created a loop. Can you help with that?
Thanks,
MB
01-31-2014 10:54 AM
Hi Michael,
I don't have your complete configuration. But you have a good point. Why the loop will not happen is because of the below:
The client comes to VIP 10.10.10.210 on http with any URL, or in your case foo.com. It matches the class map VIP_1 as well as REDIRECT_01. The LB policy will come into action. Look at your policy map: you have the redirect class first. That should fulfill the condition and you should be redirected to https://foo.com. When the user comes with https://foo.com/this/is/a/test, he only satisfies /.* and not /, which tells it to go to a different serverfarm. That is the reason it works.
class-map match-any VIP_1
  2 match virtual-address 10.10.10.210 any
class-map type http loadbalance match-any LB_L7
  2 match http url /.*
class-map type http loadbalance match-all REDIRECT_01
  2 match http url /
Now in your case I just noticed that you have the URL condition .*foo.com/, which actually doesn't match foo.com, which might be the reason redirection wasn't working. The conditions below should work fine too. You just need to have the policy defined correctly.
class-map match-any RD_PORTAL_QA_VIP_1
  description ***VIP for QA Customer Portal***
  2 match virtual-address 10.145.19.135 any
class-map type http loadbalance match-all RD_QA_ANON_02
  2 match http header Host header-value ".*foo.com"
class-map type http loadbalance match-all RD_QA_ANON_01
  2 match http header Host header-value ".*foo.com/"
Hope this explains.
Regards,
Kanwal
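The first-match reasoning in the reply above, as an added example that is not part of the original thread and is not ACE code: a small Python model of the three policies discussed. It assumes an expression must match the whole Host or URL value and that %h expands to the request's Host header; HOST_ONLY is a constructed http-to-http variant of the loop case raised earlier in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed models of the thread's policies: (class, field, regex, action, arg).
# Assumption: an expression must match the whole field value (re.fullmatch),
# which is how the reply explains "/" versus "/.*".
FIRST_TRY = [("RD_QA_ANON_01", "host", r".*foo.com/", "redirect",
              "https://foo.com/this/is/a/test")]
HOST_ONLY = [("RD_QA_ANON_02", "host", r".*foo.com", "redirect",
              "http://foo.com/this/is/a/test")]
WORKING = [("REDIRECT_01", "url", r"/", "redirect", "https://%h/this/is/a/test"),
           ("LB_L7", "url", r"/.*", "serverfarm", "STICKY_SERVERFARM_01")]


def first_match(policy, host, url):
    """Return (class, action, arg) of the first class that matches, else None."""
    request = {"host": host, "url": url}
    for name, field, regex, action, arg in policy:
        if re.fullmatch(regex, request[field]):
            return name, action, arg
    return None


def follow(policy, host, url, max_hops=10):
    """Follow redirects as a client would; return (outcome, detail, redirects)."""
    seen = {(host, url)}
    for hops in range(max_hops):
        hit = first_match(policy, host, url)
        if hit is None:
            return "no-match", None, hops          # no class matched: no redirect sent
        name, action, arg = hit
        if action == "serverfarm":
            return "served", arg, hops             # request reaches a real serverfarm
        target = urlsplit(arg.replace("%h", host))  # %h modelled as the Host header
        host, url = target.netloc, target.path or "/"
        if (host, url) in seen:
            return "loop", name, hops + 1          # redirect points at a request already made
        seen.add((host, url))
    return "loop", None, max_hops


if __name__ == "__main__":
    for label, policy in (("first try", FIRST_TRY), ("host only", HOST_ONLY),
                          ("working", WORKING)):
        print(label, follow(policy, "foo.com", "/"))
```

The unescaped dot in ".*foo.com" also matches hosts such as "fooXcom", which is why the working config's header rewrites use "[.]" and "\.".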