ACE URL Redirect

alleghieri
Level 1

Hello,

I am trying to redirect inbound connections from http://foo.com to http://foo.com/this/is/a/test 301.  The relevant portion of the redirect config is as follows:

rserver redirect RD_QA_ANONYMOUS_LOGIN
  description Redirect Inbound Connections to Anonymous Login Page
  webhost-redirection https://foo.com/this/is/a/test 301
  inservice

serverfarm redirect SF_QA_ANON_LOGIN
  description Redirect Inbound Connections to Anonymous Login Page
  rserver RD_QA_ANONYMOUS_LOGIN
    inservice

parameter-map type http REDIRECT
  description Redirect Inbound Connections to Anonymous Login Page
  case-insensitive
  persistence-rebalance

class-map match-any RD_PORTAL_QA_VIP_1
  description ***VIP for QA Customer Portal***
  2 match virtual-address 10.145.19.135 any

class-map type http loadbalance match-all RD_QA_ANON_01
  2 match http header Host header-value ".*foo.com/"

policy-map type loadbalance first-match LB_RD_EXTPORTAL_QA_1
  class RD_QA_ANON_01
    serverfarm SF_QA_ANON_LOGIN

policy-map multi-match EXT_TEST_POLICY
  class RD_PORTAL_QA_VIP_1
    loadbalance vip inservice
    loadbalance policy LB_RD_EXTPORTAL_QA_1
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options REDIRECT

Right now, the client is not receiving the redirect message, only a FIN.  I've tried several variations of the above config, with no success.  Any ideas?

Thanks,

Michael

Accepted Solutions

Kanwaljeet Singh
Cisco Employee

Hi Michael,

Are you redirecting from http://foo.com to http://foo.com/this/is/a/test or https? In the configuration you have https, but in the question you have mentioned http. If it is http to http, then the .*foo.com condition will match even after the redirection and it will be redirected again. It will be a loop.

Regards,

Kanwal

Hello Kanwal,

Good question. The answer is yes, both. The first goal was to enable redirection without SSL. After that was working, the next goal was to enable SSL. Working with TAC, we came up with the following config, which enabled the redirection with SSL. BTW: The SSL config was already in place. I am adding the SSL config for the sake of completeness. Also, we are re-writing headers in both directions:

crypto chaingroup CHAINGROUP
  cert ROOT
  cert WC_INTER_1
  cert WC_INTER_2

rserver redirect RD_REDIRECT_SERVICE
  webhost-redirection https://%h/this/is/a/test 301
  inservice

rserver host RS_REAL_SERVER_01
  ip address 10.10.10.10
  inservice

serverfarm host SF_REAL_SERVERFARM_01
  rserver RS_REAL_SERVER_01 1000
    inservice

serverfarm redirect SF_REDIRECT_SERVICE
  rserver RD_REDIRECT_SERVICE
    inservice

parameter-map type http REWRITE
  description Enable Header Rewrites
  persistence-rebalance
  header modify per-request

parameter-map type ssl SSL_TERMINATION
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA

sticky ip-netmask 255.255.255.0 address both STICKY_SERVERFARM_01
  timeout 600
  replicate sticky
  serverfarm SF_REAL_SERVERFARM_01

action-list type modify http MODIFY_HEADER_LIST
  header rewrite response location header-value "http://inside[.]foo[.]net(.*)" replace "https://outside.foo.com%1"
  header rewrite response location header-value "http://inside[.]foo[.]com(.*)" replace "https://outside.foo.com%1"
  header rewrite request Host header-value "outside\.foo\.com" replace "inside.foo.com"
  ssl url rewrite location "outside\.foo\.com%1"

ssl-proxy service SSL_WC_01
  key WC_KEY
  cert WC_CERT
  chaingroup CHAINGROUP
  ssl advanced-options SSL_TERMINATION

class-map match-any VIP_1
  2 match virtual-address 10.10.10.210 any

class-map type http loadbalance match-any LB_L7
  2 match http url /.*

class-map type http loadbalance match-all REDIRECT_01
  2 match http url /

policy-map type loadbalance first-match LB_POLICYMAP_1
  class REDIRECT_01
    serverfarm SF_REDIRECT_SERVICE
  class LB_L7
    sticky-serverfarm STICKY_SERVERFARM_01
    action MODIFY_HEADER_LIST

policy-map multi-match MM_POLICY
  class VIP_1
    loadbalance vip inservice
    loadbalance policy LB_POLICYMAP_1
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 60
    appl-parameter http advanced-options REWRITE
    ssl-proxy server SSL_WC_01

Hi Michael,

So everything is working now? The above configuration looks good.

Regards,

Kanwal

Yes, everything is working now. According to the TAC engineer, the root cause was not tying the redirect serverfarm to the real serverfarm in the loadbalancing policy map. That and the regex strings in the class map.

Another question for you: one of my biggest challenges in configuring the ACE is constructing a regex that works.  It usually takes many attempts to find just the right combination.  I've read the Cisco doc on ACE regular expressions, but it does not provide enough information or examples, and it seems that the ACE regex syntax is somewhat different from the normal Unix syntax.  Do you know of a good document that covers the ACE regex syntax thoroughly?

Thanks,

Michael

Hi Michael,

Regex have always been tricky. I don't have any document, but I use the tool "regex builder" and it comes in handy every now and then to construct as well as correct regex syntax.

Here's the link for download. There are other tools as well which you can use btw.

http://sourceforge.net/projects/regexbuilder/

Regards,

Kanwal

I've used a couple of those.  The tricky thing is that, while you might have a correct regex in regex builder, it won't necessarily work on the ACE. 

One thing I don't quite understand about the working config is why the "/" alone works as a match condition without resulting in a loop, while *foo.com/ created a loop.  Can you help with that?

Thanks,

MB

Hi Michael,

I don't have your complete configuration. But you have a good point. Why the loop will not happen is because of the below:

The client comes to VIP 10.10.10.210 on http with any URL, or in your case foo.com. It matches the class map VIP_1 as well as REDIRECT_01. The LB policy will come into action. Look at your policy map: you have the redirect class first. That should fulfill the condition and you should be redirected to https://foo.com. When the user comes with https://foo.com/this/is/a/test, he only satisfies /.* and not /, which tells it to go to a different serverfarm. That is the reason it works.

class-map match-any VIP_1
  2 match virtual-address 10.10.10.210 any

class-map type http loadbalance match-any LB_L7
  2 match http url /.*

class-map type http loadbalance match-all REDIRECT_01
  2 match http url /

Now in your case I just noticed that you have URL condition .*foo.com/ which actually doesn't match with foo.com, which might be the reason redirection wasn't working. The below conditions should work fine too. You just need to have the policy defined correctly.

class-map match-any RD_PORTAL_QA_VIP_1
  description ***VIP for QA Customer Portal***
  2 match virtual-address 10.145.19.135 any

class-map type http loadbalance match-all RD_QA_ANON_02
  2 match http header Host header-value ".*foo.com"

class-map type http loadbalance match-all RD_QA_ANON_01
  2 match http header Host header-value ".*foo.com/"

Hope this explains.

Regards,

Kanwal
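
The match behaviour discussed in this thread, as an added example that is not part of any poster's reply and is not ACE code: a small Python model of first-match policy evaluation across a redirect. It assumes, as the explanation above implies, that a pattern must cover the whole URL or Host value, and that the redirected request is evaluated by the same policy; the function and policy names are made up for the illustration.

```python
import re

# Constructed model of the class maps discussed in the thread; not ACE code.
# Assumption: a pattern must cover the whole value, hence re.fullmatch.

# Each policy is an ordered list of (field, pattern, action) entries.
WORKING = [("url", r"/", "redirect"),        # REDIRECT_01
           ("url", r"/.*", "serverfarm")]    # LB_L7
HOST_WITH_SLASH = [("host", r".*foo.com/", "redirect")]  # original class map
HOST_ONLY = [("host", r".*foo.com", "redirect")]         # slash removed

REQUEST = {"host": "foo.com", "url": "/"}    # constructed sample request
TARGET = "/this/is/a/test"                   # path the redirect points at


def first_match(policy, request):
    """Return the action of the first entry whose pattern matches."""
    for field, pattern, action in policy:
        if re.fullmatch(pattern, request[field]):
            return action
    return "no-match"


def follow(policy, request, target=TARGET, max_hops=5):
    """Re-submit the request after each redirect; return the actions seen."""
    trail = []
    for _ in range(max_hops):
        action = first_match(policy, request)
        trail.append(action)
        if action != "redirect":
            break
        # The Host header is unchanged after the redirect; only the path moves.
        request = dict(request, url=target)
    return trail


def loops(policy, request, max_hops=5):
    """True when every hop up to max_hops is another redirect."""
    return follow(policy, request, max_hops=max_hops) == ["redirect"] * max_hops


if __name__ == "__main__":
    for name, policy in [("WORKING", WORKING),
                         ("HOST_WITH_SLASH", HOST_WITH_SLASH),
                         ("HOST_ONLY", HOST_ONLY)]:
        print(name, follow(policy, REQUEST), loops(policy, REQUEST))
```

The URL-based policy terminates after one redirect because the target path no longer equals "/", while a Host-based condition sees the same header on every hop, so it either never matches or matches every time.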