ACE with https redirect

gaboughanem
Level 1

Hello,

I have an ACE 4710 appliance that terminates SSL; the connection to the servers is HTTP.

The ACE (one-armed) is load balancing between two web servers and I am using stickiness, based on a cookie, in order to keep the connection on the same server.

I can access the website either by HTTP or HTTPS. On the web page there is a login prompt asking for a username and password.

When I access the website using HTTPS everything works fine and I can log in to my account in HTTPS mode.

When I access the website through HTTP and log in to my account, the URL is redirected to HTTPS. This is normal because I am using an action-list to rewrite HTTP into HTTPS. But when I exit the browser and access the website again using HTTP, it is not redirected to HTTPS (although I see that I am still logged in to my account; I can see all the information in my account).

Maybe I am missing something or do not fully understand. The customer wants the connection to be HTTPS even when I exit the browser and access the website again (within a short time, before the cookie expires).

Has anyone encountered this problem before?

Thank you in advance.

Regards,

3 Replies

venkatkr
Cisco Employee

I suggest opening a TAC case. You need to get a sniffer trace to see what is going on. I suspect the browser is caching the request. You can verify using a Wireshark trace or HttpWatch.

Also, can you share the config so we can understand how it's configured?

Thanks

VK

Hi VK,

Here is the config:

ACE# sh run
Generating configuration....


resource-class mmm
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 50.00 maximum unlimited

boot system image:c4710ace-mz.A3_2_0.bin

peer hostname ACE2
hostname ACE-Justice-1
interface gigabitEthernet 1/1
  channel-group 1
  no shutdown
interface gigabitEthernet 1/2
  channel-group 1
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  description Ft-Interface
  ft-port vlan 49
  no shutdown
interface port-channel 1
  description DATA-Link
  switchport access vlan 6
  no shutdown


crypto chaingroup ChaonGroupmmm
  cert 1.pem
  cert 2.pem
  cert 3.pem
context Admin
  member mmm

access-list ALL line 10 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
access-list input1 line 10 extended permit tcp any host 192.168.11.82
access-list input1 line 11 extended permit tcp any host 192.168.11.84
access-list input1 line 12 extended permit tcp any host 192.168.11.85
access-list input1 line 13 extended permit tcp any host 192.168.11.140
access-list input1 line 14 extended permit tcp any host 192.168.11.141


ip domain-name mydomain.com
ip name-server 172.16.40.111

probe snmp PROBE_SNMP
  interval 15
  passdetect interval 60
  version 2c
  community public
  oid .1.3.6.1.4.1.311.1.1.3.1.1.2.1.6
    type absolute max 65535
    threshold 65300
    weight 10000
  oid .1.3.6.1.4.1.311.1.1.3.1.1.2.1.8
    type absolute max 65535
    threshold 65300
    weight 10000
  oid .1.3.6.1.4.1.311.1.1.3.1.1.1.1
    type absolute max 65535
    threshold 65300
    weight 10000
  oid .1.3.6.1.4.1.311.1.1.3.1.1.1.10
    type absolute max 65535
    threshold 65300
    weight 10000
probe icmp Rservers_health
  interval 15
  passdetect interval 60
probe tcp WEB-pool-health
  interval 15
  passdetect interval 60
  open 1
probe http url
  interval 5
  passdetect interval 10
  passdetect count 2
  request method get url http://192.168.11.140/autoforms/view/system/probe
  expect status 200 200
  open 1

parameter-map type ssl PARAMMAP_SSL_TERMINATION
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
parameter-map type connection TCP_PARAM
  syn-data drop
  exceed-mss allow

rserver host WEB-1
  ip address 192.168.11.80
  conn-limit max 4000000 min 4000000
  inservice
rserver host WEB-2
  ip address 192.168.11.81
  conn-limit max 4000000 min 4000000
  inservice

action-list type modify http urlrewrite
  ssl url rewrite location "www\.mydomain\.com"

serverfarm host WEB-Farm
  predictor least-loaded probe PROBE_SNMP
  probe PROBE_SNMP
  probe url
  rserver WEB-1 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver WEB-2 80
    conn-limit max 4000000 min 4000000
    inservice

ssl-proxy service SSL_PROXY
  key key.pem
  cert certificate.pem
  chaingroup ChaonGroupmmm
  ssl advanced-options PARAMMAP_SSL_TERMINATION

sticky ip-netmask 255.255.255.255 address source sticky-WEB
  timeout 900
  replicate sticky
  serverfarm WEB-Farm
sticky http-cookie mmm-SSL-PROXY COOKIE-STICKY
  cookie insert browser-expire
  timeout 60
  replicate sticky
  serverfarm WEB-Farm

class-map match-any CLASS-WEB
  2 match virtual-address 192.168.11.140 tcp eq https
class-map match-any CLASS-WEB2
  2 match virtual-address 192.168.11.140 tcp eq www
class-map type http loadbalance match-all L7_SERVER_CLASS
  description Sticky for SSL_T
  2 match http url .*.jpg
  3 match source-address 192.168.11.0 255.255.255.0
class-map type http loadbalance match-all L7_SLB-HTTP_CLASS
  2 match http url .*
  3 match source-address 192.168.11.0 255.255.255.0
class-map type management match-any REMOTE_ACCESS
  description remote access
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol https any
  7 match protocol snmp any

policy-map type management first-match Management_Policy
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match L7_SSL-TERM_POLICY
  class class-default
    sticky-serverfarm COOKIE-STICKY
    action urlrewrite
    insert-http X-Forwarded-Scheme header-value "%is"
    insert-http X-Forwarded-For header-value "%is"
policy-map type loadbalance first-match WEB2
  match auth http url /auth/
    sticky-serverfarm COOKIE-STICKY
    action urlrewrite
    insert-http X-Forwarded-For header-value "%is"
  class class-default
    sticky-serverfarm COOKIE-STICKY
    action urlrewrite
    insert-http X-Forwarded-Scheme header-value "%is"
    insert-http X-Forwarded-For header-value "%is"

policy-map multi-match L4-VIP_POLICY
  class CLASS-WEB2
    loadbalance vip inservice
    loadbalance policy WEB2
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 6
    connection advanced-options TCP_PARAM
policy-map multi-match L4_SSL-VIP_POLICY
  class CLASS-WEB
    loadbalance vip inservice
    loadbalance policy L7_SSL-TERM_POLICY
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 6
    ssl-proxy server SSL_PROXY
    connection advanced-options TCP_PARAM

interface vlan 6
  ip address 192.168.11.84 255.255.255.0
  alias 192.168.11.82 255.255.255.0
  peer ip address 192.168.11.85 255.255.255.0
  no normalization
  no icmp-guard
  access-group input input1
  nat-pool 1 192.168.11.140 192.168.11.140 netmask 255.255.255.255 pat
  service-policy input Management_Policy
  service-policy input L4_SSL-VIP_POLICY
  service-policy input L4-VIP_POLICY
  no shutdown

ft interface vlan 49
  ip address 172.16.49.1 255.255.255.252
  peer ip address 172.16.49.2 255.255.255.252
  no shutdown

ft peer 1
  heartbeat interval 100
  heartbeat count 10
  ft-interface vlan 49
ft group 1
  peer 1
  priority 200
  peer priority 180
  associate-context Admin
  inservice
ft track interface vlan6
  track-interface vlan 6
  peer track-interface vlan 6
  priority 25
  peer priority 25

domain mydomain.com

ip route 0.0.0.0 0.0.0.0 192.168.11.1


snmp-server community Public group Network-Monitor
Regards,

George

Hi VK,

I have one more problem. The servers that I am load balancing have Apache installed as the web server. On the customer's web page there is a button called E-Auction. The customer wants that, if I access the website through HTTP and click the E-Auction button, the URL will be redirected to HTTPS.

Moreover, X-Forwarded-Scheme should be used as in the configuration above (insert-http X-Forwarded-Scheme header-value "%is").

I tried to match the part of the URL containing the word "E-Auction" and use the action-list "urlrewrite" to redirect HTTP to HTTPS, but it did not work.

As in the config below:

policy-map type loadbalance first-match WEB2
  match auct http url /E-Auction
    sticky-serverfarm COOKIE-STICKY
    action urlrewrite
    insert-http X-Forwarded-For header-value "%is"
    insert-http X-Forwarded-Scheme header-value "%is"
  class class-default
    sticky-serverfarm COOKIE-STICKY
    action urlrewrite
    insert-http X-Forwarded-Scheme header-value "%is"
    insert-http X-Forwarded-For header-value "%is"

The match rule under the policy map did not work. Is there any other way to match part of the URL in order to convert it to HTTPS?

One more question: how can I redirect the URL from HTTP to HTTPS once a user has entered the website?

Thank you in advance.

Regards,
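For the two redirect questions in the last post (moving every plain-HTTP visitor to HTTPS regardless of any cookie they still hold, and doing so only for the E-Auction part of the site), here is an added configuration example that is not from the thread or from Cisco. The urlrewrite action-list only rewrites the Location header of redirects the real servers send back; a redirect the ACE issues itself is built with a redirect rserver in a redirect serverfarm. The VIP, hostname and existing class and sticky names are taken from the config above; the `%p` path macro and the `!` annotation lines are my assumptions about ACE A3 syntax and should be checked against the release documentation before use.

```cisco
! Added example, not the thread's config: the HTTP VIP answers with a 301
! itself instead of relying on Location-header rewriting of server replies.

! Redirect rserver: %p is assumed to carry the requested path over, so
! http://.../E-Auction lands on https://www.mydomain.com/E-Auction.
rserver redirect TO-HTTPS
  webhost-redirection https://www.mydomain.com/%p 301
  inservice

serverfarm redirect SF-TO-HTTPS
  rserver TO-HTTPS
    inservice

! Match only requests for the E-Auction part of the site.
class-map type http loadbalance match-any CM-E-AUCTION
  2 match http url /E-Auction.*

! Option A: redirect only E-Auction, keep serving the rest over HTTP.
policy-map type loadbalance first-match WEB2
  class CM-E-AUCTION
    serverfarm SF-TO-HTTPS
  class class-default
    sticky-serverfarm COOKIE-STICKY
    action urlrewrite
    insert-http X-Forwarded-For header-value "%is"

! Option B: redirect the whole HTTP VIP, so a browser that returns over
! HTTP with a still-valid cookie is also sent to HTTPS.
policy-map type loadbalance first-match WEB2-REDIRECT-ALL
  class class-default
    serverfarm SF-TO-HTTPS

! The existing HTTP VIP (CLASS-WEB2, 192.168.11.140 port www) then
! references whichever of the two loadbalance policies is wanted.
policy-map multi-match L4-VIP_POLICY
  class CLASS-WEB2
    loadbalance vip inservice
    loadbalance policy WEB2
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 6
    connection advanced-options TCP_PARAM
```

Because the redirect is decided at the VIP before any real server or sticky entry is consulted, it fires whether or not the client already holds a valid sticky or application session cookie, which is the behaviour the customer asked for.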