Configuration help - ACE redirection

jbartoldus
Level 1

Please see the below ACE configuration.  It is currently in place for both load balancing and redirection.  Here are the 4 current scenarios...

1. https://www.URL1.com is the desired URL and will be load balanced.  Certificate is for this URL.

2. http://www.URL1.com will redirect the client to https://www.URL1.com for appropriate load balancing.

3. URL1.com resolves to the same vip ip address as www.URL1.com, so http://URL1.com will redirect the client to https://URL1.com

4. https://URL1.com will be load balanced, but client gets a certificate error since the cert is not associated with this address.

How can I redirect http://URL1.com and https://URL1.com to https://www.URL1.com?  Can I create a L7 policy map in addition to the existing L4 policy map?

Thanks for any help you can give.

rserver host URL1-ws07
  ip address 1.1.1.1
  inservice
rserver host URL1-ws08
  ip address 1.1.2.1
  inservice
rserver host URL1-ws09
  ip address 1.1.3.1
  inservice
rserver host URL1-ws10
  ip address 1.1.4.1
  inservice 
rserver host URL1-ws06
  ip address 1.1.5.1
  inservice
!************** Generic redirect rserver used by many policy maps to redirect clear text addresses to secure addresses *************
rserver redirect server-rd
  webhost-redirection https://%h%p 301
  inservice

 
ssl-proxy service URL1
  key URL10911-key
  cert URL10911-cert
  chaingroup verisign-ev-cg

serverfarm host URL1
  description www.URL1.com
  probe port_80
  rserver URL1-ws07 80
    inservice
  rserver URL1-ws08 80
    inservice
  rserver URL1-ws09 80
    inservice
  rserver URL1-ws10 80
    inservice
  rserver URL1-ws06 80
    inservice


sticky http-cookie acecookie sticky-URL1
  cookie insert browser-expire
  replicate sticky
  serverfarm URL1

!***************** Redirect to https *****************
class-map match-all URL1-vip
  2 match virtual-address 2.2.2.2 tcp eq https
class-map match-all URL1-vip-rd
  2 match virtual-address 2.2.2.2 tcp eq www 
 
policy-map type loadbalance first-match URL1-lb
  class class-default
    sticky-serverfarm sticky-URL1
    action https-rewrite
    insert-http X-Forwarded-For header-value "%is"

policy-map type loadbalance first-match URL1-rd
  class class-default
    serverfarm server-rd

policy-map multi-match yellow-policy 
  class URL1-vip-rd
    loadbalance vip inservice
    loadbalance policy URL1-rd
    loadbalance vip icmp-reply active
  class URL1-vip
    loadbalance vip inservice
    loadbalance policy URL1-lb
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options generic-http-parameter-map
    ssl-proxy server URL1


pablo.nxh
Level 3

Hi there,

If all the URLs respond to the same VIP then you need to modify your server-rd as follows:

rserver redirect server-rd
  webhost-redirection https://www.URL1.com/%p 301
  inservice

That would take care of the HTTP part.

For HTTPS we can't do much as decryption happens before URL matching, you'll get the certificate error before being sent to the correct domain. The only way you can get HTTPS working is either with:

- Wildcard Certificate: *.URL1.com

- SAN certificate: You can include multiple domains into the same SSL certificate.

HTH


Pablo
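
Added example (not part of the original replies): a simplified RFC 6125-style check of which names on the VIP a certificate's SAN entries cover, useful before ordering the replacement certificate. The SAN lists are constructed from the thread's placeholder domain, and the function names are hypothetical; it goes slightly beyond the reply by showing that a wildcard entry matches exactly one label, so `*.URL1.com` alone does not cover the bare `URL1.com`.

```python
# Added example: which hostnames on the VIP does a certificate cover?
# Simplified RFC 6125 matching over SAN dNSName entries (constructed data).

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands in for exactly one label, so label counts must match.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Reject over-broad patterns such as "*.com".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    # Partial or non-left-most wildcards are not honoured in this check.
    if any("*" in label for label in p_labels):
        return False
    return p_labels == h_labels


def cert_covers(san_list, hostname):
    """True if any SAN entry in the certificate covers the hostname."""
    return any(san_matches(p, hostname) for p in san_list)


def uncovered(san_list, hostnames):
    """Hostnames that would produce a certificate name error on the VIP."""
    return [h for h in hostnames if not cert_covers(san_list, h)]


# Every name that resolves to the VIP in the thread.
VIP_NAMES = ["www.URL1.com", "URL1.com"]

# Constructed SAN lists for the certificate options discussed.
CURRENT_CERT = ["www.URL1.com"]
WILDCARD_ONLY = ["*.URL1.com"]
WILDCARD_PLUS_APEX = ["*.URL1.com", "URL1.com"]
SAN_CERT = ["www.URL1.com", "URL1.com"]

if __name__ == "__main__":
    for label, sans in [("current", CURRENT_CERT),
                        ("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX),
                        ("SAN cert", SAN_CERT)]:
        print(f"{label:16} uncovered: {uncovered(sans, VIP_NAMES)}")
```
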

I was afraid of that.  Thanks for your help Pablo.
