CSS 11503 http redirect / rewrite to https ssl with wildcard cert

Glenn R
Level 1

I am trying to get all my traffic for the http VIP sent to https on the same VIP. I have managed to do this with a single A record, but my problem is that I have a wildcard SSL and want to be able to direct incoming http to https and keep the address information.

i.e. http://test.domain.com to go to https://test.domain.com and

     http://newtest.domain.com to go to https://newtest.domain.com

I have around 30 subdomains and do not want to have to write rules for each subdomain to be redirected.

My configuration looks like this at the moment, and any light would be greatly appreciated.

  ssl associate rsakey domainkey domainrsakey.pem
  ssl associate cert domaincert domaincert.crt

  ip route 0.0.0.0 0.0.0.0 192.168.33.1 1

!************************* INTERFACE *************************
interface 3/1
  bridge vlan 33

!************************** CIRCUIT **************************
circuit VLAN1

  ip address 192.168.35.1 255.255.255.0

circuit VLAN33

  ip address 192.168.33.2 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl-proxy
  ssl-server 1
  ssl-server 1 vip address 192.168.33.102
  ssl-server 1 rsacert domaincert
  ssl-server 1 rsakey domainkey
  ssl-server 1 cipher rsa-with-rc4-128-md5 192.168.35.5 80
  ssl-server 1 urlrewrite 10 *.domain.com sslport 443 clearport 80
  active

!************************** SERVICE **************************
service EUHS1WEB20
  protocol tcp
  port 80
  ip address 192.168.35.20
  keepalive type none
  active

service EUHS1WEB21
  protocol tcp
  port 80
  ip address 192.168.35.21
  keepalive type tcp
  active

service SSL-MYDOMAIN
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list ssl-proxy
  active

service SSL-REWRITE
  keepalive type none
  type redirect
  no prepend-http
  redirect-string "https://*"
  active

!*************************** OWNER ***************************

owner domain.com

  content decrypt-http
    vip address 192.168.35.5
    protocol tcp
    port 80
    add service EUHS1WEB23
    active

  content ssl-rule
    vip address 192.168.33.102
    port 443
    protocol tcp
    add service SSL-MYDOMAIN
    active

  content testhttp
    vip address 192.168.33.102
    protocol tcp
    port 80
    url "/*"
    add service SSL-REWRITE
    active

CSS11503#

Thank you in advance

Accepted Solutions

pcoughlin01
Level 1

I don't believe this is possible using a single rule. See post https://supportforums.cisco.com/message/457788#457788 for more information. I ran into a similar situation and had to create multiple rules with the same VIP, but different URLs and redirect services (see below).

Hope this helps.

Pat

service redirect-tenant2
  keepalive type none
  type redirect
  no prepend-http
  domain https://tenant2.yourdomain.com

service redirect-tenant3
  keepalive type none
  type redirect
  no prepend-http
  domain https://tenant3.yourdomain.com

service redirect-tenant4
  keepalive type none
  type redirect
  no prepend-http
  domain "https://tenant4.yourdomain.com"


  content tenant2
    vip address 192.168.99.1
    protocol tcp
    port 80
    url "//tenant2.yourdomain.com/*"
    add service redirect-tenant2

  content tenant3
    vip address 192.168.99.1
    protocol tcp
    port 80
    url "//tenant3.yourdomain.com/*"
    add service redirect-tenant3

  content tenant4
    vip address 192.168.99.1
    protocol tcp
    port 80
    url "//tenant4.yourdomain.com/*"
    add service redirect-tenant4

2 Replies

Thank you for your response.

After much reading and head scratching I have concluded that what you mentioned is the only way to be able to do this. The problem I have is that off our wildcard we have 2500 sites, i.e. test1.domain.com - test2500.domain.com, and I do not feel like typing in a large list for each A record.

So what I would have liked is not achievable in my situation, as you mentioned, and I have had to rethink this.

What I have done is change my Apache server's index page to redirect to another named page with a redirect rule.

As follows:

CSS -->VIP for -- http://test1.domain.com/index.php

Apache --> redirect to --  header("Location: https://" . $_SERVER['HTTP_HOST'] . "/newpage.php");

So the switch keeps the VIP the same but just switches to https.

Not perfect but works

Thank you
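
An added example, not part of the original posts: the `header("Location: ...")` line in the reply above copies `$_SERVER['HTTP_HOST']`, which comes from the client's Host header, straight into the redirect, so this sketch checks it against the wildcard domain before using it. The names `BASE_DOMAIN` and `https_redirect_target()` are assumptions for illustration; `domain.com` and `/newpage.php` are taken from the thread.

```php
<?php
// Added example, not code from the thread. BASE_DOMAIN and
// https_redirect_target() are illustrative names; /newpage.php is the
// target page used in the reply above.
const BASE_DOMAIN = 'domain.com';   // zone covered by the wildcard certificate

/**
 * Build the https:// redirect URL for a request, or return null when the
 * Host header is not a single-label subdomain of BASE_DOMAIN.
 */
function https_redirect_target(string $hostHeader, string $path = '/newpage.php'): ?string
{
    // Normalise: trim, lower-case, drop an optional :port and a trailing dot.
    $host = strtolower(trim($hostHeader));
    $host = rtrim((string) preg_replace('/:\d+$/', '', $host), '.');

    // Exactly one DNS label in front of the base domain. A wildcard
    // certificate matches one label only, so deeper names are refused too.
    $label   = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $pattern = '/^' . $label . '\.' . preg_quote(BASE_DOMAIN, '/') . '$/D';
    if (preg_match($pattern, $host) !== 1) {
        return null;
    }
    return 'https://' . $host . $path;
}

if (PHP_SAPI !== 'cli') {
    // Web request: redirect only when the Host header passed the check.
    $target = https_redirect_target($_SERVER['HTTP_HOST'] ?? '');
    if ($target === null) {
        http_response_code(400);
        exit('Bad Host header');
    }
    header('Location: ' . $target);
    exit;
}

// Command line (php thisfile.php): constructed sample Host values.
$samples = ['test1.domain.com', 'TEST2500.Domain.com:80', 'domain.com.evil.example',
            'evil.example', "test1.domain.com\r\nX-Injected: 1", 'a.b.domain.com'];
foreach ($samples as $h) {
    printf("%-40s => %s\n", json_encode($h), https_redirect_target($h) ?? 'rejected');
}
```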
