Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
734
Views
0
Helpful
4
Replies

CSS11501 ssl-server urlrewrite Not Working

john.pepper
Level 1
Level 1

‎09-24-2004 12:49 AM

I have a CSS11501 with the on-board SSL module.

The device is configured with the relevant ss-proxy-list,ssl services and content rules to receive https sessions, decrypt them and pass them onto backend http Web servers - this is working ok.

However, the customer also wants any normal http sessions sent from the users browser to be re-written to https - this is to cater for the situation where the user accidently types a http url instead of using https. e.g.

//http:www.mydomain.com/webstuff/content.html

should be:

//https:www.mydomain.com/webstuff/content.html

From the documentation I have read it appears to me that the 'urlrewrite' command does exactly this.

However, I have configured this in my ssl-proxy-list but it doesn't seem to work - a browser session using http just times-out and doesn't get re-directed to https.

Have I got the correct command..?

My relevant config bits are below:

ssl-proxy-list ssl_listxxxx

ssl-server 33

ssl-server 33 vip address xxx.xxx.xxx.xxx

ssl-server 33 rsacert my_cert

ssl-server 33 rsakey my_key

ssl-server 33 cipher rsa-export-with-rc4-40-md5 xxx.xxx.xxx.xxx 80

ssl-server 33 urlrewrite 1 www.mydomain.com

active

service ssl-serxxxx

type ssl-accel

slot 2

keepalive type none

add ssl-proxy-list ssl_listxxxx

active

content ssl-content

vip address xxx.xxx.xxx.xxx

port 443

protocol tcp

add service ssl-serxxxx

application ssl

advanced-balance ssl

active

content backed-http-content

add service http-content-1

add service http-content-1

protocol tcp

port 80

url "/webstuff*"

advanced-balance sticky-srcip-dstport

vip address xxx.xxx.xxx.xxx

active

Thanks....John

Labels:
0 Helpful
4 Replies 4

Gilles Dufour
Cisco Employee
Cisco Employee

‎09-25-2004 11:57 PM

John,

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a00801de8d6.shtml

look at the last example - redirect from http to https.

The urlrewrite command only affect the response from the server.

So it's not going to help you here.

Regards,

Gilles

0 Helpful

john.pepper
Level 1
Level 1
In response to Gilles Dufour

‎09-26-2004 05:20 AM

Hi Gilles,

thanks again, this is great and I think what the customer wants.

The only thing I'm not clear on here is the IP address used in the 'secure-transfer' service (ip address 2.2.2.2)

Is this just s spoof ip address or should it be a valid server ip address.?

Cheers...John

********** SERVICE ***********

service secure-transfer

ip address 2.2.2.2

keepalive type none

type redirect

no prepend-http

domain https://www.cisco.com

active

service regular-server1

ip address 10.2.3.4

active

service regular-server2

ip address 10.2.3.5

active

********* OWNER *********

owner CSS-Team

content default-redirect

vip address 206.25.90.84

protocol tcp

port 80

url "/*"

add service secure-transfer

active

content ssl-rule

vip address 206.25.90.84

protocol tcp

port 443

add service regular-server1

add service regular-server2

active

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to john.pepper

‎09-30-2004 07:01 AM

the ip address can be whatever.

It's actually not being used.

Gilles.

0 Helpful

john.pepper
Level 1
Level 1
In response to Gilles Dufour

‎09-30-2004 03:37 PM

Thanks Gilles,

You've been a great help.

All the best...John

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card