09-24-2004 12:49 AM
I have a CSS11501 with the on-board SSL module.
The device is configured with the relevant ssl-proxy-list, ssl services and content rules to receive https sessions, decrypt them and pass them on to backend http Web servers - this is working ok.
However, the customer also wants any normal http sessions sent from the user's browser to be re-written to https - this is to cater for the situation where the user accidentally types an http url instead of using https. e.g.
http://www.mydomain.com/webstuff/content.html
should be:
https://www.mydomain.com/webstuff/content.html
From the documentation I have read it appears to me that the 'urlrewrite' command does exactly this.
However, I have configured this in my ssl-proxy-list but it doesn't seem to work - a browser session using http just times out and doesn't get re-directed to https.
Have I got the correct command..?
My relevant config bits are below:
ssl-proxy-list ssl_listxxxx
  ssl-server 33
  ssl-server 33 vip address xxx.xxx.xxx.xxx
  ssl-server 33 rsacert my_cert
  ssl-server 33 rsakey my_key
  ssl-server 33 cipher rsa-export-with-rc4-40-md5 xxx.xxx.xxx.xxx 80
  ssl-server 33 urlrewrite 1 www.mydomain.com
  active
service ssl-serxxxx
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list ssl_listxxxx
  active
content ssl-content
  vip address xxx.xxx.xxx.xxx
  port 443
  protocol tcp
  add service ssl-serxxxx
  application ssl
  advanced-balance ssl
  active
content backed-http-content
  add service http-content-1
  add service http-content-1
  protocol tcp
  port 80
  url "/webstuff*"
  advanced-balance sticky-srcip-dstport
  vip address xxx.xxx.xxx.xxx
  active
Thanks....John
09-25-2004 11:57 PM
John,
look at the last example - redirect from http to https.
The urlrewrite command only affects the response from the server.
So it's not going to help you here.
Regards,
Gilles
09-26-2004 05:20 AM
Hi Gilles,
thanks again, this is great and I think what the customer wants.
The only thing I'm not clear on here is the IP address used in the 'secure-transfer' service (ip address 2.2.2.2)
Is this just a spoof ip address or should it be a valid server ip address?
Cheers...John
********** SERVICE ***********
service secure-transfer
  ip address 2.2.2.2
  keepalive type none
  type redirect
  no prepend-http
  domain https://www.cisco.com
  active
service regular-server1
  ip address 10.2.3.4
  active
service regular-server2
  ip address 10.2.3.5
  active
********* OWNER *********
owner CSS-Team
  content default-redirect
    vip address 206.25.90.84
    protocol tcp
    port 80
    url "/*"
    add service secure-transfer
    active
  content ssl-rule
    vip address 206.25.90.84
    protocol tcp
    port 443
    add service regular-server1
    add service regular-server2
    active
09-30-2004 07:01 AM
the ip address can be whatever.
It's actually not being used.
Gilles.
09-30-2004 03:37 PM
Thanks Gilles,
You've been a great help.
All the best...John
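An added example, not part of the original thread or of Cisco's documentation: a Python check for the behaviour the thread is after, namely that a plain-HTTP request is answered with a redirect to the same host and path over HTTPS. The function name and the sample responses are constructed for illustration; in practice the raw bytes would be what the port 80 VIP returns.

```python
from urllib.parse import urlsplit

def check_https_redirect(request_url, raw_response):
    """Return (ok, reason) for the raw bytes received in reply to request_url."""
    req = urlsplit(request_url)
    if not raw_response:
        # The symptom in the first post: port 80 never answers, browser times out.
        return False, "no response on port 80"
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return False, "malformed status line"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status not in (301, 302, 303, 307, 308):
        return False, f"status {status} is not a redirect"
    loc = urlsplit(headers.get("location", ""))
    if loc.scheme != "https":
        return False, "Location is not https"
    if (loc.hostname or "").lower() != (req.hostname or "").lower():
        return False, "Location points at a different host"
    if loc.path != req.path or loc.query != req.query:
        return False, "path or query not preserved"
    return True, "redirects to https on the same host and path"

# Constructed sample responses (not captured from a real CSS).
URL = "http://www.mydomain.com/webstuff/content.html"
GOOD = (b"HTTP/1.1 302 Found\r\n"
        b"Location: https://www.mydomain.com/webstuff/content.html\r\n\r\n")
DROPS_PATH = b"HTTP/1.1 302 Found\r\nLocation: https://www.mydomain.com/\r\n\r\n"
STILL_HTTP = (b"HTTP/1.1 302 Found\r\n"
              b"Location: http://www.mydomain.com/webstuff/content.html\r\n\r\n")

if __name__ == "__main__":
    for name, resp in [("good", GOOD), ("drops path", DROPS_PATH),
                       ("still http", STILL_HTTP), ("timeout", b"")]:
        print(name, check_https_redirect(URL, resp))
```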