HTTP redirect issue

shday
Level 1

I have a vip for url http://www.camko.com/honor/services.svc, but I need to redirect all other requests to http://www.camko.com to https. So anything coming to http://www.camko.com would be redirected to https://www.camko.com, but to allow http://www.camko.com/honor/services.svc to go to my pair of web servers. I am also terminating ssl for this policy. I am unable to get the http://www.camko.com/honor/services.svc to work correctly. I see the initial login to https://www.camko.com and I see a services request to /honor/services.svc and it looks like it's clear text, but in my trace I see the origin: as https://www.camko.com. I'm wondering if the services call can be redirected since they are already logged in with https://www.camko.com?

This is what I tried.

class-map match-any camko-clmp
  2 match virtual-address 10.10.20.42 tcp eq https
class-map match-any camko-port80
  2 match virtual-address 10.10.20.42 tcp eq www
class-map type http loadbalance match-any camko/honor
  2 match http url .*catsupport  -- anything with catsupport do not redirect
  3 match http url .*honor -- anything with honor do not redirect


policy-map type loadbalance first-match camko
  class class-default
    serverfarm camko
policy-map type loadbalance first-match camko-redirect
  class class-default
    serverfarm camko-redirect
policy-map type loadbalance first-match camko-443
  class class-default
    serverfarm camko

policy-map multi-match camko-mmplm
  class camko-clmp
    loadbalance vip inservice
    loadbalance policy camko-443  -- this is where the initial login to the app takes place
    loadbalance vip icmp-reply active
    ssl-proxy server lss-ssl-proxy
policy-map multi-match camko-port80
  class camko/honor
    loadbalance vip inservice
    loadbalance policy camko  -- should allow port 80 to anything with /catsupport or /honor
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options ignore-case
  class camko-port80
    loadbalance vip inservice
    loadbalance policy camko-redirect  -- redirect any other port 80 requests
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options ignore-case


stmccabe
Cisco Employee

The traditional redirect will not give you the granularity you are looking for, however you can leverage http header rewrites in conjunction with the redirect to do "conditional" redirects.

I might be wrong, but I don't think a redirect is what you are looking for. It sounds like the client is initially logging in via the ssl url then getting a redirect (from server) to http, which causes the client to "step outside" of the ssl channel and build a new session. More than likely the server is setting the location header to 'http://www.camko.com/honor/services.svc'. What you must do is keep the client connection over the ssl session by doing an ssl rewrite. This way the web server's response is rewritten from http://www.camko.com/honor/services.svc to https://www.camko.com/honor/services.svc.

Example:

1) First add an action list:

!

action-list type modify http REWRITE-Location
  ssl url rewrite location "www\.camko\.com"

!

2) policy-map type loadbalance first-match camko-443
!

  class class-default
    action REWRITE-Location  <---- add under your HTTPS policy
    serverfarm camko

!

3) You can then remove:

!

policy-map type loadbalance first-match camko
  class class-default
    serverfarm camko
policy-map type loadbalance first-match camko-redirect
  class class-default
    serverfarm camko-redirect
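
Added example, not part of the reply and not Cisco's implementation: a simplified Python model of the Location rewrite described above, plus a check for responses that would still send an HTTPS client to a clear-text URL. The sample responses are constructed, and the whole-host match, the 301/302 scope and the 80/443 port defaults are assumptions of this model.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Host pattern copied from the action list in the reply. Matching it against
# the whole host name is an assumption of this model.
HOST_PATTERN = re.compile(r"www\.camko\.com", re.IGNORECASE)
REWRITE_CODES = {301, 302}  # assumption: only these redirects are rewritten

def rewrite_location(status, headers, clear_port=80, ssl_port=443):
    """Return a copy of headers with a clear-text Location upgraded to https
    when the response is a redirect and the host matches HOST_PATTERN."""
    out = dict(headers)
    loc = headers.get("Location")
    if status not in REWRITE_CODES or not loc:
        return out
    parts = urlsplit(loc)
    if parts.scheme.lower() != "http" or not parts.hostname:
        return out  # already https, relative, or malformed: leave untouched
    if not HOST_PATTERN.fullmatch(parts.hostname):
        return out  # foreign host: not ours to rewrite
    if (parts.port or 80) != clear_port:
        return out
    netloc = parts.hostname if ssl_port == 443 else f"{parts.hostname}:{ssl_port}"
    out["Location"] = urlunsplit(
        ("https", netloc, parts.path, parts.query, parts.fragment))
    return out

def is_downgrade(request_url, status, headers):
    """True when the response to an https request redirects the client to http."""
    loc = headers.get("Location", "")
    return (300 <= status < 400
            and urlsplit(request_url).scheme == "https"
            and urlsplit(loc).scheme.lower() == "http")

# Constructed sample responses (not captured from the poster's servers).
SAMPLES = [
    ("https://www.camko.com/login", 302,
     {"Location": "http://www.camko.com/honor/services.svc"}),
    ("https://www.camko.com/login", 302,
     {"Location": "http://partner.example/landing"}),
    ("https://www.camko.com/honor/services.svc", 200,
     {"Content-Type": "text/xml"}),
]

if __name__ == "__main__":
    for url, status, hdrs in SAMPLES:
        fixed = rewrite_location(status, hdrs)
        print(status, hdrs.get("Location"), "->", fixed.get("Location"),
              "| still downgrades:", is_downgrade(url, status, fixed))
```

The second sample stays a downgrade after the rewrite because its host does not match the pattern, which is the case to look for in a trace once the action list is in place.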
