11-20-2013 09:36 PM
Hello forum members,
I have difficulty configuring http to https while accessing a specific URL.
The case:
I have www.foo-bar.com.god in http; in the web page there is www.foo-bar.com.god/trust/* that must be accessed in https.
Is there any specific line of config to apply in my config?
My config is below.
### start
access-list INBOUND line 8 extended permit ip any any
parameter-map type http PERSISTENCE-REBALANCE
  persistence-rebalance
parameter-map type ssl SSL_END_to_END
  cipher RSA_WITH_RC4_128_SHA priority 10
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 7
  cipher RSA_WITH_AES_128_CBC_SHA priority 9
  cipher RSA_WITH_AES_256_CBC_SHA priority 8
  session-cache timeout 600
rserver host PORTAL-A
  ip address 10.49.30.200
  inservice
action-list type modify http FORCE-HTTPS
  ssl url rewrite location "www\.foo\-\bar\.com\.god\trust\*"
  header insert response Cache-Control header-value "private, no-cache, no-store, must-revalidate"
  header rewrite response Server header-value "" replace "BLANK"
serverfarm host PORTAL-SFARM
  rserver PORTAL-A 80
    inservice
ssl-proxy service PORTAL-CERT
  key portal.key
  cert portal.crt
sticky ip-netmask 255.255.255.255 address source SOURCEIP-STICKY-HTTP-SFARM
  replicate sticky
  serverfarm PORTAL-SFARM
class-map match-all SSL-VIP
  2 match virtual-address 10.49.30.230 tcp eq https
class-map match-all HTTP-VIP
  2 match virtual-address 10.49.30.230 tcp eq www
class-map type management match-any remote_access
  202 match protocol icmp any
  204 match protocol ssh any
  207 match protocol snmp any
  208 match protocol telnet any
  209 match protocol http any
  210 match protocol https any
  211 match protocol xml-https any
policy-map type management first-match management
  class remote_access
    permit
policy-map type loadbalance first-match LB-PORTAL-L7-POLICY
  class class-default
    sticky-serverfarm SOURCEIP-STICKY-HTTP-SFARM
    action FORCE-HTTPS
policy-map multi-match LB-PORTAL-L4-POLICY
  class SSL-VIP
    loadbalance vip inservice
    loadbalance policy LB-PORTAL-L7-POLICY
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 260
    appl-parameter http advanced-options PERSISTENCE-REBALANCE
    ssl-proxy server PORTAL-CERT
interface vlan 260
  description "User-Access"
  ip address 10.49.30.231 255.255.255.192
  peer ip address 10.49.30.232 255.255.255.192
  access-group input INBOUND
  nat-pool 1 10.49.30.252 10.49.30.252 netmask 255.255.255.255
  service-policy input management
  service-policy input LB-PORTAL-L4-POLICY
  no shutdown
### End
Need a review of the config.
thanks and regards
hamzah
11-21-2013 04:53 AM
Hi Hamzah,
The location regex that you enter must be a pure URL (for example, www\.cisco\.com) with no port or path designations if you are using SSL URL rewrite. If you need to match a path, use the HTTP header rewrite feature to rewrite the string.
action-list type modify http X
  header rewrite response Location header-value "http://xxxx\.com/path" replace "https://xxxx\.com/path"
Try it and let me know how it goes. For a simple URL without a path, your above configuration should work fine.
Regards,
Kanwal
11-21-2013 07:41 PM
Hi Singh,
Thank you for the reply.
I just changed the config, so hopefully the web can redirect properly.
But when I apply the config, the browser says the connection was reset.
Need help
here is my full config
crypto chaingroup portal-verySign
  cert portal.pem
access-list everyone line 8 extended permit ip any any
rserver host PORTAL-A
  ip address 10.49.30.200
  inservice
rserver redirect PORTAL_REDIR_HTTPS
  webhost-redirection https://%h%p 302
  inservice
serverfarm redirect PORTAL_HTTPS_SFARM
  rserver PORTAL_REDIR_HTTPS
    inservice
serverfarm host WWW_PORTAL_SFARM
  rserver PORTAL-A 80
    inservice
parameter-map type http PERSISTENCE-REBALANCE
  persistence-rebalance
parameter-map type ssl SSL_END_to_END
  cipher RSA_WITH_RC4_128_SHA priority 10
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 7
  cipher RSA_WITH_AES_128_CBC_SHA priority 9
  cipher RSA_WITH_AES_256_CBC_SHA priority 8
  session-cache timeout 600
sticky http-cookie PORTAL-STICKY STICKY-PORTAL-1
  serverfarm WWW_PORTAL_SFARM
sticky ip-netmask 255.255.255.255 address source SOURCEIP-STICKY-HTTP-SFARM
  replicate sticky
  serverfarm WWW_PORTAL_SFARM
action-list type modify http HTTP_MODIFICATION
  header insert request X-Forwarded-Proto header-value "%pd"
  header insert request Via header-value "1.1 web:%pd"
  header insert response Via header-value "1.1 web:ps"
  ssl url rewrite location ".*"
  ssl header-insert session Id
ssl-proxy service CLIENT_PORTAL
  ssl advanced-options SSL_END_to_END
ssl-proxy service SERVER_PORTAL
  key portal-key.pem
  cert portal.pem
  chaingroup portal-verySign
  ssl advanced-options SSL_END_to_END
class-map type http loadbalance match-any PORTAL-SSL
  2 match http url .*
class-map match-all VIP-SSL-PORTAL
  2 match virtual-address 10.49.30.230 tcp eq https
class-map match-all VIP-WWW-PORTAL
  2 match virtual-address 10.49.30.230 tcp eq www
policy-map type loadbalance first-match PORTAL_HTTPS_DEFAULT
  class class-default
    compress default-method gzip
    sticky-serverfarm SOURCEIP-STICKY-HTTP-SFARM
    action HTTP_MODIFICATION
    ssl-proxy client CLIENT_PORTAL
policy-map type loadbalance first-match PORTAL_HTTP_DEFAULT
  class class-default
    serverfarm PORTAL_HTTPS_SFARM
policy-map multi-match L4_PORTAL_LB
  class VIP-WWW-PORTAL
    loadbalance vip inservice
    loadbalance policy PORTAL_HTTP_DEFAULT
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 260
  class VIP-SSL-PORTAL
    loadbalance vip inservice
    loadbalance policy PORTAL_HTTPS_DEFAULT
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 260
    appl-parameter http advanced-options PERSISTENCE-REBALANCE
    ssl-proxy server SERVER_PORTAL
interface vlan 260
  description User-Access
  ip address 10.49.30.231 255.255.255.192
  peer ip address 10.49.30.232 255.255.255.192
  access-group input everyone
  nat-pool 1 10.49.30.252 10.49.30.252 netmask 255.255.255.255
  service-policy input L4_PORTAL_LB
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.49.30.195
ip route 10.0.0.0 255.255.255.0 10.49.30.193
Need your advice.
11-22-2013 08:53 AM
Hi Hamzah,
Your redirect configuration looks good. It should work. So any user who comes in and matches the class condition should be redirected to HTTPS, and you don't need NAT there.
Regards,
Kanwal
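An offline check for the redirect behaviour discussed above, added here as an example; it is not code from this thread and not an ACE feature. It models the `https://%h%p` substitution used by the redirect rserver in the second config, verifies that a 302 response (a constructed sample) sends the client to https with the same host and path, and expresses the Location-header rewrite from the first reply as a `re.sub` rule. The host www.foo-bar.com.god and the /trust path come from the thread; the assumption that %h is the request Host header and %p the request path, and the exact regex in LOCATION_REWRITE, are mine.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the 302 the redirect rserver is expected to emit for
# GET http://www.foo-bar.com.god/trust/login (webhost-redirection https://%h%p 302)
RAW_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.foo-bar.com.god/trust/login\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Hypothetical rewrite rule in the shape of the first reply's
#   header rewrite response Location header-value "<regex>" replace "<string>"
# Only Location values under /trust are moved to https; other paths are untouched.
LOCATION_REWRITE = (r"^http://www\.foo\-bar\.com\.god/trust",
                    "https://www.foo-bar.com.god/trust")


def expected_location(host, path, scheme="https"):
    """Model of the %h%p template: %h is assumed to be the request Host header,
    %p the request path, so the redirect keeps both and only swaps the scheme."""
    return f"{scheme}://{host}{path}"


def parse_response_head(raw):
    """Split a raw HTTP response into (status code, headers) with header names lower-cased."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _version, status, *_ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers


def check_https_redirect(raw, request_host, request_path):
    """Return the list of problems with a redirect response. An empty list means
    the redirect does what the thread wants: a 30x to https, same host, same path."""
    problems = []
    status, headers = parse_response_head(raw)
    if status not in (301, 302, 307, 308):
        problems.append(f"status {status} is not a redirect")
    location = headers.get("location")
    if location is None:
        problems.append("no Location header")
        return problems
    parts = urlsplit(location)
    if parts.scheme != "https":
        problems.append(f"Location scheme is {parts.scheme!r}, not https")
    if parts.hostname != request_host.lower():
        problems.append(f"Location host {parts.hostname!r} differs from request host")
    if parts.path != request_path:
        problems.append(f"Location path {parts.path!r} does not preserve {request_path!r}")
    return problems


def rewrite_location(value, rule=LOCATION_REWRITE):
    """Apply a Location header rewrite rule (regex, replacement) to one header value."""
    pattern, replacement = rule
    return re.sub(pattern, replacement, value)


if __name__ == "__main__":
    host, path = "www.foo-bar.com.god", "/trust/login"
    print("expected:", expected_location(host, path))
    print("problems:", check_https_redirect(RAW_REDIRECT, host, path))
    print("rewritten:", rewrite_location("http://www.foo-bar.com.god/trust/home"))
```

Feed `check_https_redirect` the response captured from the VIP on port 80 (for example with `curl -i http://www.foo-bar.com.god/trust/login`); a non-empty list pinpoints whether the scheme, host or path is what went wrong, which is more useful than the browser's "connection was reset".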
11-24-2013 07:57 PM
hi kanwal,
You mean I should remove "nat dynamic 1 vlan 260" from class VIP-SSL-PORTAL?
class VIP-SSL-PORTAL
  loadbalance vip inservice
  loadbalance policy PORTAL_HTTPS_DEFAULT
  loadbalance vip icmp-reply active
  nat dynamic 1 vlan 260
  appl-parameter http advanced-options PERSISTENCE-REBALANCE
  ssl-proxy server SERVER_PORTAL
11-25-2013 05:16 AM
Hi Hamzah,
No, I was talking about redirection, so you don't need NAT here since traffic is never given to any real server; ACE itself redirects it. It shouldn't make any difference, but it is worth a try if it is not working.
Also, I just noticed that you are using end-to-end SSL, which means front-end and back-end connections would be SSL, so why have you defined the rserver with port 80 in the serverfarm?
serverfarm host WWW_PORTAL_SFARM
  rserver PORTAL-A 80 -------------------->80 is for http; you should be using the port on which the server listens. If the server listens on port 80, then it means that you cannot use end-to-end and hence you should remove the SSL-PROXY CLIENT configuration from the policy map.
    inservice
policy-map multi-match L4_PORTAL_LB
  class VIP-WWW-PORTAL
    loadbalance vip inservice
    loadbalance policy PORTAL_HTTP_DEFAULT
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 260 ----------->Remove this.
Regards,
Kanwal