Need Help for redirect to HTTPS

hamz-zackops
Level 1

Hello forum members,

I have difficulty while configuring HTTP to HTTPS while accessing a specific URL.

the case:

I have www.foo-bar.com.god in HTTP; in the web page there is www.foo-bar.com.god/trust/* that must be accessed in HTTPS.

Is there any specific line of config to apply in my config?

My config is below.

### start

access-list INBOUND line 8 extended permit ip any any

parameter-map type http PERSISTENCE-REBALANCE
  persistence-rebalance

parameter-map type ssl SSL_END_to_END
  cipher RSA_WITH_RC4_128_SHA priority 10
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 7
  cipher RSA_WITH_AES_128_CBC_SHA priority 9
  cipher RSA_WITH_AES_256_CBC_SHA priority 8
  session-cache timeout 600

rserver host PORTAL-A
  ip address 10.49.30.200
  inservice

action-list type modify http FORCE-HTTPS
  ssl url rewrite location "www\.foo\-\bar\.com\.god\trust\*"
  header insert response Cache-Control header-value "private, no-cache, no-store, must-revalidate"
  header rewrite response Server header-value "" replace "BLANK"

serverfarm host PORTAL-SFARM
  rserver PORTAL-A 80
    inservice

ssl-proxy service PORTAL-CERT
  key portal.key
  cert portal.crt

sticky ip-netmask 255.255.255.255 address source SOURCEIP-STICKY-HTTP-SFARM
  replicate sticky
  serverfarm PORTAL-SFARM

class-map match-all SSL-VIP
  2 match virtual-address 10.49.30.230 tcp eq https

class-map match-all HTTP-VIP
  2 match virtual-address 10.49.30.230 tcp eq www

class-map type management match-any remote_access
  202 match protocol icmp any
  204 match protocol ssh any
  207 match protocol snmp any
  208 match protocol telnet any
  209 match protocol http any
  210 match protocol https any
  211 match protocol xml-https any

policy-map type management first-match management
  class remote_access
    permit

policy-map type loadbalance first-match LB-PORTAL-L7-POLICY
  class class-default
    sticky-serverfarm SOURCEIP-STICKY-HTTP-SFARM
    action FORCE-HTTPS

policy-map multi-match LB-PORTAL-L4-POLICY
  class SSL-VIP
    loadbalance vip inservice
    loadbalance policy LB-PORTAL-L7-POLICY
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 260
    appl-parameter http advanced-options PERSISTENCE-REBALANCE
    ssl-proxy server PORTAL-CERT

interface vlan 260
  description "User-Access"
  ip address 10.49.30.231 255.255.255.192
  peer ip address 10.49.30.232 255.255.255.192
  access-group input INBOUND
  nat-pool 1 10.49.30.252 10.49.30.252 netmask 255.255.255.255
  service-policy input management
  service-policy input LB-PORTAL-L4-POLICY
  no shutdown

### End

I need a review of the config.

Thanks and regards,

Hamzah

5 Replies

Kanwaljeet Singh
Cisco Employee

Hi Hamzah,

The location regex that you enter must be a pure URL (for example, www\.cisco\.com) with no port or path designations if you are using SSL URL rewrite.  If you need to match a path, use the HTTP header rewrite feature to rewrite the string.

action-list type modify http X
  header rewrite response Location header-value "http://xxxx\.com/path" replace "https://xxxx\.com/path"

Try it and let me know how it goes. For a simple URL without a path, your above configuration should work fine.

Regards,

Kanwal

Hi Singh,

Thank you for the reply.

I just changed the config, so hopefully the web can redirect properly.

But when I apply the config, the browser says the connection was reset.

Need help.

Here is my full config:

crypto chaingroup portal-verySign
  cert portal.pem

access-list everyone line 8 extended permit ip any any

rserver host PORTAL-A
  ip address 10.49.30.200
  inservice

rserver redirect PORTAL_REDIR_HTTPS
  webhost-redirection https://%h%p 302
  inservice

serverfarm redirect PORTAL_HTTPS_SFARM
  rserver PORTAL_REDIR_HTTPS
    inservice

serverfarm host WWW_PORTAL_SFARM
  rserver PORTAL-A 80
    inservice

parameter-map type http PERSISTENCE-REBALANCE
  persistence-rebalance

parameter-map type ssl SSL_END_to_END
  cipher RSA_WITH_RC4_128_SHA priority 10
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 7
  cipher RSA_WITH_AES_128_CBC_SHA priority 9
  cipher RSA_WITH_AES_256_CBC_SHA priority 8
  session-cache timeout 600

sticky http-cookie PORTAL-STICKY STICKY-PORTAL-1
  serverfarm WWW_PORTAL_SFARM

sticky ip-netmask 255.255.255.255 address source SOURCEIP-STICKY-HTTP-SFARM
  replicate sticky
  serverfarm WWW_PORTAL_SFARM

action-list type modify http HTTP_MODIFICATION
  header insert request X-Forwarded-Proto header-value "%pd"
  header insert request Via header-value "1.1 web:%pd"
  header insert response Via header-value "1.1 web:ps"
  ssl url rewrite location ".*"
  ssl header-insert session Id

ssl-proxy service CLIENT_PORTAL
  ssl advanced-options SSL_END_to_END

ssl-proxy service SERVER_PORTAL
  key portal-key.pem
  cert portal.pem
  chaingroup portal-verySign
  ssl advanced-options SSL_END_to_END

class-map type http loadbalance match-any PORTAL-SSL
  2 match http url .*

class-map match-all VIP-SSL-PORTAL
  2 match virtual-address 10.49.30.230 tcp eq https

class-map match-all VIP-WWW-PORTAL
  2 match virtual-address 10.49.30.230 tcp eq www

policy-map type loadbalance first-match PORTAL_HTTPS_DEFAULT
  class class-default
    compress default-method gzip
    sticky-serverfarm SOURCEIP-STICKY-HTTP-SFARM
    action HTTP_MODIFICATION
    ssl-proxy client CLIENT_PORTAL

policy-map type loadbalance first-match PORTAL_HTTP_DEFAULT
  class class-default
    serverfarm PORTAL_HTTPS_SFARM

policy-map multi-match L4_PORTAL_LB
  class VIP-WWW-PORTAL
    loadbalance vip inservice
    loadbalance policy PORTAL_HTTP_DEFAULT
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 260
  class VIP-SSL-PORTAL
    loadbalance vip inservice
    loadbalance policy PORTAL_HTTPS_DEFAULT
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 260
    appl-parameter http advanced-options PERSISTENCE-REBALANCE
    ssl-proxy server SERVER_PORTAL

interface vlan 260
  description User-Access
  ip address 10.49.30.231 255.255.255.192
  peer ip address 10.49.30.232 255.255.255.192
  access-group input everyone
  nat-pool 1 10.49.30.252 10.49.30.252 netmask 255.255.255.255
  service-policy input L4_PORTAL_LB
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.49.30.195
ip route 10.0.0.0 255.255.255.0 10.49.30.193

Need your advice.

Hi Hamzah,

Your redirect configuration looks good. It should work. So any user who comes in and matches the class condition should be redirected to HTTPS, and you don't need NAT there.

Regards,

Kanwal

Hi Kanwal,

You mean I should remove "nat dynamic 1 vlan 260" from class VIP-SSL-PORTAL?

  class VIP-SSL-PORTAL
    loadbalance vip inservice
    loadbalance policy PORTAL_HTTPS_DEFAULT
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 260
    appl-parameter http advanced-options PERSISTENCE-REBALANCE
    ssl-proxy server SERVER_PORTAL

Hi Hamzah,

No, I was talking about redirection, so you don't need NAT here since traffic is never given to any real server but ACE itself redirects it. It shouldn't make any difference, but it is worth a try if it is not working.

Also, I just noticed that you are using end-to-end SSL, which means front-end and back-end connections would be SSL, so why have you defined the rserver with port 80 in the serverfarm?

serverfarm host WWW_PORTAL_SFARM
  rserver PORTAL-A 80 --------------------> 80 is for HTTP; you should be using the port on which the server listens. If the server listens on port 80, then it means that you cannot use end-to-end and hence you should remove the SSL-PROXY CLIENT configuration from the policy map.
    inservice

policy-map multi-match L4_PORTAL_LB
  class VIP-WWW-PORTAL
    loadbalance vip inservice
    loadbalance policy PORTAL_HTTP_DEFAULT
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 260 -----------> Remove this.

Regards,

Kanwal
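The thread ends up with two ways of sending clients to HTTPS: the redirect rserver in Hamzah's second config (webhost-redirection https://%h%p 302) and the Location header rewrite Kanwal suggested in his first reply. The Python below is an added example, not code from the thread or from Cisco, that emulates both and checks a captured HTTP response for the properties a correct redirect must have: 302 status, https scheme, same host, same path. It assumes %h expands to the client's Host header and %p to the request path including any query string; the sample response and hostnames are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of what the HTTP VIP should answer for
# "GET /trust/login?x=1" with "Host: www.foo-bar.com.god" (not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://www.foo-bar.com.god/trust/login?x=1\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def expand_webhost_redirection(template: str, host: str, path: str) -> str:
    """Expand ACE's %h (Host header) and %p (request path) placeholders (assumed semantics)."""
    return template.replace("%h", host).replace("%p", path)

def parse_response(raw: bytes):
    """Return (status_code, {lower-case header name: value}) from a raw HTTP response."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(raw: bytes, host: str, path: str) -> list:
    """Return a list of problems; an empty list means the redirect is what the config promises."""
    problems = []
    status, headers = parse_response(raw)
    if status != 302:
        problems.append(f"expected 302, got {status}")
    loc = headers.get("location")
    if loc is None:
        return problems + ["no Location header"]
    expected = expand_webhost_redirection("https://%h%p", host, path)
    if loc != expected:
        problems.append(f"Location {loc!r} != {expected!r}")
    target = urlsplit(loc)
    if target.scheme != "https":
        problems.append("redirect target is not https")
    if target.hostname != host.split(":")[0].lower():
        problems.append("redirect sends the client to a different host")
    return problems

def rewrite_location(value: str, host: str) -> str:
    """Kanwal's alternative: turn a back-end http:// Location for our host into https://, path kept."""
    pattern = r"^http://" + re.escape(host) + r"(/.*)?$"
    return re.sub(pattern, lambda m: f"https://{host}{m.group(1) or ''}", value)
```

Feed check_redirect the bytes returned by a plain-HTTP request to the VIP; any entry in the returned list points at the header that the redirect serverfarm or action-list is not producing as intended.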
