04-01-2003 07:22 PM
I am doing SSL termination on an 11503. Sessions start fine and data flows fine until the web servers sitting behind the CSS start supplying fully qualified URLs "http://yada...com" to the clients, so the incoming requests are going directly to the server via a different session and then the browser gets the mixed-secure/unsecure message, but works fine. Can I intercept and send a redirect back to the browser to go to https://vip when it comes in on 80? iPlanet says this cannot be changed on the web server.
Thanks
Dennis
04-02-2003 07:14 AM
You need the urlrewrite command that is available in the new 7.20 version.
This command is similar to the existing urlrewrite command on the SCA.
Gilles.
04-02-2003 08:49 AM
The server isn't using 302 redirects; the fully qualified URLs are in the web pages.
I was able to get it to work, but I would need to have a rule/service for every URL requested to get it to work.
Is there a way to get the URL "http://x.com/GOHERE" appended in the redirect "https://x.com/GOHERE" dynamically?
*bad: The ssl_redirect needed an IP address outside of the box; I used the IP on a workgroup switch to keep the service alive. I couldn't point it directly at the VIP.
Here is the config:
!Generated on 04/02/2003 08:29:39
!Active version: sg0710003 "cisco 11503"
configure
!*************************** GLOBAL ***************************
x
ssl associate rsakey x x
ssl associate cert x x
ssl associate dsakey x x
ssl associate dhparam x x
x
!************************* INTERFACE *************************
interface 1/1
trunk
phy 1Gbits-FD-no-pause
vlan 15
interface 1/2
trunk
phy 1Gbits-FD-no-pause
vlan 15
interface 2/1
bridge vlan 15
phy 100Mbits-FD
!************************** CIRCUIT **************************
circuit VLAN15
ip address 168.183.x.44 255.255.255.192
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list x
ssl-server 1
ssl-server 1 vip address 168.183.x.43
ssl-server 1 rsakey x
ssl-server 1 rsacert x
ssl-server 1 cipher rsa-with-rc4-128-md5 168.183.x.43 81
active
!************************** SERVICE **************************
service css1
ip address 168.183.x.47
protocol tcp
keepalive type http
port 81
active
service css2
ip address 168.183.x.46
protocol tcp
port 81
keepalive type http
active
service ssl_Module1
type ssl-accel
keepalive type none
slot 3
add ssl-proxy-list x
active
service ssl_redirect
type redirect
no prepend-http
port 443
ip address 168.183.x.49
redirect-string https://x.com
active
!*************************** OWNER ***************************
owner securemail
content sm-http
url "/*"
protocol tcp
port 80
redirect "https://x.com"
vip address 168.183.x.43
add service ssl_redirect
active
content sm-ssl
vip address 168.183.x.43
application ssl
protocol tcp
port 443
add service ssl_Module1
active
content sm81
protocol tcp
vip address 168.183.x.43
port 81
add service css1
add service css2
active
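The path-preserving redirect asked about above, sketched in Python as an added example; it is not part of the original posts and is not CSS configuration. The function name and the ALLOWED_HOSTS set are hypothetical, and x.com is the placeholder host from the thread. It builds the Location value from the port-80 request instead of using one rule per URL, and refuses hosts it does not serve so the redirect cannot be steered elsewhere.

```python
from urllib.parse import urlsplit

# Assumption: the only site name served on the VIP (placeholder from the thread).
ALLOWED_HOSTS = {"x.com"}


def https_location(host_header, request_target, allowed_hosts=ALLOWED_HOSTS):
    """Return the Location value for a request that arrived on port 80,
    or None when the request should be refused instead of redirected."""
    # Control characters or spaces would allow header splitting in Location.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in host_header + request_target):
        return None

    # Proxies may send the absolute form "http://x.com/GOHERE"; per HTTP/1.1
    # the host in the request line then takes precedence over the Host header.
    if request_target.lower().startswith(("http://", "https://")):
        parts = urlsplit(request_target)
        host_header = parts.netloc
        request_target = (parts.path or "/") + ("?" + parts.query if parts.query else "")

    # Drop an explicit port (":80") and normalise case before the allowlist check.
    host = host_header.lower().partition(":")[0]
    if host not in allowed_hosts:
        return None  # unknown Host header: do not build a redirect from it

    # Only origin-form targets ("/path?query") are carried over.
    if not request_target.startswith("/"):
        return None

    # Path and query are appended unchanged, so /GOHERE stays /GOHERE.
    return "https://" + host + request_target


if __name__ == "__main__":
    # Constructed sample requests: (Host header, request target).
    for host, target in [("x.com", "/GOHERE"),
                         ("x.com:80", "/GOHERE?id=7"),
                         ("other.example", "/GOHERE")]:
        print(host, target, "->", https_location(host, target))
```

This only covers requests that reach port 80; the fully qualified http:// links inside the pages are still delivered to the browser, which follows each one and is then redirected.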