08-19-2011 05:08 AM
We have an IDM application with SSL offloading on the ACE, using an action REWRITE statement. We use IDM to authenticate both HTTP and HTTPS applications. But we have a problem with HTTP sites: after IDM authentication, the HTTP header is rewritten as HTTPS.
HTTP VIP --> IDM VIP --> Converted to HTTPS because of action REWRITE
IDM VIP has the following config:
------------------------------------------------
action-list type modify http REWRITE
  ssl url rewrite location ".*"
policy-map type loadbalance first-match LB-rtp-login-stg-S443
  class class-default
    sticky-serverfarm SG-rtp-login-stg-S80
    action REWRITE
    insert-http IS_SSL header-value "ssl"
But if we remove action REWRITE, then the HTTPS applications break after IDM authentication. How can we fix this issue?
08-19-2011 01:20 PM
Guys,
Does anybody have any idea about this?
08-22-2011 02:15 AM
Can you show me your multi-match policy as well? I guess you have a different class for http and https. Are you using the same loadbalance policy for http and https?
Thanks,
Olivier
08-22-2011 04:03 AM
Yes. We have separate multi-match policy for HTTP and HTTPS IDM VIP.
policy-map multi-match GP-SUBPROD-01-VIP
  class VC-rtp-login-stg-S80
    loadbalance vip inservice
    loadbalance policy LB-rtp-login-stg-S80
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2513
    nat dynamic 1 vlan 2514
    connection advanced-options TCP_PARAM_MAP
  class VC-rtp-login-stg-S443
    loadbalance vip inservice
    loadbalance policy LB-rtp-login-stg-S443
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options http_paramater_map
    ssl-proxy server SO-rtp-login-stg-S
    connection advanced-options TCP_PARAM_MAP
08-22-2011 06:28 AM
I assume you didn't apply the rewrite action to the LB-rtp-login-stg-S80 policy. Do you maybe have some network captures exhibiting the problem?
Thanks,
Olivier
08-22-2011 07:21 AM
Well, the problem is only with HTTPS (VC-rtp-login-stg-S443), as I explained before. This is the IDM application (VIP), and we need to use HTTPS only, as it is internet based. So the problem occurs only when another HTTP application is authenticated through this IDM HTTPS VIP: the result is then HTTPS (the original request was HTTP).
Application (1) HTTP VIP --> IDM VIP --> Converted to HTTPS of Application (1) because of action REWRITE
I hope you understood the problem.
08-22-2011 07:49 AM
08-23-2011 09:31 PM
Hi Olivier,
Do you have any suggestions?
08-24-2011 02:21 AM
You basically need to rewrite the action-list so that it doesn't match
http://stagesupport.netap.com. Currently it is matching everything.
You should try to have a sniffer trace on the server side so that you can confirm the URL present in the Location header of the HTTP redirection.
Olivier
08-24-2011 11:22 PM
What exactly do you want to put under the action list? Please give me an example.
08-25-2011 01:11 AM
Just have a look at this:
In the example, ACE is configured to rewrite Location headers matching www.cisco.com only. You should do the same: have a restricted list of URLs that need to be rewritten in HTTP redirections.
Thanks,
Olivier
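The behaviour discussed in this thread, modelled in Python as an added example (not code from any post, and not ACE's own implementation): a catch-all ".*" expression upgrades every clear-text redirect, while an expression restricted to the login host leaves the HTTP-only application's redirect alone. The host idm-login.example.com, the function names, and full-match semantics on the redirect host are assumptions of this model.

```python
import re
from urllib.parse import urlsplit, urlunsplit

def rewrite_location(location, pattern, clearport=80, sslport=443):
    """Simplified model of an SSL-offload Location rewrite (an assumption,
    not ACE's actual code): upgrade an http:// redirect to https:// only
    when the redirect host matches `pattern`."""
    parts = urlsplit(location)
    if parts.scheme != "http" or (parts.port or 80) != clearport:
        return location                      # not a clear-text redirect
    host = parts.hostname or ""
    if not re.fullmatch(pattern, host):
        return location                      # host is outside the rewrite list
    netloc = host if sslport == 443 else f"{host}:{sslport}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def upgraded(pattern, redirects):
    """Return the redirects that `pattern` would turn into HTTPS."""
    return [r for r in redirects if rewrite_location(r, pattern) != r]

# Constructed sample Location values, as a server-side capture might show them.
REDIRECTS = [
    "http://idm-login.example.com/auth/done",  # placeholder IDM login host
    "http://stagesupport.netap.com/home",      # HTTP-only site named in the thread
    "https://idm-login.example.com/sso",       # already HTTPS, never touched
]
CATCH_ALL = r".*"                              # expression currently configured
RESTRICTED = r"idm-login\.example\.com"        # only the SSL-offloaded host

if __name__ == "__main__":
    for name, pat in (("catch-all", CATCH_ALL), ("restricted", RESTRICTED)):
        print(name)
        for r in REDIRECTS:
            print("  ", r, "->", rewrite_location(r, pat))
```

Running the same check over the Location values seen in a server-side trace shows which redirects a candidate expression would upgrade before it is put on the VIP.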