Introduction
When doing SSL termination on ACE, the rserver may not be aware that the client only sees HTTPS, and it may send an HTTP redirect carrying an http:// link (instead of https://). This would inadvertently cause the client to leave the encrypted session. ACE can rewrite the http:// link to https://. This document shows an example configuration to achieve the ACE SSL URL rewrite functionality.
client browser---------https--------ACE-------http---------rserver
In the following example, the rserver sends an HTTP 301 redirect with the link http://foo2.bar.com, and ACE rewrites the link to https://foo2.bar.com.
Version
The configuration shown in this document is created on ACE 4710 Appliance running A3(2.5) version software.
For the ACE module, URL rewrite is supported on software version c6ace-t1k9-mz.A2_1.bin or later. Remember that both ACE units will need to have the certificates and keys.
Key Config
The key configuration is under the "action-list" command. The following commands rewrite http://foo2.bar.com to https://foo2.bar.com:
action-list type modify http SSL_URL_REWRITE
ssl url rewrite location "foo2\.bar\..*"
Note the use of the wildcard .*
This would rewrite http://foo2.bar.com to https://foo2.bar.com
or http://foo2.bar.org to https://foo2.bar.org
or http://foo2.bar.xyz to https://foo2.bar.xyz etc...
Two dots are needed for the wildcard to work. The "\." (escape character \ followed by .) matches a literal dot, and ".*" is the wildcard (zero or more of any character).
For the list of special characters ACE supports in regular expressions, see "Special Characters for Matching String Expressions" at the following link:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/terminat.html#wp1185066
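To make the matching rules above concrete, here is an added Python model of what the rewrite does to a redirect (example code, not from the original document or from Cisco): the host in an http:// Location header is compared against the configured regex and, on a match, the scheme is changed to https://. It assumes ACE compares the pattern against the complete host name, and the sample 301 response is constructed.

```python
import re

# Constructed sample 301 response, as the rserver in the diagram would send it
# (sample data, not from the original document).
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://foo2.bar.com/login\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def host_matches(pattern: str, host: str) -> bool:
    """True if the whole host name matches the configured regex.
    Assumption: ACE compares the pattern against the complete host, so the
    pattern must account for every character (hence the trailing '.*')."""
    return re.fullmatch(pattern, host) is not None


def rewrite_location(response: str, pattern: str) -> str:
    """Mimic 'ssl url rewrite location <regex>': an http:// Location header
    whose host matches the pattern is rewritten to https://. Other headers,
    and Location values with a non-matching host, pass through untouched."""
    head, sep, body = response.partition("\r\n\r\n")
    rewritten = []
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "location":
            # Split the URL into host and the remainder (path, query, ...).
            m = re.match(r"http://([^/:?#]+)(.*)$", value.strip(), re.IGNORECASE)
            if m and host_matches(pattern, m.group(1)):
                line = f"{name}: https://{m.group(1)}{m.group(2)}"
        rewritten.append(line)
    return "\r\n".join(rewritten) + sep + body


if __name__ == "__main__":
    print(rewrite_location(SAMPLE_RESPONSE, r"foo2\.bar\..*"))
```

Comparing `foo2\.bar\..*`, `foo2\.bar\.com` and the unescaped `foo2.bar.com` with `host_matches` shows why the escaped dots matter: unescaped dots match any character, so a host such as foo2xbarxcom would also be rewritten.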
Detailed Configuration
access-list INBOUND line 8 extended permit ip any any
parameter-map type http PERSISTENCE-REBALANCE
persistence-rebalance
\\define the rserver host
rserver host SERVER1
ip address 10.66.85.162
inservice
\\as mentioned above in the Key Config section (escaped dots match literal dots in foo2.bar.com)
action-list type modify http SSL_URL_REWRITE
ssl url rewrite location "foo2\.bar\.com"
\\define serverfarm with the rserver
serverfarm host HTTP-SFARM
rserver SERVER1 80
inservice
ssl-proxy service TEST-CERT
key simon.key
cert simon.crt
\\sticky group based on the client source IP, pointing at the serverfarm defined above
sticky ip-netmask 255.255.255.255 address source SOURCEIP-STICKY-HTTP-SFARM
replicate sticky
serverfarm HTTP-SFARM
\\class map to match SSL traffic to VIP address
class-map match-all SSL-VIP
2 match virtual-address 10.66.85.77 tcp eq https
\\class map to match management traffic
class-map type management match-any remote_access
202 match protocol icmp any
204 match protocol ssh any
207 match protocol snmp any
208 match protocol telnet any
209 match protocol http any
210 match protocol https any
211 match protocol xml-https any
\\policy map to permit traffic matched by remote_access class
policy-map type management first-match management
class remote_access
permit
\\policy map to do ssl url rewrite on serverfarm address selected
policy-map type loadbalance first-match LB-L7-POLICY
class class-default
sticky-serverfarm SOURCEIP-STICKY-HTTP-SFARM
action SSL_URL_REWRITE
\\policy map to define action on traffic matched by SSL-VIP class
policy-map multi-match LB-L4-POLICY
class SSL-VIP
loadbalance vip inservice
loadbalance policy LB-L7-POLICY
loadbalance vip icmp-reply
nat dynamic 1 vlan 805
appl-parameter http advanced-options PERSISTENCE-REBALANCE
ssl-proxy server TEST-CERT
interface vlan 805
description "Client Side"
ip address 10.66.85.75 255.255.255.224
alias 10.66.85.74 255.255.255.224
peer ip address 10.66.85.76 255.255.255.224
access-group input INBOUND
nat-pool 1 10.66.85.78 10.66.85.78 netmask 255.255.255.255
service-policy input management
service-policy input LB-L4-POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 10.66.85.65
The above configuration should work fine for URL rewrite. If you need URL redirection instead, configure the following:
rserver redirect url1
webhost-redirection https://abc.com/xyx 302
inservice
You can simply configure an rserver redirect and reference that server in a serverfarm. Configure a policy map as shown above and associate the SSL proxy with the corresponding class under the policy map. Your main URL should arrive at the VIP specified in the class (class Test); it is then load balanced to the serverfarm and redirected, since SSL offloading is in place.