Cisco ACE: HTTP to HTTPS redirection with SSL Termination

In a Cisco ACE configuration, real servers are dedicated physical servers that you typically configure in groups called server farms. Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location in a data center. Web sites often comprise groups of servers configured in a server farm. Load-balancing software distributes client requests for content or services among the real servers based on the configured policy and traffic classification, server availability and load, and other factors.
This document describes a scenario in which the ACE redirects traffic from an HTTP connection to an HTTPS connection and terminates the SSL session itself.


SSL Termination

SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server. In order for the Cisco ACE to be able to terminate SSL sessions, it will need to be configured with both an SSL certificate and a corresponding SSL key. SSL files (both certificate and key) can either be generated using a tool such as OpenSSL or requested from a certificate authority. The SSL termination configuration begins like the basic Layer 4 load-balancing configuration, by defining a VIP and corresponding server farm and rservers. Although the VIP can be configured with a port of “any,” the ACE will do a TCP reset on any non-SSL connections. To prevent this, it is recommended that you bind the VIP to a port.



In this example, clients that connect to the VIP on port 80 (HTTP) are redirected to the same FQDN and path on port 443 (HTTPS). Clients then open an HTTPS session to the ACE, where the SSL session is terminated and the request is load balanced to the real servers.

You can use a redirect rserver to redirect HTTP connections to HTTPS. The HTTP-to-HTTPS redirect in this example is a 301 (permanent) redirect. The 301 can be either removed or changed to 302 to revert to the default of a temporary redirect.

rserver redirect REDIRECT-TO-HTTPS
 webhost-redirection https://%h%p 301

rserver host SERVER_01
  ip address

rserver host SERVER_02
  ip address

ssl-proxy service SSL_SERVICE
  key mykey.pem
  cert mycert.pem

serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-TO-HTTPS

serverfarm host REAL_SERVERS
  rserver SERVER_01 80
  rserver SERVER_02 80

class-map match-all HTTP-VIP
  2 match virtual-address tcp eq http
class-map match-all HTTPS-VIP
  2 match virtual-address tcp eq https

policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SERVERFARM

policy-map type loadbalance first-match LOAD-BALANCE-PM
  class class-default
   serverfarm REAL_SERVERS

policy-map multi-match WEB-TRAFFIC
  class HTTP-VIP
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM
    loadbalance vip icmp-reply
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy LOAD-BALANCE-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_SERVICE
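
As an added example (not part of this article and not Cisco ACE code), the following Python script validates a response captured from the port-80 VIP against the configured webhost-redirection https://%h%p 301 rule: it expands the template from the request's Host header (%h) and request path (%p) and checks the status code, scheme and host of the Location header. The HTTP responses are constructed samples, and treating %p as the full request-URI after the host is an assumption of the script.

```python
from urllib.parse import urlsplit

# Constructed sample: what the ACE redirect rserver should return for
# "GET /login?x=1" with "Host: www.example.com" under
#   webhost-redirection https://%h%p 301
REQUEST_HOST = "www.example.com"
REQUEST_PATH = "/login?x=1"  # assumption: %p is the request-URI after the host
GOOD_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/login?x=1\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed sample of a misconfigured redirect (302, still plain HTTP)
BAD_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://www.example.com/login?x=1\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def expected_location(template, host, path):
    """Expand the ACE webhost-redirection template: %h = Host header, %p = path."""
    return template.replace("%h", host).replace("%p", path)

def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lower-case header: value})."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split(" ", 2)[1]), headers

def check_redirect(raw, host, path, template="https://%h%p", code=301):
    """Return a list of findings; an empty list means the redirect matches the rule."""
    status, headers = parse_response(raw)
    location = headers.get("location", "")
    findings = []
    if status != code:
        findings.append("status %d, expected %d" % (status, code))
    if location != expected_location(template, host, path):
        findings.append("Location %r does not match the template" % location)
    target = urlsplit(location)
    if target.scheme != "https":
        findings.append("Location does not use https")
    if target.hostname != host.lower():  # stay on the host the client asked for
        findings.append("Location host differs from the requested host")
    return findings
```

Run check_redirect against a response captured from the VIP; an empty list confirms the 301 lands on the same host and path over HTTPS, while each finding names one deviation from the configured rule.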


HTTPS to HTTPS Redirection

In the case of HTTPS, the ACE must be able to inspect the HTTP header before it can perform the redirection; this is possible by terminating SSL first and then load balancing the request to a redirect serverfarm. The URL/URI rewrite feature was introduced in the A5 train. The HTTP URL rewrite feature enables the ACE to rewrite URI/URL pathnames in HTTP requests. You can rewrite the URL value in an HTTP request from a client using the url rewrite command in action-list modify configuration mode.

url rewrite url_regex replace new_url_regex


Related Information

Configuring SSL Termination
SSL Termination on the Cisco Application Control Engine
ACE URL rewrite SSL from HTTP to HTTPS