Cisco Community
English
Register
Get a preview of new Cisco Intersight innovations – Join the Customer Connection Program to register for January 22 Data Center briefing
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

SSL URL Rewrite with wildcard on ACE

4868
Views
0
Helpful
0
Comments
Simon Chow
Simon Chow Cisco Employee
‎06-18-2011 10:48 PM
edited on: ‎06-18-2011 ‎10:48 PM

Introduction

 

When doing SSL termination on ACE, there are times when the rserver  might not have knowledge that the client only see https and would send a  HTTP redirect with a http link (instead of https). This would  inadvertently cause the client to leave the encypted session. It's  possible to have ACE rewrite the http link to https. This document shows  an example configuration to achieve the ACE SSL URL rewrite functionality.


client browser---------https--------ACE-------http---------rserver

In the following example, the rserver would send a HTTP 301 redirect with link http://foo2.bar.com, and the ACE would rewrite the link to https://foo2.bar.com

 

Version

 

The configuration shown in this document is created on ACE 4710 Appliance running A3(2.5) version software.

For the ACE module URL rewrite is supported on version c6ace-t1k9-mz.A2_1.bin or later. Remember that both ACE will need to have certificates and keys.

 

Key Config

 

The key configuration is under the "action-list" command. The following commands to rewrite http://foo2.bar.com to https://foo2.bar.com

 

action-list type modify http SSL_URL_REWRITE
ssl url rewrite location "foo2\.bar\..*"

 

Note, the use of wildcard with .*

This would rewrite http://foo2.bar.com to https://foo2.bar.com

or http://foo2.bar.org to https://foo2.bar.org

or http://foo2.bar.xyz to https://foo2.bar.xyz etc...

 

Two dots is needed for the wildard to work. The "\." (escape  character \ and .) means to match a dot. Then ".*" means wildcard (zero or  more of any character).

 

For the list a list of the supported characters ACE use in  regular expressions. Please see "Special Characters for Matching String  Expressions" in the following link:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/terminat.html#wp1185066

 

Detail Configuration

 

access-list INBOUND line 8 extended permit ip any any

parameter-map type http PERSISTENCE-REBALANCE
 persistence-rebalance

\\define the rserver host
rserver host SERVER1
 ip address 10.66.85.162
 inservice

\\as mentioned above in Key Config section
action-list type modify http SSL_URL_REWRITE
 ssl url rewrite location "foo2\.bar\..com"

\\define serverfarm with the rserver
serverfarm host HTTP-SFARM
 rserver SERVER1 80
   inservice

ssl-proxy service TEST-CERT
 key simon.key
 cert simon.crt

\\select the address of the server defined in serverfarm
sticky ip-netmask 255.255.255.255 address source SOURCEIP-STICKY-HTTP-SFARM
 replicate sticky
 serverfarm HTTP-SFARM

\\class map to match SSL traffic to VIP address
class-map match-all SSL-VIP
 2 match virtual-address 10.66.85.77 tcp eq https

\\class map to match management traffic
class-map type management match-any remote_access
 202 match protocol icmp any
 204 match protocol ssh any
 207 match protocol snmp any
 208 match protocol telnet any
 209 match protocol http any
 210 match protocol https any
 211 match protocol xml-https any

\\policy map to permit traffic matched by remote_access class
policy-map type management first-match management
 class remote_access
   permit

\\policy map to do ssl url rewrite on serverfarm address selected
policy-map type loadbalance first-match LB-L7-POLICY
 class class-default
   sticky-serverfarm SOURCEIP-STICKY-HTTP-SFARM
   action SSL_URL_REWRITE

\\policy map to define action on traffic matched by SSL-VIP class
policy-map multi-match LB-L4-POLICY
 class SSL-VIP
   loadbalance vip inservice
   loadbalance policy LB-L7-POLICY
   loadbalance vip icmp-reply
   nat dynamic 1 vlan 805
   appl-parameter http advanced-options PERSISTENCE-REBALANCE
   ssl-proxy server TEST-CERT

interface vlan 805
 description "Client Side"
 ip address 10.66.85.75 255.255.255.224
 alias 10.66.85.74 255.255.255.224
 peer ip address 10.66.85.76 255.255.255.224
 access-group input INBOUND
 nat-pool 1 10.66.85.78 10.66.85.78 netmask 255.255.255.255
 service-policy input management
 service-policy input LB-L4-POLICY
 no shutdown

ip route 0.0.0.0 0.0.0.0 10.66.85.65

 

The above configuration should work fine for URL rewrite, in case you need URL redirection configure following.

 

rserver redirect url1

  webhost-redirection  https://abc.com/xyx  302

Inservice

 

You can just configure rserver redirect and call this server in serverfarm. Configure a policy map as shown above and also associate SSL proxy with the corresponding class under policy map.You main URL should come to a VIP specified in class Test and then it will be LB to serverfarm and should be redirected since SSL offloading is there in place.

 

Related information

 

ACE behavior with static sticky and rserver down situation

Deploying GSS and ACE in least loaded GSLB based on VIP conn number

Configure ACE with SSL Termination and URL Rewrite

0 Helpful
Latest Contents
3164 "Failed to process nxos image". Pre-upgrade check faile...
Created by ManuelRubio2020 on 01-17-2020 07:32 AM
0
0
0
0
Hello Guys, I am trying to flash a 3164 from 7.0(3)I7(5a) to  nxos.7.0.3.I4.8.bin But i keep getting the below error:I do have space so i do not think it's a space issue.Any ideas? Thank you.  switch# sh verCisco Nexus Operating S... view more
Route Leaking issue in Global to vrf
Created by nikhil93 on 01-17-2020 02:13 AM
1
0
1
0
Hello Everyone, We recently are doing a cloud setup and facing an issue with VRF Route-Leaking. Let me explaing you the Scenario.Bellow is the simple network connection diagram. I have attached the detailed one on the discussion. Problem Stateme... view more
Question on using postman to configure a static vpc port bin...
Created by jgesualdi on 01-16-2020 01:26 PM
2
0
2
0
I use postman in the following way to configure a static epg port binding, a vpc connection. https://apic01/api/node/mo/uni/tn-tn_{{tenant}}/ap-ap_{{ap}}/epg-epg_{{epg}}_{{tenant}}.json {"fvRsPathAtt": {"attributes": {"encap": "vlan-{{epg}}","tD... view more
service graphs and lockin
Created by jmattbullen on 01-16-2020 12:23 PM
0
0
0
0
How does everyone feel about service graphs in a brownfield network centric cutover?  maybe I'm an old school engineer but I was taught that if you have to do a Pbr then your design is wrong.  they are a pain to troubleshoot because you always f... view more
Anyone deploy Aci virtual Edge(AVE) in prod yet?
Created by jmattbullen on 01-16-2020 11:57 AM
0
0
0
0
I've deployed on our test cluster and it was an easy install with no issues but thats with just a few vms pinging back and forth with some ftp transfers.  Has anyone deployed in production yet?  Any regrets?
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
FusionCharts will render here