Tuesday, Nov 13 2012

Cisco CSS 11500 HTTP-to-HTTPS (SSL) Redirection

A simple approach to handle sites that require SSL (HTTPS) encryption is to not allow plain-text HTTP, but that’s not very user-friendly and no one likes having to type extra characters into the browser to indicate HTTPS as the URI scheme.  So the elegant solution for the client-side request is to allow HTTP, but then to redirect all such requests over to SSL.  If you’re doing SSL Acceleration on your CSS 11500 load-balancer anyway, and you have public facing sites, you should also be doing HTTP-to-HTTPS (SSL) redirection.

Assuming you already have SSL termination configured, you’ll already have SSL and HTTP VIPs that work together.  The trick is to add a different VIP (virtual IP address) for the SSL proxy and convert the existing HTTP rule to a redirect rule.  Optionally, you could use a redirect service in the rule instead.  Entire config snippets available here.

The relevant parts of your config may initially look like:

owner www.example.com
  content http
    vip address 10.x.y.z
    port 80
    protocol tcp
    add service web01
    add service web02
    balance leastconn
    active
  content ssl
    add service ssl-accel1
    vip address 10.x.y.z
    port 443
    protocol tcp
    application ssl
    active

An SSL rule is paired with an HTTP rule, using the same VIP to keep things simple (or in case direct HTTP access is permitted internally via the DNS name mapped to these rules).  An SSL proxy ties up all the encryption pieces such as the RSA key and certificate, and mates the SSL VIP to the HTTP VIP.

When it’s undesirable to allow HTTP traffic, you’ll need to add a third rule like the example below under the same www.example.com owner, which is identical to the HTTP rule except for the 10.a.b.c VIP:

owner www.example.com
  content default-proxy
    vip address 10.a.b.c
    port 80
    protocol tcp
    add service web01
    add service web02
    balance leastconn
    active

Then convert the HTTP rule to a redirect like:

content http
  vip address 10.x.y.z
  url "/*"
  port 80
  protocol tcp
  redirect "https://www.example.com"
  active

Any plain-text requests are sent to https://www.example.com (no path) regardless of the original URI path or query parameters.

Optionally, you could use a redirect service in the rule to preserve the URI path and query parameters.

service example-redirect
  type redirect
  no prepend-http
  domain "https://www.example.com"
  keepalive type none
  active

Do not configure a redirect-string in the redirect service (it is omitted above): unlike the domain command, redirect-string does not preserve the URI path and query parameters.  Note the "no prepend-http", which is required to change the URI scheme from HTTP to HTTPS.
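The difference between the two variants above (the `redirect` command in the content rule drops the path and query; the redirect service with `domain` keeps them) is easy to verify from the client side by inspecting the 3xx response. The checker below is an added example, not part of the original post or a Cisco tool: it parses a raw HTTP response, confirms the redirect points at HTTPS on the same host, and reports whether the original path and query string survived. Both responses are constructed to model the two CSS configurations; the CSS's exact status line and header set are not taken from the post.

```python
"""Verify an HTTP->HTTPS redirect: https scheme, same host, path and query preserved.
Added example; the responses are constructed, not captured from a CSS 11500."""
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, {lowercased header name: value})."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _sep, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(host: str, target: str, raw_response: bytes) -> list:
    """Return a list of findings; an empty list means the redirect behaves as intended."""
    status, headers = parse_response(raw_response)
    if status not in REDIRECT_CODES:
        return [f"expected a 3xx redirect, got {status}"]
    location = headers.get("location")
    if not location:
        return ["redirect without a Location header"]

    new = urlsplit(location)
    old = urlsplit(target)
    findings = []
    if new.scheme != "https":
        findings.append(f"redirect target scheme is {new.scheme!r}, not https")
    if (new.hostname or "").lower() != host.lower():
        findings.append(f"redirect changes host to {new.hostname!r}")
    got_path = new.path or "/"
    if got_path != old.path:
        findings.append(f"path {old.path!r} not preserved (got {got_path!r})")
    if new.query != old.query:
        findings.append("query string not preserved")
    return findings


# Constructed request and responses modelled on the two configurations in the post.
HOST = "www.example.com"
TARGET = "/app/login?next=%2Freports"

# `redirect "https://www.example.com"` in the content rule: path and query are dropped.
RULE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://www.example.com\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Redirect service with `domain` and `no prepend-http`: path and query are kept.
SERVICE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://www.example.com/app/login?next=%2Freports\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, resp in (("content-rule redirect", RULE_REDIRECT),
                        ("redirect service", SERVICE_REDIRECT)):
        print(label + ":", check_redirect(HOST, TARGET, resp) or "OK")
```

Run against a live VIP by replacing the constructed byte strings with the raw response from a plain-text request (for example, what a simple socket client receives); a redirect that fails the path or query check is the content-rule variant, and one that changes host or scheme points at a misconfigured `domain` or missing `no prepend-http`.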

If you go the optional route of using a redirect service, then you should remove the redirect command from the http rule if you added it earlier and replace it with the example-redirect service.

owner www.example.com
  content http
  …
    add service example-redirect

And finally, modify your SSL proxy virtual server to send the plain-text requests to 10.a.b.c.  The SSL virtual server still matches the VIP address on 10.x.y.z.

Entire config snippets available here.

When www.example.com points to 10.x.y.z, requests to http://www.example.com get redirected to https://www.example.com (SSL), and the SSL proxy on the CSS maps to the 10.a.b.c VIP that matches the default-proxy content rule above.  Any application links should either be protocol-independent or set based on an HTTP header-insert from the CSS 11500 to the web server to indicate whether the original request came in on HTTPS, as the web server only sees HTTP.
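Since the web server behind the CSS only ever sees plain HTTP, the application has to decide the client-facing scheme from the header the CSS inserts, and it should only believe that header when the connection actually came from the load balancer (a client that can reach a web server directly could send the same header). The helper below is an added example, not part of the post or of any Cisco configuration: the header name `X-Original-Proto` and the trusted source range `192.0.2.0/24` are assumptions, because the post names neither the header nor the addresses the CSS proxies from.

```python
"""Derive the original scheme behind an SSL-terminating load balancer.
Added example; the header name and proxy address range are assumptions."""
from ipaddress import ip_address, ip_network

# Assumed: source addresses the CSS uses for its proxied connections to the web servers.
TRUSTED_PROXY_NETS = [ip_network("192.0.2.0/24")]
# Assumed: name of the header the CSS is configured to insert on SSL-terminated requests.
PROTO_HEADER = "x-original-proto"


def original_scheme(peer_ip: str, headers: dict) -> str:
    """Return 'https' only when the trusted load balancer says the client used SSL.

    `headers` maps lowercased header names to values. Requests that did not arrive
    from the load balancer are treated as plain HTTP regardless of what they claim.
    """
    peer = ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXY_NETS):
        return "http"
    value = headers.get(PROTO_HEADER, "").strip().lower()
    return "https" if value == "https" else "http"


def absolute_link(peer_ip: str, headers: dict, host: str, path: str) -> str:
    """Build a link with the scheme the client actually used (for redirects, emails, etc.)."""
    return f"{original_scheme(peer_ip, headers)}://{host}{path}"


def protocol_relative_link(host: str, path: str) -> str:
    """Protocol-independent alternative: the browser reuses the scheme of the current page."""
    return f"//{host}{path}"


if __name__ == "__main__":
    via_lb = {"host": "www.example.com", PROTO_HEADER: "https"}
    print(absolute_link("192.0.2.10", via_lb, "www.example.com", "/account"))
    print(absolute_link("203.0.113.5", via_lb, "www.example.com", "/account"))
    print(protocol_relative_link("www.example.com", "/account"))
```

The trust check is the important part: if every request is accepted as HTTPS whenever the header is present, any host that can reach a web server on port 80 without going through the VIP can have links and redirects built as if it were on SSL.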

20121113.3
