Cisco CSS 11500 HTTP-to-HTTPS (SSL) Redirection
Posted by generalnetworkerror on Tue, November 13, 2012 at 1:27
Tagged: best current practice, http, ssl, webns; filed under load balancing

A simple approach to handling sites that require SSL (HTTPS) encryption is to refuse plain-text HTTP altogether, but that is not very user-friendly: no one likes having to type extra characters into the browser to specify HTTPS as the URI scheme. The more elegant solution on the client side is to accept HTTP but redirect every such request to SSL. If you are doing SSL acceleration on your CSS 11500 load balancer anyway, and you have public-facing sites, you should also be doing HTTP-to-HTTPS (SSL) redirection.
Assuming you already have SSL termination configured, you will already have SSL and HTTP VIPs that work together. The trick is to add a different VIP (virtual IP address) for the SSL proxy and convert the existing HTTP rule to a redirect rule. Optionally, you can use a redirect service in the rule instead. Entire config snippets available here.
The relevant parts of your config may initially look like:
owner www.example.com
  content http
    vip address 10.x.y.z
    port 80
    protocol tcp
    add service web01
    add service web02
    balance leastconn
    active
  content ssl
    add service ssl-accel1
    vip address 10.x.y.z
    port 443
    protocol tcp
    application ssl
    active
An SSL rule is paired with an HTTP rule, using the same VIP to keep things simple (or in case direct HTTP access is permitted internally via the DNS name mapped to these rules). An SSL proxy ties together all the encryption pieces, such as the RSA key and certificate, and mates the SSL VIP to the HTTP VIP.
When it is undesirable to allow HTTP traffic, you will need to add a third rule like the example below under the same www.example.com owner. It is identical to the HTTP rule except for its name and the 10.a.b.c VIP:
  content default-proxy
    vip address 10.a.b.c
    port 80
    protocol tcp
    add service web01
    add service web02
    balance leastconn
    active
Then convert the HTTP rule to a redirect like:
  content http
    vip address 10.x.y.z
    url "/*"
    port 80
    protocol tcp
    redirect "https://www.example.com"
    active
Any plain-text request is sent to https://www.example.com (no path), regardless of the original URI path or query parameters.
Optionally, you can use a redirect service in the rule instead, which preserves the URI path and query parameters:
service example-redirect
  type redirect
  no prepend-http
  domain "https://www.example.com"
  keepalive type none
  active
Do not use a redirect-string command (omitted above) in the redirect service; unlike the domain command, it does not preserve the URI path and query parameters. Note the "no prepend-http", which is required to change the URI scheme from HTTP to HTTPS.
If you go the optional route of using a redirect service, remove the redirect command from the http rule (if you added it earlier) and add the example-redirect service in its place:
owner www.example.com
  content http
    …
    add service example-redirect
And finally, modify your SSL proxy virtual server to send the plain-text requests to 10.a.b.c. The SSL virtual server itself still matches the VIP address 10.x.y.z.
When www.example.com points to 10.x.y.z, requests to http://www.example.com are redirected to https://www.example.com (SSL), and the SSL proxy on the CSS forwards the decrypted requests to the 10.a.b.c VIP, which matches the default-proxy content rule above. Any application links should either be protocol-independent or be built from an HTTP header inserted by the CSS 11500 toward the web server to indicate whether the original request arrived over HTTPS, since the web server itself only ever sees HTTP.
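As an added check after making the change (example code written for this post, not part of the original and not a Cisco tool), the script below parses a raw HTTP response and verifies that the redirect goes to https on the expected host and preserves the original path and query. The two responses are constructed to stand for what a client would see from the plain redirect rule and from the redirect service; they were not captured from a CSS.

```python
from urllib.parse import urlsplit
# Constructed sample responses for the two redirect configurations above (not captured from a real CSS).
RESPONSE_REDIRECT_RULE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://www.example.com\r\n"
    b"Connection: close\r\n\r\n"
)
RESPONSE_REDIRECT_SERVICE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://www.example.com/login?next=/app\r\n"
    b"Connection: close\r\n\r\n"
)
ORIGINAL_URL = "http://www.example.com/login?next=/app"

def parse_response(raw):
    """Return (status_code, headers) parsed from a raw HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(original_url, raw_response, expected_host):
    """Return a list of problems with the redirect; an empty list means it is fine."""
    problems = []
    status, headers = parse_response(raw_response)
    if status not in (301, 302, 307, 308):
        problems.append("status %d is not a redirect" % status)
    location = headers.get("location")
    if location is None:
        return problems + ["no Location header"]
    orig, dest = urlsplit(original_url), urlsplit(location)
    if dest.scheme != "https":
        problems.append("Location scheme is %r, not https" % dest.scheme)
    if dest.hostname != expected_host:
        problems.append("Location host %r != %r" % (dest.hostname, expected_host))
    if (dest.path or "/") != (orig.path or "/"):
        problems.append("path %r not preserved (got %r)" % (orig.path, dest.path))
    if dest.query != orig.query:
        problems.append("query %r not preserved (got %r)" % (orig.query, dest.query))
    return problems

if __name__ == "__main__":
    for name, raw in (("redirect rule", RESPONSE_REDIRECT_RULE),
                      ("redirect service", RESPONSE_REDIRECT_SERVICE)):
        print(name + ":", check_redirect(ORIGINAL_URL, raw, "www.example.com") or "ok")
```

Run against a live VIP, the same check applies to the response returned by a plain `http://` request (for example, one sent with curl without following redirects) and flags the path and query loss of the plain redirect rule.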