New Contributor
Posts: 3
Registered: ‎07-22-2009

http -> https redirect not working

I'm trying to redirect all http traffic to https.  Our config is listed below.  Any assistance would be greatly appreciated.

csw-policy "http-redirect"
default redirect "*" "*" ssl
!

server real dsmweb01 10.10.30.50
port ssl
port ssl healthck dsmweb01_ssl
port ssl keepalive
port ssl l7-bringup-interval 15
port http
port http url "HEAD /"
!

server virtual dsm 10.10.32.69
port http
port http csw-policy "http-redirect"
port http csw
bind http dsmweb01 http dsmweb02 http dsmweb03 http
bind ssl dsmweb01 ssl dsmweb02 ssl dsmweb03 ssl
!

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: http -> https redirect not working

The config does not look too bad. It is basically what you have to configure to redirect traffic from http to https, as you can see here:

http://community.brocade.com/home/docs/DOC-1574

I assume your request is going to http://10.10.32.69/... and you would like this to redirect to https://10.10.32.69/... - correct? What type of hardware are you talking about and what is the release you are using?

Do you have any debug details like the output of url debug or a trace of the traffic?

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: http -> https redirect not working

Any update related to this one? Have you checked what is happening using a sniffer? Talking about URL debug, you have to do the following, assuming a.b.c.d is a test client IP. I do assume as well that you are using a 1 BP system like the 4G or a WSM6-1 in slot 1:

> ena

# rconsole 1 1

1/1#url debug 3 <a.b.c.d>

SEND A REQUEST

DEBUG OUTPUT HERE

1/1#url debug 0 <a.b.c.d>

1/1#rconsole-exit

#

Cheers!

New Contributor
Posts: 3
Registered: ‎07-22-2009

Re: http -> https redirect not working

The unit having the issue is:

ServerIron 4G
SW: (1)11.0.00bTJ3

Running a debug indicates that the HTTP reply is never received by the client.  A Wireshark capture from the client side confirms this.  I don't know how this is possible though??  Without the redirect in place both HTTP and HTTPS work just fine.

Any ideas?


C 13440: SYN recv: re: 10.10.10.159:13440, lo: 10.10.32.69:80
        send SYN ACK to C: re 10.10.10.159:13440, lo 10.10.32.69:80
C 13440: SYN_RECV, data = 0, re: 10.10.10.159:13440, lo: 10.10.32.69:80
        ACK recv, SYN_RECV->WAIT_REQ
C 13440: WAIT_REQ, data = 704, re: 10.10.10.159:13440, lo: 10.10.32.69:80
        URL </> Length = 1
        No CSW rule hit, take default action 2
        Redirect to HTTP/1.1 302 Moved Temporarily
Server: HTTP Proxy/1.0
Connection: Close
Content-Length: 0
Location: https://10.10.32.69/, 00
        send Page to client
URL: send syn ack, no arp entry
        State changed to PAGE REPLIED, exp_seq(2154035251), next_seq_to_send(7536362)
C 13440: PAGE_REPLD, data = 704, re: 10.10.10.159:13440, lo: 10.10.32.69:80
C 13440: PAGE_REPLD, data = 704, re: 10.10.10.159:13440, lo: 10.10.32.69:80
C 13440: PAGE_REPLD, data = 536, re: 10.10.10.159:13440, lo: 10.10.32.69:80
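
The pattern in the debug output above (a 302 page is sent, then the same client connection keeps showing up in PAGE_REPLD with data) can be flagged automatically. This is an added example, not part of the original post and not Brocade tooling; the function name, the threshold, the second sample connection, and the reading of PAGE_REPLD lines with data as client retransmissions are assumptions.

```python
import re

# Connection 13440 is taken from the debug output in the post above;
# connection 13441 is constructed here to show a client that got its reply.
SAMPLE = """\
C 13440: WAIT_REQ, data = 704, re: 10.10.10.159:13440, lo: 10.10.32.69:80
        URL </> Length = 1
        No CSW rule hit, take default action 2
        Redirect to HTTP/1.1 302 Moved Temporarily
Location: https://10.10.32.69/, 00
        send Page to client
C 13440: PAGE_REPLD, data = 704, re: 10.10.10.159:13440, lo: 10.10.32.69:80
C 13440: PAGE_REPLD, data = 704, re: 10.10.10.159:13440, lo: 10.10.32.69:80
C 13440: PAGE_REPLD, data = 536, re: 10.10.10.159:13440, lo: 10.10.32.69:80
C 13441: WAIT_REQ, data = 310, re: 10.10.10.160:13441, lo: 10.10.32.69:80
        Redirect to HTTP/1.1 302 Moved Temporarily
Location: https://10.10.32.69/, 00
        send Page to client
C 13441: PAGE_REPLD, data = 0, re: 10.10.10.160:13441, lo: 10.10.32.69:80
"""

CONN = re.compile(r"^C (\d+): (\w+)(?:, data = (\d+))?.*?re: ([\d.]+):\d+")
LOCATION = re.compile(r"^Location: (\S+?),")

def unanswered_redirects(log, min_resends=2):
    """Return connections where a page was sent but the client kept sending data.

    Assumption: PAGE_REPLD lines with data > 0 are the client retransmitting
    its request because the reply never reached it.
    """
    conns, cur = {}, None
    for line in log.splitlines():
        m = CONN.match(line)
        if m:
            port, state, data, client = m.groups()
            cur = conns.setdefault(port, {"client": client, "location": None,
                                          "page_sent": False, "resends": 0})
            if state == "PAGE_REPLD" and int(data or 0) > 0:
                cur["resends"] += 1
        elif cur is not None:
            loc = LOCATION.match(line.strip())
            if loc:
                cur["location"] = loc.group(1)
            elif "send Page to client" in line:
                cur["page_sent"] = True
    return {p: c for p, c in conns.items()
            if c["page_sent"] and c["resends"] >= min_resends}

if __name__ == "__main__":
    for port, c in unanswered_redirects(SAMPLE).items():
        print(f"{c['client']}:{port} sent {c['resends']} more segments after "
              f"the redirect to {c['location']}; check devices in the return path")
```

A hit means the load balancer believes it answered, so the next place to look is whatever sits between it and the client (routing, filters, inline inspection devices).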

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: http -> https redirect not working

This looks like a problem with routing or whatever. Layer 7 switching is going to enter different code parts than normal Layer 4 switching. It is working without the redirect as you have mentioned but that does not tell us anything except that there is a routing / forwarding problem as soon as CSW is getting used.

Is it possible to get the complete configuration? I have seen things like that with some feature combinations involving PBR or full tcp-proxy and so on. Otherwise try to get a trace of the traffic at the ethernet level from the ServerIron (a.b.c.d is the IP address of a test client):

> ena

# debug filter

(debug-filter)# sp 1

(debug-filter)# reset

(debug-filter)# ip dest a.b.c.d

(debug-filter)# exit

(debug-filter)# sp 2

(debug-filter)# reset

(debug-filter)# ip src a.b.c.d

(debug-filter)# exit

(debug-filter)# buff 1024

(debug-filter)# pack whole

(debug-filter)# start

DO A REQUEST HERE

(debug-filter)# stop

(debug-filter)# view bp 1 1

(debug-filter)# sum

SUMMARY IS HERE

(debug-filter)# ascii 1

PACKET #1 IS HERE

(debug-filter)# ascii 2

PACKET #2 IS HERE

(...)

(debug-filter)# ascii <n> <--- n depends on the output of debug filter

PACKET #n IS HERE

(debug-filter)# exit

#

I would suggest as well to raise a ticket for this - it is not the intention of this community to troubleshoot problems.

New Contributor
Posts: 3
Registered: ‎07-22-2009

Re: http -> https redirect not working

Turns out the SmartDefense on our Check Point firewall was pulling the reply from the 4G off the wire.  Not sure why??

Thanks for your help.

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: http -> https redirect not working

Looks like it is smarter than smart... :-)
