Application Delivery (ADX)

N/A
Posts: 1
Registered: ‎08-26-2012

How to redirect all HTTP requests to HTTPS and use url based forwarding.

I need to redirect all HTTP requests to HTTPS and use url based forwarding, for example a request to http://10.1.4.32/111 should be redirected to https://10.1.4.32/111 and balanced between the servers in group 10. I have implemented "redirect from HTTP to HTTPS" and "url based forwarding" separately.

I use ServerIron ADX 1000.

My config.

ver      12.4.00bT401
!
ssl profile sslprofile
 keypair-file RSAkey
 certificate-file test_cert
 cipher-suite all-cipher-suites
 allow-self-signed-cert
 verify-cert-depth 4
 session-cache off
ssl profile adx2
 keypair-file adx2
 certificate-file adx2
 cipher-suite all-cipher-suites
 allow-self-signed-cert
 verify-cert-depth 4
 session-cache off
!
server symmetric-port ethernet 8 vlan-id 2
!
server source-nat
server source-nat-ip 10.1.4.33 255.255.255.0 10.1.4.1 port-range 2
!
context default
!
server real vmapachetest01 10.1.4.51
 port http
 port http keepalive
 port http url "HEAD /"
 port http group-id  10 10
 port ssl
 port ssl group-id  10 10
 port 8980
 port 8980 group-id  10 10
 port 8943
 port 8943 group-id  10 10
!
server real vmapachetest02 10.1.4.52
 port http
 port http keepalive
 port http url "HEAD /"
 port ssl
 port 8980
 port 8943
!
server real vmapachetest03 10.1.4.53
 port http
 port http keepalive
 port http url "HEAD /"
 port ssl
 port 8980
 port 8943
!
server real vmapachetest04 10.1.4.54
 port http
 port http keepalive
 port http url "HEAD /"
 port http group-id  10 10
 port ssl
 port ssl group-id  10 10
 port 8980
 port 8980 group-id  10 10
 port 8943
 port 8943 group-id  10 10
!
!
server virtual VIP 10.1.4.32
 sym-priority 50
 predictor round-robin
 port default disable
 port http
 port ssl
 no port ssl sticky
 port ssl ssl-terminate sslprofile
 bind http vmapachetest01 http vmapachetest02 http vmapachetest03 http vmapachetest04 http
 bind ssl vmapachetest01 ssl real-port http vmapachetest02 ssl real-port http vmapachetest03 ssl real-port http vmapachetest04 ssl real-port http
!
server virtual VIP2 10.1.4.36
 sym-priority 50
 predictor round-robin
 port default disable
 port http
 port ssl
 no port ssl sticky
 port ssl ssl-terminate adx2
 bind http vmapachetest01 8980 real-port http vmapachetest02 8980 real-port http vmapachetest03 8980 real-port http vmapachetest04 8980 real-port http
 bind ssl vmapachetest01 8943 real-port http vmapachetest02 8943 real-port http vmapachetest03 8943 real-port http vmapachetest04 8943 real-port http
!

Contributor
Posts: 47
Registered: ‎07-14-2010

Re: How to redirect all HTTP requests to HTTPS and use url based forwarding.

Hello,

A couple of comments below.

1. 12.4 introduced multi-port bindings. No need to define port ssl, 8980, nor 8943. With this, you don't need real-port configuration. If you still use real-port, you cannot use the multi-port bindings feature. These are exclusive features.

2. Below, the first * is the domain and the second * is the url-path. A wildcard is generally recommended. ssl is the redirected port, 443. If you don't specify an HTTP code, 302 is used as location header.

csw-policy "p1"
 default redirect "*" "*" ssl

3. The "offset 0 length 0" means that the whole url-path is hashed into buckets. For this to work, you need to specify a server-id for each real server.

csw-policy "p2"
 match "r1" persist offset 0 length 0
 default forward 10

4. Below is a sample configuration in case of switch code. Router code is also fine.

ServerIronADX 1000#sh ru
!Building configuration...
!Current configuration : 3256 bytes
!
ver      12.4.00bT401
!
ssl profile sslprofile
 keypair-file RSAkey
 certificate-file test_cert
 cipher-suite all-cipher-suites
 allow-self-signed-cert
 verify-cert-depth 4
 session-cache off
ssl profile adx2
 keypair-file adx2
 certificate-file adx2
 cipher-suite all-cipher-suites
 allow-self-signed-cert
 verify-cert-depth 4
 session-cache off
!
server symmetric-port ethernet 8 vlan-id 2
!
!
no server l4-check
server source-nat
server source-nat-ip 10.1.4.33 255.255.255.0 10.1.4.1 port-range 2
!
context default
!
!
csw-rule "r1" url exists
!
csw-policy "p1"
 default redirect "*" "*" ssl
!
csw-policy "p2"
 match "r1" persist offset 0 length 0
 default forward 10
!
!
server real vmapachetest01 10.1.4.51
 port http
 port http keepalive
 port http url "HEAD /"
 port http server-id 1051
 port http group-id  10 10
!
server real vmapachetest02 10.1.4.52
 port http
 port http keepalive
 port http url "HEAD /"
 port http server-id 1052
!
server real vmapachetest03 10.1.4.53
 port http
 port http keepalive
 port http url "HEAD /"
 port http server-id 1053
!
server real vmapachetest04 10.1.4.54
 port http
 port http keepalive
 port http url "HEAD /"
 port http server-id 1054
 port http group-id  10 10
!
!
server virtual VIP 10.1.4.32
 sym-priority 50
 predictor round-robin
 port default disable
 port http
 port http csw-policy "p1"
 port http csw
 port http keep-alive
 port ssl
 no port ssl sticky
 port ssl ssl-terminate sslprofile
 port ssl csw-policy "p2"
 port ssl csw
 port ssl keep-alive
 bind http vmapachetest01 http vmapachetest02 http vmapachetest03 http vmapachetest04 http
 bind ssl vmapachetest01 http vmapachetest02 http vmapachetest03 http vmapachetest04 http
!
server virtual VIP2 10.1.4.36
 sym-priority 50
 predictor round-robin
 port default disable
 port http
 port http csw-policy "p1"
 port http csw
 port http keep-alive
 port ssl
 no port ssl sticky
 port ssl ssl-terminate adx2
 port ssl csw-policy "p2"
 port ssl csw
 port ssl keep-alive
 bind http vmapachetest01 http vmapachetest02 http vmapachetest03 http vmapachetest04 http
 bind ssl vmapachetest01 http vmapachetest02 http vmapachetest03 http vmapachetest04 http
!
ip alternative-default-gateway 10.1.4.0 255.255.255.0 10.1.4.1
vlan 1 name DEFAULT-VLAN by port
!
vlan 2 by port
 untagged ethe 8
!
eventlog size 256
aaa authentication web-server default local
no enable aaa console
ip address 10.1.4.222 255.255.255.0
ip default-gateway 10.1.4.254
telnet server
username admin password .....
!

5. Redirection testing.

root@ub00:~# curl -v 10.1.4.32/11111
* About to connect() to 10.1.4.32 port 80 (#0)
*   Trying 10.1.4.32... connected
> GET /11111 HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: 10.1.4.32
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Server: HTTP Proxy/1.0
< Connection: Close
< Content-Length: 0
< Location: https://10.1.4.32/11111
<
* Closing connection #0
root@ub00:~#
root@ub00:~#
root@ub00:~# curl -v 10.1.4.36/11111
* About to connect() to 10.1.4.36 port 80 (#0)
*   Trying 10.1.4.36... connected
> GET /11111 HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: 10.1.4.36
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Server: HTTP Proxy/1.0
< Connection: Close
< Content-Length: 0
< Location: https://10.1.4.36/11111
<
* Closing connection #0
root@ub00:~#

6. URL hash testing. The same URL always goes to the same real server.

root@ub00:~# curl -v -k  https://10.1.4.36/111111

Thanks.

//Kono
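
A check for the redirect tested in step 5 of the reply above, as an added example that is not part of the original thread or of any Brocade tooling: it parses a raw HTTP response head and confirms that the redirect upgrades to https, stays on the same host and preserves the requested path. The function names are hypothetical and the sample response is constructed from the curl output shown in the reply.

```python
from urllib.parse import urlsplit

# Constructed sample: response headers as shown in the reply's first curl test.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: HTTP Proxy/1.0\r\n"
    "Connection: Close\r\n"
    "Content-Length: 0\r\n"
    "Location: https://10.1.4.32/11111\r\n"
    "\r\n"
)


def parse_head(raw):
    """Return (status_code, headers) from a raw HTTP response head."""
    lines = raw.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(request_url, raw_response):
    """Return a list of problems; an empty list means the redirect is sound."""
    req = urlsplit(request_url)
    status, headers = parse_head(raw_response)
    problems = []
    if status not in (301, 302, 303, 307, 308):
        problems.append(f"status {status} is not a redirect")
    if "location" not in headers:
        return problems + ["no Location header"]
    loc = urlsplit(headers["location"])
    if loc.scheme != "https":
        problems.append(f"Location scheme is {loc.scheme!r}, not https")
    if loc.hostname != req.hostname:
        problems.append(f"host changed: {req.hostname} -> {loc.hostname}")
    if loc.port not in (None, 443):
        problems.append(f"unexpected port {loc.port}")
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        problems.append("path or query not preserved")
    return problems


if __name__ == "__main__":
    print(check_redirect("http://10.1.4.32/11111", SAMPLE_RESPONSE) or "redirect OK")
```

The response head printed by `curl -si http://<vip>/<path>` can be passed in as `raw_response` to run the same check against each virtual server.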
