Use ACE to redirect or insert a WWW in a client request
I am using ACE 4710s running 4.1 to load balance web traffic across our web server farms. Redirection is configured to redirect http to https. There is a new requirement to redirect a request that does not include the "www" in the URL to include the "www". In other words, if a client merely types "mytesturl.com/test1" the ACE is to redirect or rewrite and insert the www so the request becomes "www.mytesturl.com/test1". I am searching through the documentation, but thought I would pick the collective brains of the community at the same time to see who can come up with the correct answer first. Below is a sample of the working config.
Thanks in advance,
mb
rserver host RS_TEST_01
  description ***Test Producation Host***
  ip address 10.64.64.45
  inservice
rserver redirect RD_EC
  description ***TEST Sub-Site***
  webhost-redirection https://www.test.com/EC/
  inservice
rserver redirect http
  webhost-redirection https://%h%p 301
  inservice
serverfarm redirect REDIRECT
  rserver http
    inservice
serverfarm host SF_TEST
  rserver RS_TEST_01 80
    inservice
serverfarm redirect SF_EC
  description ***Test Sub-Site***
  rserver RD_EC
    inservice
sticky ip-netmask 255.255.255.0 address both STICKY_TEST_1
  timeout 600
  replicate sticky
  serverfarm SF_TEST
ssl-proxy service SSL_TEST_1
  key TEST_KEY
  cert TEST_CERT
  chaingroup VERISIGN
  ssl advanced-options SSL_TERMINATION
class-map match-any TEST_VIP_01
  description ***VIP for TEST***
  2 match virtual-address 10.64.74.45 tcp eq https
class-map type http loadbalance match-all TEST_EC
  2 match http url /ec*
policy-map type loadbalance first-match LB_TEST_01
  description ***Load Balancing Policy for Test***
  class TEST_EC
    serverfarm SF_EC
policy-map type loadbalance first-match LB_REDIRECT
  description L7SLBPolicy-Redirect
  class class-default
    serverfarm REDIRECT
policy-map multi-match NEW_WEB_POLICY
  class TEST_VIP_01
    loadbalance vip inservice
    loadbalance policy LB_TEST_01
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_TEST_1
interface vlan 474
  description ***Front End VIP interface***
  ip address 10.64.74.254 255.255.255.0
  alias 10.64.74.252 255.255.255.0
  peer ip address 10.64.74.253 255.255.255.0
  access-group input TEST_WEB
  service-policy input TEST_WEB_POLICY
  no shutdown
Hi Michael,
The configuration to achieve this would be something like the one below. I wrote it without trying it in the lab first, so make sure to test it before putting it in production (especially the syntax of the regular expressions).
rserver redirect http
  webhost-redirection https://%h%p 301
  inservice
rserver redirect http_and_www
  webhost-redirection https://www.%h%p 301
  inservice
serverfarm redirect REDIRECT
  rserver http
    inservice
serverfarm redirect REDIRECT_and_www
  rserver http_and_www
    inservice
class-map type http loadbalance match-all http_with_www
  2 match http header Host header-value www.*
policy-map type loadbalance first-match LB_REDIRECT
  description L7SLBPolicy-Redirect
  class http_with_www
    serverfarm REDIRECT
  class class-default
    serverfarm REDIRECT_and_www
I hope this helps
Daniel
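A small Python model of the LB_REDIRECT policy in the reply above, added here as an example (it is not the poster's or Cisco's code), for checking which serverfarm and Location each Host value yields before the change goes to production. The sample hosts, the stricter expression `www[.].*`, and whole-value regex matching are assumptions.

```python
import re

# Relocation strings and class-map expression as posted in the reply above.
SERVERFARMS = {
    "REDIRECT": "https://%h%p",              # rserver redirect http
    "REDIRECT_and_www": "https://www.%h%p",  # rserver redirect http_and_www
}
POSTED_REGEX = r"www.*"      # '.' matches any character, so "wwwshop..." also matches
ESCAPED_REGEX = r"www[.].*"  # assumption: stricter variant with a literal dot

# Constructed sample requests: (Host header, URL path).
SAMPLES = [
    ("mytesturl.com", "/test1"),
    ("www.mytesturl.com", "/test1"),
    ("wwwshop.mytesturl.com", "/"),
]


def expand(relocation, host, path):
    """Substitute %h (request Host header) and %p (request URL path) in one pass."""
    values = {"%h": host, "%p": path}
    return re.sub(r"%[hp]", lambda m: values[m.group(0)], relocation)


def lb_redirect(host, path, www_regex=POSTED_REGEX):
    """Model first-match policy LB_REDIRECT; return (serverfarm, Location).

    Assumption: the header-value expression has to match the whole Host
    value, which re.fullmatch approximates here.
    """
    if re.fullmatch(www_regex, host):
        farm = "REDIRECT"            # class http_with_www
    else:
        farm = "REDIRECT_and_www"    # class class-default
    return farm, expand(SERVERFARMS[farm], host, path)


def compare(samples=SAMPLES):
    """Return the hosts that the two expressions classify differently."""
    return [
        host for host, path in samples
        if lb_redirect(host, path, POSTED_REGEX)
        != lb_redirect(host, path, ESCAPED_REGEX)
    ]


if __name__ == "__main__":
    for regex in (POSTED_REGEX, ESCAPED_REGEX):
        print(f"header-value {regex}")
        for host, path in SAMPLES:
            farm, location = lb_redirect(host, path, regex)
            print(f"  {host}{path} -> {farm}: 301 {location}")
    print("classified differently:", compare())
```

With the expression as posted, a host that merely starts with the letters "www" is treated as already carrying the prefix; the escaped form sends it to the www-inserting serverfarm instead.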
Similar Messages
-
ACE http redirect on probe fail & others
Hi everyone,
I have multiple http based applications running on 2 servers and they are all referenced behind the published VIP from the load balancer.
The probes are already there, applications are accessed but one criteria from the business is not to fail the whole server for one application. There is some independence between the apps that if one fails, the other would need to still be load balanced.
I would like, if the application fails on both server, to maybe be able to redirect to another URL any request for a particular App/URL.
Any suggestions?
Hi,
To not declare a real server down if one of its applications fails, you should configure your probes in your serverfarm, and (if not already done) create a serverfarm per application.
If you want to be able to redirect a request sent to a failed serverfarm, you can configure a backup serverfarm in your L7 policy map like this:
serverfarm name1 backup name2
The second serverfarm should then be of the type:
serverfarm redirect name2
webhost-redirection relocation_string [301 | 302]
where the relocation_string is the URL that should be used, 301 is permanently moved and 302 is temporarily.
For the relocation_string, you can use following special characters:
%h Inserts the hostname from the request Host header
%p Inserts the URL path string from the request
More info can be found in this doc:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/slbgd.html
Hope this helps.
Kr,
Dario -
Hi,
How to configure the ACE to redirect a https request to different url.
For example
Clients requesting https://www.mycompany.com shall be redirected to https://www1.mycompany.com.
Please let me know.
Thanks in Advance
Hi Gilles,
I am having the certificate and the key.
Please check the config and confirm whether this looks fine or not.
I am using GSS to resolve www.mycompany.com and www1.mycompany.com
probe http Server1
  interval 15
  passdetect interval 60
  request method head url /keepAlive.html
  expect status 200 202
  open 10
parameter-map type ssl PARAMMAP_SSL_TERMINATION
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
rserver redirect HTTPS-REDIRECT
  conn-limit max 4000000 min 4000000
  webhost-redirection https://www1.mycompany.com.au 301
  inservice
serverfarm host SFARM_HTTPS
  rserver Server1_http 80
    inservice
serverfarm redirect https-redirect
  rserver HTTPS-REDIRECT
    inservice
ssl-proxy service SSL_PSERVICE
  key MYKEY.PEM
  cert ACE-SP2.CER
  ssl advanced-options PARAMMAP_SSL_TERMINATION
class-map type http loadbalance match-any HTTPS1
  2 match http header Host header-value "www[.]mycompany[.]com"
class-map type http loadbalance match-any HTTPS2
  2 match http header Host header-value "www1[.]mycompany[.]com"
policy-map type loadbalance first-match HTTPS
  class HTTPS1
    serverfarm https-redirect
  class HTTPS2
    serverfarm SFARM_HTTPS
  class class-default
    serverfarm SFARM_HTTPS
policy-map multi-match HTTPS-PM
  class HTTPS-RED
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_PSERVICE
Also let me know if there is any other way to configure the redirection other than matching host header.
Thanks in Advance -
ACE: URL redirect - not working
Hi,
I've to do url redirection from port 80 to port 443. I've following configured:
rserver redirect url.test.com-rd
  webhost-redirection https://url.test.com/
  inservice
serverfarm redirect url.test.com:80
  description url.test.com - port 80 redirect ***
  rserver url.test.com-rd
    inservice
class-map match-any url.test.com:80
  2 match virtual-address 192.168.1. tcp eq www
policy-map type loadbalance first-match url.test.com:80
  class class-default
    serverfarm url.test.com:80
policy-map multi-match LOAD_BALANCE
  class url.test.com:80
    loadbalance vip inservice
    loadbalance policy url.test.com:80
    loadbalance vip icmp-reply active
===
With the above configuration, ACE is redirecting port 80 to port 443 but it also rewrites the header, i.e. ACE sends me to
"https://url.test.com/" if I type "http://url.test.com/abc" in the browser. It should have redirected to "https://url.test.com/abc" (it shouldn't have removed "/abc").
Could you advise how to accomplish it?
Thanks in advance...
Hi,
Thanks pablo, but that isn't the expected response. The redirected url shows the load balanced server, i.e. for the following serverfarm of port 443:
serverfarm host url.test.com:443
  description url.test.com - Port 7777 ***
  failaction purge
  probe url.test.com:7777
  rserver server1.test.com 7777
    inservice
The redirected url comes as "http://server1.test.com:7777/abc/" ...instead of what I expect, i.e. I expect "https://url.test.com/abc/" -
WAAS with ACE - Use Ace or use WCCP or use PBR?
Which is better to use? I need to use two ACEs in HA (active x active). But the model of switch router is Enterasys and Enterasys don't have WCCP, but have TWCB (Transparent Web Cache Balancing, https://extranet.enterasys.com/sites/dms/DMSAssetLib/Documents/Feature%20Guides/twcbFeatGde041609.pdf), but my questions are:
1) I have two ACEs too; is it better to use the ACE to do this or not? (In reality I think that is not the best way.)
2) Can somebody tell me if TWCB is the same as WCCP?
3) With PBR can I use two WAAS in active x active mode?
Thanks
Hi Luciano,
I tried to open the link you provided, but it's asking me for an Enterasys username and password so I couldn't find out what exactly this feature is. My guess is that it allows some transparent redirection similar to WCCP, but I have no clue how this is achieved. Therefore, I'm just going to speak about the other options.
The first thing I would like to say is that, if you have to choose between PBR and ACE, I would recommend you to use the ACE. The main problem of PBR is that the redirection needs to be statically configured based on ACLs matching on the source or destination addresses, so you don't have any kind of redundancy if a WAE goes down, and you may have to rewrite the ACLs if something changes in your environment. With the ACE, the load-balancing is dynamically done, so if one of the WAEs fails or the traffic patterns change, the load distribution will be dynamically adjusted.
Regards
Daniel -
Hi guys.
Recently I saw the following config.
rserver redirect REDIRECT-TO-HTTPS
  webhost-redirection https://%h%p 301
  inservice
serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-TO-HTTPS
    inservice
I suspect this is a generic config to rewrite a redirection sent from rserver to client when it sends a http redirection and the client needs to do a https connection.
My question is: will this configuration rewrite all redirects? What happens if the redirect sent from the real server needs to reach the client as http (not translated)?
Thanks in advance.
Hi David,
The above configuration is for ACE to redirect and not "Rserver". So if a user comes on http://xyz.com and you want ACE to redirect it to https://xyz.com, you use the above configuration. Now there will be a class-map condition as well as policy maps and hence ACE will redirect only those requests which will match the condition. Also, redirect and rewrite are two different functions. If you want the ACE to intercept the server response and rewrite it, then you should have a look at the "URL Rewrite as well as SSL rewrite" features. Again you will have proper configurations in place for ACE to decide what to rewrite and what not.
Let me know if you have any questions.
Regards,
Kanwal -
Issues with using the output redirection character with newer NXOS versions?
Has anyone seen any issues with using the output redirection character with newer NXOS versions?
Am receiving "Error 0x40870004 while copying."
Simply copying a file from bootflash to tftp is ok.
This occurs for both 3CDaemon and Tftpd32 softwares.
Have tried it on multiple switches - same issue.
Any known bugs?
thanks!
The following is an example of bad (NXOS4.1.1b) and good (SANOS3.2.1a)
MDS2# sho ver | inc system
system: version 4.1(1b)
system image file is: bootflash:///m9200-s2ek9-mz.4.1.1b.bin
system compile time: 10/7/2008 13:00:00 [10/11/2008 09:52:55]
MDS2# sh int br > tftp://10.73.54.194
Trying to connect to tftp server......
Connection to server Established. Copying Started.....
TFTP put operation failed:Access violation
Error 0x40870004 while copying tftp://10.73.54.194/
MDS2# copy bootflash:cpu_logfile tftp://10.73.54.194
Trying to connect to tftp server......
Connection to server Established. Copying Started.....
|
TFTP put operation was successful
MDS2#
ck-ci9216-001# sho ver | inc system
system: version 3.2(1a)
system image file is: bootflash:/m9200-ek9-mz.3.2.1a.bin
system compile time: 9/25/2007 18:00:00 [10/06/2007 06:46:51]
ck-ci9216-001# sh int br > tftp://10.73.54.194
Trying to connect to tftp server......
|
TFTP put operation was successful
Please check with a new version of the TFTPD 32 server. The error may be due to an older version of the TFTP server; the new version available solved this error. Files are getting uploaded with no issues.
1. Download tftpd32b.zip from:
http://tftpd32.jounin.net/tftpd32_download.html
2. Copy the tftpd32b.zip file into an empty directory and extract it.
3. Copy the file you want to transfer into the directory containing tftpd32.exe.
4. Run tftpd32.exe from that directory. The "Base Directory" field should show the path to the directory containing the file you want to transfer.
At this point, the tftpserver is ready to begin serving files. As devices request files, the main tftpd32 window will log the requests.
Best Regards... -
How can i print reports to different printer by use Trigger on table after insert
Hello,
Please can any one tell me how can i print (any message) to different printer (network & local printer) by use Trigger on table after insert.
regards,
Linda.
What you want to do cannot be done with PL/SQL, which does have any print utilities. However you could write something using Java Stored Procedures.
Of course the "different printer" bit will have to be data driven as triggers are not interactive.
rgds, APC -
my iphone 5 said "only compatible sim cards from a supported carrier may be used to activate iphone. please insert the sim card that came with ur phone or visit a supported carrier's store to receive a replacement sim card" what do i do??? i live in a different country now!!!???(((
in many countries to make phones seem less expensive
carriers pay most of the phones price for the customer
but this come at the cost of the phone only being able to work
with the carrier this is called a sim lock
the only people who can remove a sim lock is the carrier which
the phone is sim locked to they been doing it like that for at least 20 years -
Can you refer to the original host name when using a challenge redirect?
I have an authentication scheme that uses a challenge redirect to cause authentication to happen using https instead of http. However, this seems to break some of our monitoring scripts because now the credential challenge is coming from a different host name. Is it possible to refer to the original host name with some type of variable in the challenge redirect parameter? Below is an example:
1. User accesses secured URL at http://appstenv2.company.com/testurl
2. This webserver is hosting several aliases (appstenv2.company.com, appstenv4.company.com, appstenv6.company.com) and has a main name of appsdev.company.com - but is a single apache webserver where there is an application server plugin installed which will route to the desired application server environment based on the original hostname. So if a user accesses it with a name of appstenv2.company.com/testurl they will be routed to the "test 2" environment application server. If they access it as appstenv6.company.com, they would be routed to the "test 6" environment application server.
3. This webserver listens on both http and https.
4. The current challenge redirect can only redirect to a specific URL so it is set to "https://appsdev.company.com" which works fine interactively but the recorded monitoring scripts suddenly see a new hostname doing the prompting for credentials even though it is the same webserver - just a different alias.
5. If possible, I would want to do the redirect in a relative fashion rather than absolute by using the original hostname from the URL being accessed. So, if the user was accessing http://appstenv2.company.com/testurl, I would like to redirect to https://appstenv2.company.com for the basic authentication. but with the same authentication scheme, if the user accesses http://appstenv6.company.com/testurl, I would want the challenge redirect to go to https://appstenv6.company.com. I'm hoping it's possible to use some system variable like SERVER_NAME to do this.
Challenge Redirect: https://$SERVER_NAME
Does anyone know if that is available in OAM 10.1.4.3 or some other way to accomplish the same thing with a single authentication scheme?
No, there are not multiple policies - the host names for all aliases on that single webserver are together in a single host identifier. And I realize I can only have a single challenge redirect, I just want to use a variable to redirect to the host name that was accessed as opposed to a static name.
-
Using 'dbms_obfuscation_toolkit.md5' in my insert statement itself
Hi all,
I am trying to use 'dbms_obfuscation_toolkit.md5' in my insert statement itself as: insert into TEST_USERS values('username', dbms_obfuscation_toolkit.md5('password'));
But i get this : ORA-06553: PLS-307: too many declarations of 'MD5' match
Can you please help me on how can i insert a string (not raw) as MD5 hash to a table???
The password column i have is 'varchar(20)'. I dont mind changing it to something else. I am also struggling to find this package definition/help, to check what db type this function returns :-)
Thanks for the help.
Hello,
Try posting this to the General Database Discussions forum.
This forum is for SQLJ & JDBC. -
Use subflow or redirect step when calling another script
I have a main AA script and it calls another script when the caller presses option 6. When a caller presses 6 it is only transferring the call to the sub script. It does not return any values to the main script.
In this situation, is it better to use a subflow or a redirect step? I am thinking redirect step but just want to check with the user community.
Thanks in advance.
Either will work. Here are a few thoughts to consider in no particular order:
Subflows count toward the originally triggered scripts' maximum step count. If you have a lot of steps, this may result in an exception. Redirecting the call restarts this counter since the newly triggered script will have its own counter.
NOTE: You might think that this is exactly why the Trigger Application step in Synchronous mode was created for. Alas, there is a bug which renders this useless in 7.0(1): CSCtd72562
Redirecting the call will result in the user hearing ringback. This would occur because of the recommended two-second delay step following the Accept step of a step to prevent a race condition. I find this to be irritating enough to shy away from it mid-way through an IVR if possible.
Subflows are more difficult to debug. You need to have sufficient code embedded in them such that you can trigger and reactively debug them.
Be sure that the redirect destination is an actual CCX Trigger (CTI Route Point). Do not set it to a value in UCM that is translated or forwarded back to CCX. This results in a race condition which CCX does not handle well.
If you were asking me as an individual my answer would be this: Is the code small enough and not reused elsewhere? If yes, then put it in the first script and avoid this topic all together. If it's reused in a bunch of places from multiple scripts and does not represent a large quantity of steps: use a subflow. Otherwise use Trigger Application if you're on a new enough version or Call Redirect if you're not. -
Use of READ REPORT and INSERT REPORT
Hi Guys,
i need a small help from u guys.......
i want to know the use of READ REPORT and INSERT REPORT with Example
the requirement is...
i want to declare an internal table with fields from custom table.
if any field is added in the custom table then that field also should get populated in the program.
Ex: custom table fields are
MANDT
BUKRS
MATNR
LIFNR
field1
field2
field3
now suppose if a new field field4 is added in the Table
then the Program should automatically pick-up the fields from FIELD1...FIELD4.
i heard by using READ and INSERT report we can do it
plz help me ...
Thanks
Sunil. :-)
If you're on 46C or above, you can use the following to generate tables dynamically.
CALL METHOD CL_ALV_TABLE_CREATE=>CREATE_DYNAMIC_TABLE
EXPORTING
IT_FIELDCATALOG = GT_FIELDCAT
IMPORTING
EP_TABLE = GS_DATA_HEAD
EXCEPTIONS
GENERATE_SUBPOOL_DIR_FULL = 1
OTHERS = 2.
But you are restricted to 32 calls, if I remember correctly. If you are in a later release, you can use the RTTS classes to create internal tables dynamically, without the restriction on subroutine pools.
These classes are CL_ABAP_TYPEDESCR and subclasses.
There are a few blogs on SDN that give examples of their use.
Matt -
Using ACE RHI to inject a default route
I think I posted this onto the wrong Forum. Anyone able to advise here?
SteveK.
Posted by: stevek1 - Network Administrator, Dept Natural Resources and Mines
Apr 18, 2008, 12:04am PST
Hi Folks,
I need to provide internal devices with active-active access to our clustered firewall which sits across 2 data centres.
I need to allow internal hosts to reach external/unknown networks via a default route.
We have ACE modules in our internal network aggregation 6513s at each site.
I aim to achieve this using RHI...ie...device at site 1 reaches the internet via firewall at site 1, device at site 2 reaches internet via firewall at site 2 (due to better route). If the firewall is inaccessible from site 2, ACE at site 2 removes the route from the MSFC using RHI and site 2 device traffic is re-routed to the site 1 exit point.
Has anyone out there done this before?
Regards, Steve.
Replied by: stevek1 - Network Administrator, Dept Natural Resources and Mines - Apr 20, 2008, 6:48pm PST
Hi Folks,
It's Steve here again. I haven't had a response to my query as yet, but basically I need to know the validity of using ACE RHI to inject a default route as opposed to a host route.
Can anyone please advise?
Best Wishes, Steve.
Thanks so much for your response Zahoor.
The solution you have provided is more complicated than I had in mind. For example we had not intended using FWSM (we don't have these modules). I just want to use our existing ACEs at each Data Centre to provide the injection of a default route to our internal EIGRP process based on the result of a probe to our Checkpoint FW. What do you think?
Steve. -
No destination URL is defined. Use the followind redirect URL in Transactio
Hi,
I am new BSP, I have to display logon screen in my BSP application, i was copied SYSTEM bsp application and tried to run it, but it is throwing error "No destination URL is defined. Use the followind redirect URL in Transaction SICF: /sap(====)/public/bsp/sap/login/default.htm?sap-url= " . Please let us know what has to be done for the same
Message was edited by:
Rams BSP
Hi Rams,
see http://help.sap.com/saphelp_47x200/helpdata/en/33/8351f1f3351c41853ea3508cbef0cf/frameset.htm
and
http://help.sap.com/saphelp_47x200/helpdata/en/1d/13c73cee4fb55be10000000a114084/frameset.htm
It sounds like you have not configured the redirect correctly in the ICF.
Cheers
Graham