ACE HTTP Header Port Rewrite
What is the syntax for rewriting the destination port for a HTTP request?
For Example: Rewriting "http://www.test123.com" TO "http://www.test123.com:81"
Thanks!
Hi,
The simple solution is to specify port at rserver level to the desired port. In your case it should be like this :
host1/Admin(config-sfarm-host)# rserver SERVER1 81
This is from the documentation, which explains the same:
Associating a Real Server with a Server Farm
You can associate one or more real servers with a server farm and enter real-server server-farm configuration mode by using the rserver command in either server farm host or server farm redirect configuration mode. The real server must already exist. For information about configuring a real server, see the "Configuring Real Servers" section. You can configure a maximum of 16,384 real servers in a server farm. The syntax of this command is as follows:
rserver name [port]
The arguments are as follows:
•name—Unique identifier of an existing real server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
•port—(Optional) Port number used for the real server port address translation (PAT). Enter an integer from 1 to 65535.
If you choose not to assign a port number for the real server association with the server farm, the default behavior by the ACE is to automatically assign the same destination port that was used by the inbound connection to the outbound server connection. For example, if the incoming connection to the ACE is a secure client HTTPS connection, the connection is typically made on port 443. If you do not assign a port number to the real server, the ACE will automatically use port 443 to connect to the server, which results in the ACE making a clear-text HTTP connection over port 443. In this case, you would typically define an outbound destination port of 80, 81, or 8080 for the backend server connection.
For example, to identify real server SERVER1 and specify port 80 for the outgoing connection, enter:
host1/Admin(config-sfarm-host)# rserver SERVER1 80
host1/Admin(config-sfarm-host-rs)#
Hope that helps.
regards,
Ajay Kumar
Similar Messages
-
hi
Is there any chance to change my request on the ACE like this?
The request is http://www.xpto.com and I need it to be rewritten to http://xpto.com
Thanks in advance
Antero
Hi Antero,
Yes, this is possible. Just check the link below for more details
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1151822
Assuming "http://www.xpto.com" is the only request you want to rewrite, the syntax of the action would be "header rewrite request Host header-value www.xpto.com replace xpto.com"
If, however, you need to create this action in a more generic way so that any URL is rewritten in the same format, you would need to use a regular expression. In this case, it would be something similar to the following (I didn't test it, so I'm not 100% sure that the regex is correct) "header rewrite request Host header-value www\.(.*)\.com replace %1.com"
I hope this helps
Daniel -
Hi,
I have for example a site http://abc.com which responds back with the port on which it's being used on the server ex: http://abc.com:9081
How would I rewrite the response to remove the port on the server that is being used?
Thank you,
Hi,
Do you have to rewrite the 30x redirect response from the server, or is it a normal response?
You can try below:
(config)# action-list type modify http H
(config-actlist-modify)# header rewrite response Location header-value http://abc.com:9008 replace http://abc.com
I am using header name as Location. Please use according to your need.
I haven't tried this myself but it should work. Try and let me know.
Regards,
Kanwal -
Guys,
I need to setup ACE to do the below:
The client will call a url: https://server1.com.br
- Ace will terminate this ssl with a certificate of my internal ca imported to ACE;
Then, I need ACE to rewrite the url to https://host01.com.br/appl using a certificate generated by the Application Server and also imported to ACE.
It's possible?
So, you have client authentication configured on your real server? (I mean, very often HTTPS only uses a certificate on the server side)
If yes - no problem you can configure such type of SSL initiation too, however we can rewrite http header but we can't change URL (and https://server1.com.br to https://host01.com.br/app are URLs)
Example of HTTP header and some small explanations :
http://www.http.header.free.fr/http.html
And in that example you can change only these parts :
>> Host: www.http.header.free.fr
>> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
>> Accept-Language: Fr
>> Accept-Encoding: gzip, deflate
>> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
>> Connection: Keep-Alive
You can't change these :
URL : "http://www.http.header.free.fr/http.html". Your browser connects to www.http.header.free.fr and sends :
>> GET /http.html Http1.1 -
ACE http/https redirect or rewrite
Greetings,
We have a setup that requires ACE http/https redirection or rewrite.
A client connects to a secured Web portal which has its ssl termination on the ACE.
The web portal will request from the client a redirection to another application. As the portal is unaware that the incoming client https request was terminated on the ACE,
the client receives the redirect request for an unsecured http URL rather than for the secured https URL.
In this case what would be best to use? ACE "rewrite" or "redirect"?
Will the following example config for ACE "redirect" be sufficent to implement this?
ssl-proxy service ssl-App-443-81
  key app1.test.com.key
  cert app1.test.com.cert
rserver redirect App-secure-redirect
  webhost-redirection https://app1.test.com/Go/
  inservice
serverfarm redirect App-secure-redirect-sf
  rserver App-secure-redirect
    inservice
serverfarm host App-81-sf
  probe TCP81
  rserver proxy1 81
    inservice
  rserver proxy2 81
    inservice
parameter-map type http http_param_map
  header modify per-request
sticky http-cookie App-cookie App-sticky
  cookie insert
  replicate sticky
  serverfarm App-81-sf
class-map match-any App-443-81-cm
  2 match virtual-address 10.10.10.112 tcp eq https
class-map match-any App-81-cm
  2 match virtual-address 10.10.10.112 tcp eq 81
class-map type http loadbalance App-secure-redirect-cm
  match http url http://app1.test.com:81/Go/
policy-map type loadbalance http first-match App-rewrite-pm
  class App-secure-redirect-cm
    serverfarm App-secure-redirect-sf
policy-map type loadbalance http first-match App-sticky-443-81-pm
  class class-default
    sticky-serverfarm App-sticky
policy-map multi-match policy-inbound
  class App-81-cm
    loadbalance vip inservice
    loadbalance policy App-rewrite-pm
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
  class App-443-81-cm
    loadbalance vip inservice
    loadbalance policy App-sticky-443-81-pm
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options http_param_map
    ssl-proxy server ssl-App-443-81
If you are offloading www.yoursite.com on ACE and on the backend
real servers are not ssl aware (sends URL with http://) then with
following sample config you can instruct ACE to rewrite such urls (http->https)
class-map match-all VIP-443
match virtual-address x.x.x.x tcp eq https
action-list type modify http HTTP2HTTPS-REWRITE
ssl url rewrite location www\.yoursite\.* sslport 443 clearport 80
policy-map type loadbalance first-match YOUR-POLICY
class class-default
serverfarm YOUR-SFARM
action HTTP2HTTPS-REWRITE
class VIP-443
loadbalance vip inservice
loadbalance policy YOUR-POLICY
loadbalance vip icmp-reply active
ssl-proxy server YOUR-SSL-SERVICE
You need Ace2.x+ on Ace module & 3.x+ on 4710 appliance for this feature.
Syed Iftekhar Ahmed -
ACE: wrong IP in HTTP header HEALTHCHECK packet
Hi,
I encounter a strange problem with ACE when the blade performs a HTTP healthcheck towards a RSERVER.
Sometimes, ACE inserts in the HTTP header a strange IP address, other than the IP address of the rserver for which it performs a healthcheck.
Anyone encountered the same problem?
Thx, Wim
Hi Gillis,
I reported this issue to our integrator. I think they will open a cisco case right now.
We are able to reproduce this problem. So, that might not be the problem to troubleshoot at this moment.
For your information, we had version A1.6 running until last week. Now, we upgraded to A2, but the healthcheck issue is still present.
I assume you'll be informed via the support case? -
Adding port in http header information??
I have a standard HTTPS to HTTP conversion going through a CSS 11506. The CSS terminates the SSL and then passes the cleartext traffic to the backend server via port 8011. The backend server receives this traffic on port 8011 but the http header does not specify port 8011 at the end of the url (e.g. http://mywebsite.com:8011/content but only passes through http://mysebsite.com/content). The backend server thinks this traffic has come in on port 80 and reports a 302 error (redirect). Is there some way the CSS can add the :8011 port number into the http header for all traffic bound to the backend server?
Many thanks,
Frank
No, there is no way to add the port to the host info.
You can run 2 different instances of the server - each one on its own port - so they don't need to verify the port inside the http request.
Gilles. -
Load Balancing with ACE using HTTP Header information
Hello,
I am trying to setup a class-map using http loadbalance match-all.
What I want to do is check for the HTTP Host and if it does not match the http referer then go to server farm A. If it does match then go to server farm B.
My problem is the host can be several different values as well as the referer. Can you set up variables in the ACE so I can store the value from http host and compare it against http referer?
Thanks
Mike C.
It should be like this (If you want to use separate class maps for referrer & Host).
class-map type http loadbalance match-any site1-HostHDR
  2 match http header Host header-value ".*site1.com"
class-map type http loadbalance match-any site1-Referer
  2 match http header Referer header-value "http://site1.*"
class-map type http loadbalance match-any site2-HostHDR
  2 match http header Host header-value ".*site2.com"
class-map type http loadbalance match-any site2-Referer
  2 match http header Referer header-value "http://site2.*"
class-map type http loadbalance match-all Site1-policy
  2 match class-map site1-HostHDR
  3 match class-map site1-Referer
class-map type http loadbalance match-all Site2-policy
  2 match class-map site2-HostHDR
  3 match class-map site2-Referer
policy-map type loadbalance http first-match Site1
  class Site1-policy
    serverfarm SFarm-A
  class Site2-policy
    serverfarm SFarm-A
  class class-default
    serverfarm SFARm-B
Syed Iftekhar Ahmed -
ACE One-Arm Source-NAT HTTP Header Insert
Hello ACE Gurus,
This is probably a dumb question but I'm looking for info on HTTP Header Insert for SSL sessions. Does the HTTP header re-write action list work for SSL traffic? I guess I'm not clear on whether or not the header is encrypted and if the ACE can modify on an HTTPS session. Any input would be greatly appreciated.
/r
Rob
Hi Rob,
When using HTTPS, all the data is encrypted, including the HTTP headers.
In such a situation, if you want to insert headers (or do any other kind of L7 processing), you will have to configure the ACE to do SSL termination. Once the connection is decrypted, the ACE can do any processing it needs before sending the connection towards the server either in clear text or again using HTTPS.
I would recommend you to have a look at the link below. This is an example of how to configure an ACE for end-to-end SSL (so, HTTPS on both sides of the ACE). In the example, the only L7 processing that is being done is matching on the URL, but it would be enough to replace that part with whatever header insertion commands you need
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
If you still need more help to understand any of the points involved in the process, please, do not hesitate to contact me again.
Regards
Daniel -
Load Balance Reverse Proxy using ACE and HTTP Header Sticky
Dear all,
I have a reverse proxy that makes HTTP and HTTPS requests to an ACE.
To implement persistence I want to configure HTTP HEADER stickiness using the X-Forwarded-For information but I don't know:
How to implement it (I'd appreciate a little example about it).
Which values I need for the OFFSET and LENGTH fields.
Can you help me please?
Thanks a lot!!
Hi Cesar.
Thanks a lot for your answer but I think you misunderstood the question or I'm not explaining it very well.
I don't need to insert anything.
The serverfarm X will be accessed by a reverse proxy. This reverse proxy already inserts the X-Forwarded-For header, so the request from the reverse proxy comes with this header to the serverfarm X.
The problem is that now, the serverfarm X sticks the client based on source IP. This is the wrong behavior because all the requests come from the same source (the reverse proxy) and all the load is forwarded to the same real IP address.
This is why I want to change the sticky from source IP to HTTP header and look for the X-Forwarded-For field.
Hope this clarifies the question! -
HTTP header insertion problem with ACE
Hi
I am trying to configure the HTTP header insertion feature based on the action-list type modify http. Unfortunately it does not work.
The config looks like this:
action-list type modify http TEST
  header insert both Host header-value test:test.
I added this action-list to the correct policy-map.
When I checked the sniffer output on the server side, there is no test value in the HTTP header.
I test the same feature based on the "insert-http" command in the policy-map and this one works.
Could anybody help me with this problem?
Thank you in advance
Regards
Lucas
Hi Lukas,
Add a new parameter-map named PRMAP_PERST_REBLNC and add this to the policy map using command appl-parameter http advanced-options PRMAP_PERST_REBLNC as shown below:
action-list type modify http test-insert
  header insert both My-Header header-value test
  header insert both SSL header-value TRUE
policy-map type loadbalance http first-match HtppInsert
  class class-default
    serverfarm linux1-80
    action test-insert
policy-map multi-match SLB1
  class VIP-122-80
    loadbalance vip inservice
    loadbalance policy HtppInsert
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    loadbalance vip advertise metric 1
    connection advanced-options SetTos
    appl-parameter http advanced-options PRMAP_PERST_REBLNC
parameter-map type http PRMAP_PERST_REBLNC
  persistence-rebalance
Hope this will make all the packets are inserted with the http header not the first one only.
If it works then plz inform.
Kind Regards.
Sachin Garg -
Interesting ACE URL Header & Load-balance & SSL on 2 VIPs
Hi There
I have an interesting situation that I am trying to solve. I have 4 websites, each one with SSL Off-Loading on the ACE on the outside. All FOUR websites run on a single server on the inside, but each website is using a different port number for differentiation. Also, they are currently only available on TWO IPs on the outside! I know.....it's a mare!
So, RSERVER = SERVER = 192.168.0.1
Each website has SSL Certs on the outside. https://website1.abc.com - https://website4.abc.com
But, DNS is only bound to 2 IPs on the outside, as that is all we have available currently, until we free up more IPs.
OUTSIDE:
website1.abc.com = 172.16.0.1:443
website2.abc.com = 172.16.0.1:443
website3.abc.com = 172.16.0.2:443
website4.abc.com = 172.16.0.2:443
On the server we have:
INSIDE: 192.168.0.1
SERVER:8001 = website1.abc.com
SERVER:8002 = website2.abc.com
SERVER:8003 = website3.abc.com
SERVER:8004 = website4.abc.com
So, in a nutshell what I need to do is:
Terminate SSL for each website, then match the HTTP header, and pass it to the SERVER on the right port. Sounds easy enough.
But, I am struggling like hell. The VIPs (Virtual IPs on the OUTSIDE) are causing me grief. My steps seem to be breaking my ruleset. Individually they all work, but once I tie them to the VIPs on the outside, it seems to stop. The first site in each CM (class-map) match in the PM (Profile-Map) works but the subsequent site just breaks.
I would post my config, but right now I have sooooooooooooo many variations, it looks like a dog's breakfast.
Can anyone give advice on the process flow to follow to get this to work? My issue is around the VIPs mainly. To be honest, I don't really care about Load-Balancing right now. That will come later when more servers are added to the mix. And then we might have to do inbound NAT too to the Server Farm, but that can wait! :-o
I have created a HEADER map for the headers, individual SERVER FARMS for each port on the RSERVER, ACLs matching the VIPs inbound on 443, CLASS-MAPs matching the HEADER and applying to SFARM, POLICY MAPS matching the CMAPs and doing Load-Balancing with SSL-PROXYs for the SSL headers. SERVICE-POLICY tying it all together on Interface.
But .... things are going haywire.
So, steps are:
RSERVER
SFARMs = RSERVER:PORTs
ACLs = VIPs
CMAP = HEADER = URL
LB PMAP = HEADER CMAP & SFARM
PMAP MULITM = ACL CMAP + LB PMAP & SSL-Proxy
SVC-POL = PMAP MULTIM
Hi Surya
Thanks for the prompt reply. I'm not quite sure what you mean when you say it can only handle 2 certs. Can you elaborate please?
It would appear to me that you can actually only bind one cert to an IP, based on using a VIP address for the server farm as per the CM in the PM. I can hack out the irrelevant bits tomorrow and post what I have done thus far. I have played with multiple lines of code and various ways of trying to do this, but the end result is that it appears once I have the CM set per VIP I can only set one SSL-Proxy, and so only one cert. If I use multiple CMs, as per the MultiMatch policy, it matches the first CM against the VIP and doesn't appear to move on as per the HTTP Header. If any of that makes sense?
regards
Sent from Cisco Technical Support iPad App -
ACE HTTP Probe with regex
Hi,
I'm trying to set up an HTTP probe with an expected string rather than a code (config below). I do a GET for the page then a search for a string in the response, however it's not working, as the probe appears as failed.
I've tested the connection to the server by telnetting and then looking at the page displayed to make sure the string I want to match is in the response.
probe http HTTP-PROBE
  port 43050
  interval 30
  passdetect interval 30
  passdetect count 1
  request method get url /action=help
  open 43050
  expect regex action=help
Q. Is there anything wrong with this configuration and what I'm trying to achieve?
Thanks,
Pritesh
Use "expect status" under the probe config. expect regex doesn't work if expect status is not configured.
expect regex works flawlessly with static pages. It doesn't work all the time with dynamic pages,
especially if the "content-length" header is missing from the server response.
Hope it helps
Syed Iftekhar Ahmed -
Hi,
We would like to see the hash value calculated by the ACE when the HTTP probe hash command configured.
This is possible on CSS via the "sh service" command. We have tried to get it from sh rserver , sh probe XXX detail sh serverfarm XXX det but we do not get it.
Is this possible to get it on the ACE as we do on the CSS?
We need this to manually configure it via the hash <value> command because if the ACE probe is reset for any reason, the probe http hash will be re-calculated based on the first http response of the server and we can not predict that the server will give the expected web page at this time.
A // question is: on what the md5 value is calculated? HTTP header + payload or only http object payload? We have calculated the md5 hash value by ourselves but the probe is still failing whatever the http portion used for the calculation is.
Many thanks for your help.
Regards/ludovic.
probe http MD5-HTTP
  interval 15
  passdetect interval 15
  request method get url /index.html
  expect status 200 200
  hash 2441DA7F68A265F8CFB4426B6897CE33
And here is how I computed the hash on the server itself [linux machine]
md5sum /var/www/HTML/index.html
2441da7f68a265f8cfb4426b6897ce33 /var/www/HTML/index.html
[root@linux-1 tftpboot]#
The probe is UP
switch/Admin# sho probe MD5-HTTP detail
probe : MD5-HTTP
type : HTTP
state : ACTIVE
description :
port : 80 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 15 pass count : 3
fail count: 3 recv timeout: 10
http method : GET
http url : /index.html
Hash-value : 2441da7f68a265f8cfb4426b6897ce33
conn termination : GRACEFUL
expect offset : 0 , open timeout : 10
expect regex : -
send data : -
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : linux1
real : linux1[0]
192.168.30.27 13 4 9 SUCCESS
md5sum is a standard tool.
Nothing fancy about it.
Gilles. -
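Added example, not part of the original posts: in the reply above, md5sum of the file on disk equals the probe's Hash-value, which means the digest covers the response body only. The sketch below recomputes that value from a captured raw HTTP response; the page content, headers and helper names are constructed for illustration.

```python
import hashlib

# Constructed sample page; stands in for /var/www/HTML/index.html.
PAGE = b"<html><body>It works</body></html>\n"


def md5_hex(data):
    """Upper-case hex digest, the form used on the probe's 'hash' line."""
    return hashlib.md5(data).hexdigest().upper()


def build_response(body):
    """Constructed raw HTTP/1.1 response carrying `body` (sample data only)."""
    head = (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: sample\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
    )
    return head + b"\r\n" + body


def split_response(raw):
    """Split a raw response into (headers, body), honouring Content-Length."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = headers.get(b"content-length")
    if length is not None:
        body = body[: int(length)]            # drop anything past the entity
    return headers, body


def probe_hash(raw):
    """MD5 of the entity body only, as md5sum of the served file would give."""
    _, body = split_response(raw)
    return md5_hex(body)


def compare(raw, file_bytes):
    """Which candidate digest matches the file on disk?"""
    return {
        "body_only": probe_hash(raw) == md5_hex(file_bytes),
        "headers_and_body": md5_hex(raw) == md5_hex(file_bytes),
    }


if __name__ == "__main__":
    raw = build_response(PAGE)
    print("hash", probe_hash(raw))
    print(compare(raw, PAGE))
    # A byte-level change such as LF -> CRLF conversion yields another digest.
    crlf = build_response(PAGE.replace(b"\n", b"\r\n"))
    print("after CRLF conversion:", compare(crlf, PAGE))
```

The digest is byte-exact, so anything that alters the served bytes (line-ending conversion, dynamic content, compression) produces a different value than md5sum of the file.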
ACE module SSL url rewrite and path rewrite
Hi all,
I'm hoping some of you helpful people on this forum can guide me or suggest a solution to a problem I'm faced with.
I am currently load balancing exchange 2010 traffic via an ACE module. Software version is A2(3.3). I have most parts of it working fine however I am having an issue when it comes to SSL termination for Outlook Web Access (OWA).
The problem comes down to a HTTP header (field is location). I have configured an action list to re-write the SSL pure URL as per page 96 of the "Cisco Application Control Engine Module SSL Configuration Guide". example:
ssl url rewrite location bnecas\.mycompany\.com sslport 443
That part works, the http header location field that comes back from the GET request is changed to https://cas.mycompany.com which is great. However, in addition to that url, there is also a path or something following that part. The actual string that is returned is:
https://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0
The first bit of it, (https://cas.mycompany.com) is changed by the ssl url rewrite command, however the last part (http://cas.mycompany.com/owa/&reason=0) isn't changed.
This is where I've been trying to get the http Header Rewrite command to do something. I don't know if it can work in conjunction with the ssl url rewrite function however with the ssl rewrite function it seems it can't change bits of the string that aren't the pure URL at the front.
The end result is that while I have an SSL connection to the OWA login page, when I do login to OWA it reverts back to HTTP. I'm fairly sure it is because of the last part of the location string above. Is there a way to change that location string to do the following:
1. change the first part of the string to be https://cas.mycompany.com (like the ssl url rewrite function)
2. change the last part of the location string to put https in there instead of http
Ideally I would love to have this string
http://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0
replaced with this one
https://cas.mycompany.com/owa/auth/logon.aspx?url=https://cas.mycompany.com/owa/&reason=0
I had originally tried the following in the action list:
header rewrite response location header-value "(owa/auth/logon\.aspx\?url=)http(://bnecas\.thiess\.aus/owa/&reason=0)" replace "%1https%2"
ssl url rewrite location bnecas\.mycompany\.com sslport 443
but it didn't work. I'm probably screwing up the regex somewhere however there doesn't seem to be very clear examples anywhere I can find.
Any help will be greatly appreciated and of course I will be sure to rate every post that responds to my plea for help.
Brad
Hi Brad,
try this:
action-list type modify http X
  header rewrite response Location header-value "http://(.*url=)http://(.*)" replace "https://%1https://%2"
We won't be using ssl url rewrite in this case.
Also, we will need persistence rebalance applied through an application parameter map, and apply that under the VIP class.
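Added example, not part of the original posts: a small Python model of the two regex rewrites quoted on this page (the generic Host rewrite `www\.(.*)\.com` and the Location rewrite just above), run against the header values from the threads plus two constructed edge cases. It assumes the pattern must match the whole header value and that `%N` refers to the Nth group; Python's regex dialect stands in for the ACE's, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Patterns and replacements exactly as quoted in the threads.
HOST_RULE = (r"www\.(.*)\.com", "%1.com")
OWA_RULE = (r"http://(.*url=)http://(.*)", "https://%1https://%2")

# Location value from the OWA thread, as sent by the server.
OWA_LOCATION = ("http://cas.mycompany.com/owa/auth/logon.aspx"
                "?url=http://cas.mycompany.com/owa/&reason=0")
# Constructed edge cases: embedded URL percent-encoded, and a plain redirect.
ENCODED_LOCATION = ("http://cas.mycompany.com/owa/auth/logon.aspx"
                    "?url=http%3A%2F%2Fcas.mycompany.com%2Fowa%2F&reason=0")
PLAIN_LOCATION = "http://cas.mycompany.com/owa/"


def ace_rewrite(value, pattern, replacement):
    """Model of 'header rewrite ... header-value PATTERN replace REPLACEMENT'.

    Assumption: whole-value match, %N = Nth parenthesised group.
    """
    m = re.fullmatch(pattern, value)
    if m is None:
        return value  # no match: the header passes through unchanged
    return re.sub(r"%(\d)",
                  lambda ref: m.group(int(ref.group(1))) or "",
                  replacement)


def cleartext_refs(header_value):
    """Count http:// references, including percent-encoded ones."""
    return unquote(header_value).count("http://")


def audit(values, rule):
    """Return (before, after, cleartext references left) per header value."""
    report = []
    for value in values:
        after = ace_rewrite(value, *rule)
        report.append((value, after, cleartext_refs(after)))
    return report


if __name__ == "__main__":
    for host in ("www.xpto.com", "xpto.com", "www.xpto.com.br"):
        print("Host:", host, "->", ace_rewrite(host, *HOST_RULE))
    locations = (OWA_LOCATION, ENCODED_LOCATION, PLAIN_LOCATION)
    for before, after, left in audit(locations, OWA_RULE):
        print("Location:", after, "| cleartext refs left:", left)
```

Under these assumptions the OWA rule produces the string Brad asked for, while a percent-encoded `url=` parameter or a redirect without an embedded URL does not match and leaves the response as `http://`, so a check like `cleartext_refs` on captured responses shows which redirects still need a rule.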