ACE HTTP Header Port Rewrite

Similar Messages

• ACE http header rewrite

  hi
  is there any chance to change my requeste on ace like this?
  the request is http://www.xpto.com and i need to be rewrite to http://xpto.com
  thanks in advance
  Antero

  Hi Antero,
  Yes, this is possible. Just check the link below for more details
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1151822
  Assuming "http://www.xpto.com" is the only request you want to rewrite, the syntax of the action would be "header rewrite request Host header-value www.xpto.com replace xpto.com"
  If, however, you need to create this action in a more generic way so that any URL is rewritten in the same format, you would need to use a regular expression. In this case, it would be something similar to the following (I didn't test it, so I'm not 100% sure that the regex is correct) "header rewrite request Host header-value www\.(.*)\.com replace %1.com"
  I hope this helps
  Daniel

• ACE http header response

  Hi,
  I have for example a site http://abc.com which response back with the port on which it's being used on the server ex: http://abc.com:9081
  How would I rewrite the response remove the port on the server that is being used.
  Thank you,

  Hi,
  You have rewrite the 30x redirect response from server or is it a normal response?
  You can try below:
  (config)# action-list type modify http H
  (config-actlist-modify)# header rewrite response Location header-value http://abc.com:9008  replace http://abc.com
  I am using header name as Location. Please use according to your need.
  I haven't tried this myself but it should work. Try and let me know.
  Regards,
  Kanwal

• Https header rewrite

  Guys,
  I need to setup ACE to do the below:
  The client will call a url: https://server1.com.br
     - Ace will terminate this ssl with a certificate of my internal ca imported to ACE;
  Then, I need ACE to rewrite the url to https://host01.com.br/appl using a certificate generated by the Application Server and also imported to ACE.
  It's possible?

  So, you have client authentication cofigured on your real server ? (I mean , very often HTTPS  only uses certificate on server side)
  If yes - no problem you can configure  such type of SSL initiation too, however we can rewrite http header but we can't change URL (and https://server1.com.br to https://host01.com.br/app are URLs)
  Example of HTTP header and some small explanations :
  http://www.http.header.free.fr/http.html
  And in that example you can change only these parts :
  >> Host: www.http.header.free.fr
  >> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
  >> Accept-Language: Fr
  >> Accept-Encoding: gzip, deflate
  >> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
  >> Connection: Keep-Alive
  You can't change these :
  URL : "http://www.http.header.free.fr/http.html". Your browser connects to www.http.header.free.fr and sends :
  >> GET /http.html Http1.1

• ACE http/https redirect or rewrite

  Greetings,
  We have a setup that requires ACE http/https redirection or rewrite.
  A client connects to a secured Web portal which has its ssl termination on the ACE.
  The web portal will request from the client a redirection to another application. As the portal is unaware that the incoming client https request was terminated on the ACE,
  the client receives the redirect request for an unsecured http URL rather than for the secured https URL.
  In this case what would be best to use? ACE "rewrite" or "redirect"?
  Will the following example config for ACE "redirect" be sufficent to implement this?
  ssl-proxy service ssl-App-443-81
  key app1.test.com.key
  cert app1.test.com.cert
  rserver redirect App-secure-redirect
  webhost-redirection https://app1.test.com/Go/
  inservice
  serverfarm redirect App-secure-redirect-sf
  rserver App-secure-redirect
  inservice
  serverfarm host App-81-sf
  probe TCP81
  rserver proxy1 81
  inservice
  rserver proxy2 81
  inservice
  parameter-map type http http_param_map
  header modify per-request
  sticky http-cookie App-cookie App-sticky
  cookie insert
  replicate sticky
  serverfarm App-81-sf
  class-map match-any App-443-81-cm
  2 match virtual-address 10.10.10.112 tcp eq https
  class-map match-any App-81-cm
  2 match virtual-address 10.10.10.112 tcp eq 81
  class-map type http loadbalance App-secure-redirect-cm
  match http url http://app1.test.com:81/Go/
  policy-map type loadbalance http first-match App-rewrite-pm
  class App-secure-redirect-cm
  serverfarm App-secure-redirect-sf
  policy-map type loadbalance http first-match App-sticky-443-81-pm
  class class-default
  sticky-serverfarm App-sticky
  policy-map multi-match policy-inbound
  class App-81-cm
  loadbalance vip inservice
  loadbalance policy App-rewrite-pm
  loadbalance vip icmp-reply active
  loadbalance vip advertise active
  class App-443-81-cm
  loadbalance vip inservice
  loadbalance policy App-sticky-443-81-pm
  loadbalance vip icmp-reply active
  loadbalance vip advertise active
  appl-parameter http advanced-options http_param_map
  ssl-proxy server ssl-App-443-81

  If you are offloading www.yoursite.com on ACE and on the backend
  real servers are not ssl aware (sends URL with http://) then with
  following sample config you can instruct ACE to rewrite such urls (http->https)
  class-map match-all VIP-443
  match virtual-address x.x.x.x tcp eq https
  action-list type modify http HTTP2HTTPS-REWRITE
  ssl url rewrite location www\.yoursite\.* sslport 443 clearport 80
  policy-map type loadbalance first-match YOUR-POLICY
  class class-default
  serverfarm YOUR-SFARM
  action HTTP2HTTPS-REWRITE
  class VIP-443
  loadbalance vip inservice
  loadbalance policy YOUR-POLICY
  loadbalance vip icmp-reply active
  ssl-proxy server YOUR-SSL-SERVICE
  You need Ace2.x+ on Ace module & 3.x+ on 4710 appliance for this feature.
  Syed Iftekhar Ahmed

• ACE: wrong IP in HTTP header HEALTHCHECK packet

  Hi,
  I encounter a strange problem with ACE when the blade performs a HTTP healthcheck towards a RSERVER.
  Sometimes, ACE insert in the HTTP header a strange IP address, others then the IP address of the rserver, for which it performs a healthcheck.
  Anyone encountered the same problem?
  Thx, Wim

  Hi Gillis,
  I reported this issue to our integrator. I think they will open a cisco case right now.
  We are able to reproduce this problem. So, that might not be the problem to troubleshoot at this moment.
  For your information, we had version A1.6 running until last week. Now, we upgraded to A2, but the healthcheck issue is still present.
  I assume you 'll informed via the support case?

• Adding port in http header information??

  I have a standard HTTPS to HTTP conversion going through a CSS 11506. The CSS terminates the SSL and then passes the cleartext traffic to the backend server via port 8011. The backend server receives this traffic on port 8011 but the http header does not specify port 8011 at the end of the url (e.g. http://mywebsite.com:8011/content but only passes through http://mysebsite.com/content). The backend server thinks this traffic has come in on port 80 and reports a 302 error (redirect). Is there some way the CSS can add the :8011 port number into the http header for all traffic bound to the backend server?
  Many thanks,
  Frank

  No, there is no way to add the port to the host info.
  You can run 2 different instances of the server - each one on its own port - so they don't need to verify the port inside the http request.
  Gilles.

• Load Balancing with ACE using HTTP Header information

  Hello,
  I am trying to setup a class-map using http loadbalance match-all.
  What I want to do is check for the HTTP Host and if it doesnot match the http referer than go to server farm A. if it does match then go to server farm B.
  My problem is the host can be serveral different values as well as the referer. Can you setup varibales in the ACE so I can store the value from http host and compare it against http referer?
  Thanks
  Mike C.

  It should be like this (If you want to use separate class maps for referrer & Host).
  class-map type http loadbalance match-any site1-HostHDR
  2 match http header Host header-value ".*site1.com"
  class-map type http loadbalance match-any site1-Referer
  2 match http header Referer header-value "http://site1.*"
  class-map type http loadbalance match-any site2-HostHDR
  2 match http header Host header-value ".*site2.com"
  class-map type http loadbalance match-any site2-Referer
  2 match http header Referer header-value "http://site2.*"
  class-map type http loadbalance match-all Site1-policy
  2 match class-map site1-HostHDR
  3 match class-map site1-Referer
  class-map type http loadbalance match-all Site2-policy
  2 match class-map site2-HostHDR
  3 match class-map site2-Referer
  policy-map type loadbalance http first-match Site1
  class Site1-policy
  serverfarm SFarm-A
  class Site2-policy
  serverfarm SFarm-A
  class class-default
  serverfarm SFARm-B
  Syed Iftekhar Ahmed

• ACE One-Arm Source-NAT HTTP Header Insert

  Hellow ACE Gurus,
  This is probably a dumb question but I'm looking for info on HTTP Header Insert for SSL sessions.  Does the HTTP header re-write action list work for SSL traffic?  I guess I'm not clear on whether or not the header is encrypted and if the ACE can modify on an HTTPS session.  Any input would be greatly appreciated.
  /r
  Rob

  Hi Rob,
  When using HTTPS, all the data is encrypted, including the HTTP headers.
  In such a situation, if you want to insert headers (or do any other kind of L7 processing), you will have to configure the ACE to do SSL termination. Once the connection is decrypted, the ACE can do any processing it needs before sending the connection towards the server either in clear text or again using HTTPS.
  I would recommend you to have a look at the link below. This is an example of how to configure an ACE for end-to-end SSL (so, HTTPS on both sides of the ACE). In the example, the only L7 processing that is being done is matching on the URL, but it would be enough to replace that part with whatever header insertion commands you need
  http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
  If you still need more help to understand any of the points involved in the process, please, do not hesitate to contact me again.
  Regards
  Daniel

• Load Balance Reverse Poxy using ACE and HTTP Header Sticky

  Dear all,
  I have a reverse proxy that makes HTTP and HTTPS requests to an ACE.
  For implement persistence I want to configure HTTP HEADER Stickyness using the X-Forwarder-For information but I don't know:
  How to implement it ( I'l apreciate a little example about it).
  Which values I need for OFFSET and LENGHT fields.
  Can you help me please?
  Thanks a lot!!

  Hi Cesar.
  Thanks a lot for your answer but I think you misunderstand the question or I'm not explaninig very well
  I don't need to insert anything.
  The serverfarm X will be accesed by a reverse proxy. This reverse proxy already inserts the X-Forearder-From header, so the request from the reverse proxy comes with this header to the serverfarm X.
  The problem is that now, the serverfarm X sticky the client based on source IP. This is a wrong behavior becasue all the request comes form the same source (Reverse proxy) and all the load forwards to the same real IP address.
  This is because I want to change the sticky from source IP to HTTP header and looks for the X-Forwarder-For filed.
  Hop it will clarify the question!

• HTTP header insertion problem with ACE

  Hi
  I try to configure the HTTP header insertion feature based on the action-list type modify http. Unfortunately it does not works.
  The config looks like that
  action-list type modify http TEST
  header insert both Host header-value test:test.
  I added this action-list to the correct policy-map.
  When I checked the snifer output on the server side, there is no test value in the HTTP header.
  I test the same feature based on the "insert-http" command in the policy-map and this one works.
  Could anybody help me with this problem?
  Thank you in advance
  Regards
  Lucas

  Hi Lukas,
  Add a new parameter-map named PRMAP_PERST_REBLNC and add this to the policy map using command appl-parameter http advanced-options PRMAP_PERST_REBLNC as shown below:
  action-list type modify http test-insert
  header insert both My-Header header-value test
  header insert both SSL header-value TRUE
  policy-map type loadbalance http first-match HtppInsert
  class class-default
  serverfarm linux1-80
  action test-insert
  policy-map multi-match SLB1
  class VIP-122-80
  loadbalance vip inservice
  loadbalance policy HtppInsert
  loadbalance vip icmp-reply active
  loadbalance vip advertise active
  loadbalance vip advertise metric 1
  connection advanced-options SetTos
  appl-parameter http advanced-options PRMAP_PERST_REBLNC
  parameter-map type http PRMAP_PERST_REBLNC
  persistence-rebalance
  Hope this will make all the packets are inserted with the http header not the first one only.
  If it works then plz inform.
  Kind Regards.
  Sachin Garg

• Interesting ACE URL Header & Load-balance & SSL on 2 VIPs

  Hi There
  I have an interesting situation that I am trying to solve. I have 4 websites, each one with SSL Off-Loading on the ACE on the outside. All FOUR websites run on a single server on the inside, but each website is using a different port number for differentiation. Also, they are currently only available on TWO IPs on the outside! I know.....it's a mare!
  So, RSERVER = SERVER = 192.168.0.1
  Each website has SSL Certs on the outside. https://website1.abc.com - https://website4.abc.com
  But, DNS is only bound to 2 IPs on the outside, as that is all we have available currently, until we free up more IPs.
  OUTSIDE:
  website1.abc.com = 172.16.0.1:443
  website2.abc.com = 172.16.0.1:443
  website3.abc.com = 172.16.0.2:443
  website4.abc.com = 172.16.0.2:443
  On the server we have:
  INSIDE: 192.168.0.1
  SERVER:8001 = website1.abc.com
  SERVER:8002 = website2.abc.com
  SERVER:8003 = website3.abc.com
  SERVER:8004 = website4.abc.com
  So, in a nutshell what I need to do is:
  Terminate SSL for each website, then match the HTTP header, and pass it to the SERVER on the right port. Sounds easy enough.
  But, I am struggling like hell. The VIPs (Wirtual IPs on the OUTSIDE are causing me grief) My steps seem to be breaking my ruleset. Individually they all work, but once I tie them to the VIPs on the outside, it seems to stop. The first site in each CM (class-map) match in the PM (Profile-Map) works but the subsequent site just breaks.
  I would post my config, but right now I have sooooooooooooo many variations, it looks like a dog's breakfast.
  Can anyone give advice on the process flow to follow to get this to work. My issue is arround the VIPs mainly. To be honest, I don't really care about Load-Balancing right now. That will come later when more servers are added to mix. And then we might have to do inbound NAT too to the Server Farm, but that can wait! :-o
  I have created a HEADER map for the headers, individual SERVER FARMS for each port on the RSERVER, ACLs matching the VIPs inbound on 443, CLASS-MAPs matching the HEADER and applying to SFARM, POLICY MAPS matching the CMAPs and doing Load-Balancing with SSL-PROXYs for the SSL headers. SERVICE-POLICY tieing it all together on Interface.
  But .... things are going hey-wire.
  So, steps are:
  RSERVER
  SFARMs = RSERVER:PORTs
  ACLs = VIPs
  CMAP = HEADER = URL
  LB PMAP = HEADER CMAP & SFARM
  PMAP MULITM = ACL CMAP + LB PMAP & SSL-Proxy
  SVC-POL = PMAP MULTIM

  Hi Surya
  Thanks for the prompt reply. I'm not quite sure what you mean when you say it ca only handle 2 certs. Can you elaborate please?
  It would appear to me that you can actually only bind one cert to an IP, based on using a VIP address for the server farm as per the CM in the PM. I can hack out the irrelevant bits tomorrow and post what I have done thus far. I have played with multiple lines of code and various ways of trying to do this, but the end result is that it appears once I have the CM set per VIP I can only set one SSL-Proxy, and so only one cert. If I use multiple CMs, as per the MultiMatch policy, it matches the first CM against the VIP and doesn't appear to move on as per the HTTP Header. If any of that makes sense?
  regards
  Sent from Cisco Technical Support iPad App

• ACE HTTP Probe with regex

  ACE HTTP Probe with regex
  Hi,
  I'm trying to setup a HTTP probe with expected string rather then a code (config below). I do a GET for the page then a search for a string in the response however it's not working, as probe appears as failed.
  I've tested the connection to the server by using telneting and then looking at the page displayed to make sure the string I want to match is in the response.
  probe http HTTP-PROBE
  port 43050
  interval 30
  passdetect interval 30
  passdetect count 1
  request method get url /action=help
  open 43050
  expect regex action=help
  Q. Is there anything wrong with this configuration and what I'm trying to achive?
  Thanks,
  Pritesh

  Use "expect status" under probe config. expect regex doesnt work if expect status is not configured.
  expect regex work flawlessly with static pages. It doesnt work all the time with dynamic pages.
  Specially if "content-length" header is missing from Server response.
  Hope it helps
  Syed Iftekhar Ahmed

• ACE HTTP probe hash md5 value

  Hi,
  We would like to see the hash value calculated by the ACE when the HTTP probe hash command configured.
  This is possible on CSS via the "sh service" command. We have tried to get it from sh rserver , sh probe XXX detail sh serverfarm XXX det but we do not get it.
  Is this possible to get it on the ACE as we do on the CSS?
  We need this to manually configure it via the hash <value> command because if the ACE probe is reseted for any reason, the probe http hash will be re-calculated based on the first http response of the server and we can not predict that the server will give the expected web page at this time.
  A // question is: on what the md5 value is calculated? HTTP header + payload or only http object payload? We have calculated the md5 hash value by ourselves but the probe is still failing whatever the http portion used for the calculation is.
  Many thanks for your help.
  Regards/ludovic.

  probe http MD5-HTTP
  interval 15
  passdetect interval 15
  request method get url /index.html
  expect status 200 200
  hash 2441DA7F68A265F8CFB4426B6897CE33
  And here is how I computed the hash on the server itself [linux machine]
  md5sum /var/www/HTML/index.html
  2441da7f68a265f8cfb4426b6897ce33 /var/www/HTML/index.html
  [root@linux-1 tftpboot]#
  The probe is UP
  switch/Admin# sho probe MD5-HTTP detail
  probe : MD5-HTTP
  type : HTTP
  state : ACTIVE
  description :
  port : 80 address : 0.0.0.0 addr type : -
  interval : 15 pass intvl : 15 pass count : 3
  fail count: 3 recv timeout: 10
  http method : GET
  http url : /index.html
  Hash-value : 2441da7f68a265f8cfb4426b6897ce33
  conn termination : GRACEFUL
  expect offset : 0 , open timeout : 10
  expect regex : -
  send data : -
  --------------------- probe results --------------------
  probe association probed-address probes failed passed health
  ------------------- ---------------+----------+----------+----------+-------
  serverfarm : linux1
  real : linux1[0]
  192.168.30.27 13 4 9 SUCCESS
  md5sum is a standard tool.
  Nothing fancy about it.
  Gilles.

• ACE module SSL url rewrite and path rewrite

  Hi all,
  I'm hoping some of you helpful people on this forum can guide me or suggest a solution to a problem I'm faced with.
  I am currently load balancing exchange 2010 traffic via an ACE module.  Software version is A2(3.3).  I have most parts of it working fine however I am having an issue when it comes to SSL termination for Outlook Web Access (OWA).
  The problem comes down to a HTTP header (field is location).  I have configured an action list to re-write the SSL pure URL as per page 96 of the "Cisco Application Control Engine Module SSL Configuration Guide".  example:
  ssl url rewrite location bnecas\.mycompany\.com sslport 443
  That part works, the http header location field that comes back from the GET request is changed to https://cas.mycompany.com which is great.  However, in addition to that url, there is also a path or something following that part.  The actual string that is returned is:
  https://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0
  The first bit of it, (https://cas.mycompany.com) is changed by the ssl url rewrite command, however the last part (http://cas.mycompany.com/owa/&reason=0) isn't changed.
  This is where I've been trying to get the http Header Rewrite command to do something.  I don't know if it can work in conjunction with the ssl url rewrite function however with the ssl rewrite function it seems it can't change bits of the string that aren't the pure URL at the front.
  The end result is that while I have an SSL connection to the OWA login page, when I do login to OWA it reverts back to HTTP.  I'm fairly sure it is because of the last part of the location string above.  Is there a way to change that location string to do the following:
  1.  change the first part of the string to be https://cas.mycompany.com (like the ssl url rewrite function)
  2.  change the last part of the location string to put https in there instead of http
  Ideally I would love to have this string
  http://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0
  replaced with this one
  https://cas.mycompany.com/owa/auth/logon.aspx?url=https://cas.mycompany.com/owa/&reason=0
  I had originally tried the following in the action list:
  header rewrite response location header-value "(owa/auth/logon\.aspx\?url=)http(://bnecas\.thiess\.aus/owa/&reason=0)" replace "%1https%2"
  ssl url rewrite location bnecas\.mycompany\.com sslport 443
  but it didn't work.  I'm probably screwing up the regex somewhere however there doesn't seem to be very clear examples anywhere I can find.
  Any help will be greatly appreciated and of course I will be sure to rate every post that responds to my plea for help.
  Brad

  Hi Brad,
  try this:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  action-list type modify http X
    header rewrite response Location header-value "http://(.*url=)http://(.*)" replace "https://%1https://%2"
  we wont be using ssl url rewrite in this case
  Also we will be needing persistence rebalance applied through application parameter map and apply that under the VIP class