ACE http header rewrite
Hi
Is there any chance to change my request on ACE like this?
The request is http://www.xpto.com and I need it to be rewritten to http://xpto.com
Thanks in advance
Antero
Hi Antero,
Yes, this is possible. Just check the link below for more details
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1151822
Assuming "http://www.xpto.com" is the only request you want to rewrite, the syntax of the action would be "header rewrite request Host header-value www.xpto.com replace xpto.com"
If, however, you need to create this action in a more generic way so that any URL is rewritten in the same format, you would need to use a regular expression. In this case, it would be something similar to the following (I didn't test it, so I'm not 100% sure that the regex is correct) "header rewrite request Host header-value www\.(.*)\.com replace %1.com"
I hope this helps
Daniel
Similar Messages
-
Cisco ACE - dynamic header rewrite
Can the ACE do dynamic http host and URL rewrites using an action list and variables?
I need to rewrite a URL like this...
http://*.domain.com rewritten to http://www.domain.com/user1/*
For example...
http://mikeyd.domain.com would be rewritten to http://www.domain.com/user1/mikeyd
... and so on for a large number of user names at the beginning of the URL string.
I am trying to find the action-list syntax for header rewrite and having trouble figuring this out. Would a redirection be a better option?
Thanks, in advance, for any help with this.
It's more related to disaster recovery planning than ACE configuration.
The cleanest way is to use L2 extension.
Otherwise you can use VMware SRM to change the IP addresses of your VMs, or run an OSPF process and replicate all the subnets and put it in the "shutdown state" (or announcing it with a very high cost, proximity routing will do the rest - ACE module can do this for the VIPs with OSPF route health injection, ACE4710 doesn't support RHI but on the upstream router you can define an IP SLA probe and perform conditional redistribution), or use a dummy VRF with all your subnets and when enabling DRP, perform route leaking... use NAT with DNS-based failover etc...
There is no generic answer to your problem.
-
Guys,
I need to setup ACE to do the below:
The client will call a url: https://server1.com.br
- Ace will terminate this ssl with a certificate of my internal ca imported to ACE;
Then, I need ACE to rewrite the url to https://host01.com.br/appl using a certificate generated by the Application Server and also imported to ACE.
It's possible?
So, you have client authentication configured on your real server? (I mean, very often HTTPS only uses certificate on server side)
If yes - no problem you can configure such type of SSL initiation too, however we can rewrite http header but we can't change URL (and https://server1.com.br to https://host01.com.br/app are URLs)
Example of HTTP header and some small explanations :
http://www.http.header.free.fr/http.html
And in that example you can change only these parts :
>> Host: www.http.header.free.fr
>> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
>> Accept-Language: Fr
>> Accept-Encoding: gzip, deflate
>> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
>> Connection: Keep-Alive
You can't change these :
URL : "http://www.http.header.free.fr/http.html". Your browser connects to www.http.header.free.fr and sends :
>> GET /http.html Http1.1
-
Hi,
I have for example a site http://abc.com which responds back with the port on which it's being used on the server, ex: http://abc.com:9081
How would I rewrite the response to remove the port on the server that is being used?
Thank you,
Hi,
Do you have to rewrite the 30x redirect response from the server, or is it a normal response?
You can try below:
(config)# action-list type modify http H
(config-actlist-modify)# header rewrite response Location header-value http://abc.com:9081 replace http://abc.com
I am using header name as Location. Please use according to your need.
I haven't tried this myself but it should work. Try and let me know.
Regards,
Kanwal
-
What is the syntax for rewriting the destination port for a HTTP request?
For Example: Rewriting "http://www.test123.com" TO "http://www.test123.com:81"
Thanks!
Hi,
The simple solution is to specify port at rserver level to the desired port. In your case it should be like this :
host1/Admin(config-sfarm-host)# rserver SERVER1 81
This is from the documentation, which explains the same:
Associating a Real Server with a Server Farm
You can associate one or more real servers with a server farm and enter real-server server-farm configuration mode by using the rserver command in either server farm host or server farm redirect configuration mode. The real server must already exist. For information about configuring a real server, see the "Configuring Real Servers" section. You can configure a maximum of 16,384 real servers in a server farm. The syntax of this command is as follows:
rserver name [port]
The arguments are as follows:
•name—Unique identifier of an existing real server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
•port—(Optional) Port number used for the real server port address translation (PAT). Enter an integer from 1 to 65535.
If you choose not to assign a port number for the real server association with the server farm, the default behavior by the ACE is to automatically assign the same destination port that was used by the inbound connection to the outbound server connection. For example, if the incoming connection to the ACE is a secure client HTTPS connection, the connection is typically made on port 443. If you do not assign a port number to the real server, the ACE will automatically use port 443 to connect to the server, which results in the ACE making a clear-text HTTP connection over port 443. In this case, you would typically define an outbound destination port of 80, 81, or 8080 for the backend server connection.
For example, to identify real server SERVER1 and specify port 80 for the outgoing connection, enter:
host1/Admin(config-sfarm-host)# rserver SERVER1 80
host1/Admin(config-sfarm-host-rs)#
Hope that helps.
regards,
Ajay Kumar
-
CSS11506 http header rewrite question
Hi
I read the ACE doc, and it said that Cisco ACE supports the capability to rewrite http headers in both client requests and server responses. Can the CSS11506 do it?
I have a lot of problems where the application on the local server redirects https to http, because of the way they do the installation, which is the standard way, and it cannot be fixed or is hard to fix.
I would like to get a tip to let css11506 rewrite the server's rewrite. Is it possible?
Any comments will be appreciated
Thanks in advance
julxu
Hello Julxu,
If I understand your question correctly, you are looking for the CSS to rewrite the URL from http to https when the server sends a redirect to the client. If I'm correct, then you can find out how to accomplish this in the Specifying Secure URL Rewrite section of the CSS configuration guides.
Hope this helps,
Sean
-
ACE http/https redirect or rewrite
Greetings,
We have a setup that requires ACE http/https redirection or rewrite.
A client connects to a secured Web portal which has its ssl termination on the ACE.
The web portal will request from the client a redirection to another application. As the portal is unaware that the incoming client https request was terminated on the ACE,
the client receives the redirect request for an unsecured http URL rather than for the secured https URL.
In this case what would be best to use? ACE "rewrite" or "redirect"?
Will the following example config for ACE "redirect" be sufficient to implement this?
ssl-proxy service ssl-App-443-81
key app1.test.com.key
cert app1.test.com.cert
rserver redirect App-secure-redirect
webhost-redirection https://app1.test.com/Go/
inservice
serverfarm redirect App-secure-redirect-sf
rserver App-secure-redirect
inservice
serverfarm host App-81-sf
probe TCP81
rserver proxy1 81
inservice
rserver proxy2 81
inservice
parameter-map type http http_param_map
header modify per-request
sticky http-cookie App-cookie App-sticky
cookie insert
replicate sticky
serverfarm App-81-sf
class-map match-any App-443-81-cm
2 match virtual-address 10.10.10.112 tcp eq https
class-map match-any App-81-cm
2 match virtual-address 10.10.10.112 tcp eq 81
class-map type http loadbalance App-secure-redirect-cm
match http url http://app1.test.com:81/Go/
policy-map type loadbalance http first-match App-rewrite-pm
class App-secure-redirect-cm
serverfarm App-secure-redirect-sf
policy-map type loadbalance http first-match App-sticky-443-81-pm
class class-default
sticky-serverfarm App-sticky
policy-map multi-match policy-inbound
class App-81-cm
loadbalance vip inservice
loadbalance policy App-rewrite-pm
loadbalance vip icmp-reply active
loadbalance vip advertise active
class App-443-81-cm
loadbalance vip inservice
loadbalance policy App-sticky-443-81-pm
loadbalance vip icmp-reply active
loadbalance vip advertise active
appl-parameter http advanced-options http_param_map
ssl-proxy server ssl-App-443-81
If you are offloading www.yoursite.com on ACE and on the backend
real servers are not ssl aware (sends URL with http://) then with
following sample config you can instruct ACE to rewrite such urls (http->https)
class-map match-all VIP-443
match virtual-address x.x.x.x tcp eq https
action-list type modify http HTTP2HTTPS-REWRITE
ssl url rewrite location www\.yoursite\.* sslport 443 clearport 80
policy-map type loadbalance first-match YOUR-POLICY
class class-default
serverfarm YOUR-SFARM
action HTTP2HTTPS-REWRITE
class VIP-443
loadbalance vip inservice
loadbalance policy YOUR-POLICY
loadbalance vip icmp-reply active
ssl-proxy server YOUR-SSL-SERVICE
You need Ace2.x+ on Ace module & 3.x+ on 4710 appliance for this feature.
Syed Iftekhar Ahmed
-
ACE: wrong IP in HTTP header HEALTHCHECK packet
Hi,
I encounter a strange problem with ACE when the blade performs a HTTP healthcheck towards a RSERVER.
Sometimes, ACE inserts in the HTTP header a strange IP address, other than the IP address of the rserver, for which it performs a healthcheck.
Anyone encountered the same problem?
Thx, Wim
Hi Gillis,
I reported this issue to our integrator. I think they will open a cisco case right now.
We are able to reproduce this problem. So, that might not be the problem to troubleshoot at this moment.
For your information, we had version A1.6 running until last week. Now, we upgraded to A2, but the healthcheck issue is still present.
I assume you'll be informed via the support case?
-
Load Balancing with ACE using HTTP Header information
Hello,
I am trying to setup a class-map using http loadbalance match-all.
What I want to do is check for the HTTP Host and if it does not match the http referer then go to server farm A. If it does match then go to server farm B.
My problem is the host can be several different values as well as the referer. Can you set up variables in the ACE so I can store the value from http host and compare it against http referer?
Thanks
Mike C.
It should be like this (If you want to use separate class maps for referrer & Host).
class-map type http loadbalance match-any site1-HostHDR
2 match http header Host header-value ".*site1.com"
class-map type http loadbalance match-any site1-Referer
2 match http header Referer header-value "http://site1.*"
class-map type http loadbalance match-any site2-HostHDR
2 match http header Host header-value ".*site2.com"
class-map type http loadbalance match-any site2-Referer
2 match http header Referer header-value "http://site2.*"
class-map type http loadbalance match-all Site1-policy
2 match class-map site1-HostHDR
3 match class-map site1-Referer
class-map type http loadbalance match-all Site2-policy
2 match class-map site2-HostHDR
3 match class-map site2-Referer
policy-map type loadbalance http first-match Site1
class Site1-policy
serverfarm SFarm-A
class Site2-policy
serverfarm SFarm-A
class class-default
serverfarm SFARm-B
Syed Iftekhar Ahmed
-
ACE One-Arm Source-NAT HTTP Header Insert
Hello ACE Gurus,
This is probably a dumb question but I'm looking for info on HTTP Header Insert for SSL sessions. Does the HTTP header re-write action list work for SSL traffic? I guess I'm not clear on whether or not the header is encrypted and if the ACE can modify on an HTTPS session. Any input would be greatly appreciated.
/r
Rob
Hi Rob,
When using HTTPS, all the data is encrypted, including the HTTP headers.
In such a situation, if you want to insert headers (or do any other kind of L7 processing), you will have to configure the ACE to do SSL termination. Once the connection is decrypted, the ACE can do any processing it needs before sending the connection towards the server either in clear text or again using HTTPS.
I would recommend you to have a look at the link below. This is an example of how to configure an ACE for end-to-end SSL (so, HTTPS on both sides of the ACE). In the example, the only L7 processing that is being done is matching on the URL, but it would be enough to replace that part with whatever header insertion commands you need
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
If you still need more help to understand any of the points involved in the process, please, do not hesitate to contact me again.
Regards
Daniel
-
Load Balance Reverse Proxy using ACE and HTTP Header Sticky
Dear all,
I have a reverse proxy that makes HTTP and HTTPS requests to an ACE.
To implement persistence I want to configure HTTP HEADER Stickiness using the X-Forwarded-For information but I don't know:
How to implement it (I'll appreciate a little example about it).
Which values I need for OFFSET and LENGTH fields.
Can you help me please?
Thanks a lot!!
Hi Cesar.
Thanks a lot for your answer but I think you misunderstand the question or I'm not explaining very well
I don't need to insert anything.
The serverfarm X will be accessed by a reverse proxy. This reverse proxy already inserts the X-Forwarded-For header, so the request from the reverse proxy comes with this header to the serverfarm X.
The problem is that now the serverfarm X sticks the client based on source IP. This is the wrong behavior because all the requests come from the same source (reverse proxy) and all the load is forwarded to the same real IP address.
This is why I want to change the sticky from source IP to HTTP header and look for the X-Forwarded-For field.
Hope it will clarify the question!
-
HTTP header insertion problem with ACE
Hi
I try to configure the HTTP header insertion feature based on the action-list type modify http. Unfortunately it does not work.
The config looks like that
action-list type modify http TEST
header insert both Host header-value test:test.
I added this action-list to the correct policy-map.
When I checked the sniffer output on the server side, there is no test value in the HTTP header.
I test the same feature based on the "insert-http" command in the policy-map and this one works.
Could anybody help me with this problem?
Thank you in advance
Regards
Lucas
Hi Lukas,
Add a new parameter-map named PRMAP_PERST_REBLNC and add this to the policy map using command appl-parameter http advanced-options PRMAP_PERST_REBLNC as shown below:
action-list type modify http test-insert
header insert both My-Header header-value test
header insert both SSL header-value TRUE
policy-map type loadbalance http first-match HtppInsert
class class-default
serverfarm linux1-80
action test-insert
policy-map multi-match SLB1
class VIP-122-80
loadbalance vip inservice
loadbalance policy HtppInsert
loadbalance vip icmp-reply active
loadbalance vip advertise active
loadbalance vip advertise metric 1
connection advanced-options SetTos
appl-parameter http advanced-options PRMAP_PERST_REBLNC
parameter-map type http PRMAP_PERST_REBLNC
persistence-rebalance
Hope this will make the http header be inserted into all the packets, not only the first one.
If it works then plz inform.
Kind Regards.
Sachin Garg
-
302 Redirect Location Header Rewrite not working with code upgrade
Hi,
Description:
We have a portal webservice hosted by an ACE4710. It has two services (www/https) on the same IP 10.1.1.1.
One is a redirect service that redirects all requests to tcp/80 on this ip to the other which is a 'standard' https proxy service.
The backend servers are http only. Externally everything needs to be https.
So we have an ssl proxy and Location header http to https rewrite on the https service.
The configuration below operates correctly on v5_1_2.
But with a code upgrade to 5_3_1b, the Location header rewrite does not work.
We've tried several different configurations and even 'ssl url location rewrite ".*". It just looks like the ACE is completely ignoring the configuration to rewrite the Location field.
Reverting to the older code fixes the problem.
Problem seen:
Here is the problem as seen on the *client*. The 302 redirect Location header is NOT rewritten:
Response headers:
HTTP/1.1 302 FOUND
Server: nginx
Date: Fri, 20 Mar 2015 10:59:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 295
Connection: keep-alive
Location: http://website.liveportal.nhs.uk/homepage/information
Cache-Control: no-cache, no-store
Set-Cookie: information=35a7831d-928d-4122-aef3-39ef48ac4440; Path=/; secure; HttpOnly
X-Frame-Options: DENY
HTTPSampleResult fields:
ContentType: text/html; charset=utf-8
DataEncoding: utf-8
Config extract:
1) Set up the servers (4 normal on tcp/80 and one for a redirect)
rserver host WEBSERVICE-1
ip address 192.168.1.1
conn-limit max 200000 min 160000
inservice
...and the same for the other three
rserver redirect PORTAL_REDIRECT
webhost-redirection https://%h/%p 302
inservice
2) Set up the server farms
serverfarm host PORTAL_LIVE
probe webping
rserver WEBSERVICE-1 80
inservice
rserver WEBSERVICE-2 80
inservice
rserver WEBSERVICE-3 80
inservice
rserver WEBSERVICE-4 80
inservice
serverfarm redirect PORTAL_HTTP_REDIRECT
rserver PORTAL_REDIRECT
inservice
3) Setup the ssl proxy and a location rewrite to https for responses from the servers
action-list type modify http HTTPS_LOCATION
header rewrite response Location header-value "http://(.*)" replace "https://%1"
ssl-proxy service WEB_SSL_PROXY
key webportal.key
cert webportal.crt
chaingroup root-chain
ssl advanced-options SSL-SECURE-STRONG-WEB
4) Set up the L4 services
class-map match-all PORTAL_HTTP
2 match virtual-address 10.1.1.1 tcp eq www
class-map match-all PORTAL_SSL
2 match virtual-address 10.1.1.1 tcp eq https
5) Setup the policy maps - one for the real servers with header rewrite for redirects
policy-map type loadbalance http first-match PORTAL_HTTP
class class-default
serverfarm PORTAL_HTTP_REDIRECT
policy-map type loadbalance http first-match PORTAL_SSL
class class-default
serverfarm PORTAL_LIVE
action HTTPS_LOCATION
6) Create the service policy
policy-map multi-match EXTERNAL-SERVICES
class PORTAL_SSL
loadbalance vip inservice
loadbalance policy PORTAL_SSL
loadbalance vip icmp-reply
appl-parameter http advanced-options PARAM-HTTP
ssl-proxy server WEB_SSL_PROXY
class PORTAL_HTTP
loadbalance vip inservice
loadbalance policy PORTAL_HTTP
loadbalance vip icmp-reply
7) Apply to the interface
interface vlan 211
description External Access
ip address x.x.x.x 255.255.255.0
alias x.x.x.x 255.255.255.0
peer ip address x.x.x.x 255.255.255.0
access-group input PERMIT-ALL
service-policy input EXTERNAL-SERVICES
no shutdown
I found that the v5_3_1b code seems to need a bit of extra configuration and it now works ok.
parameter-map type http PARAM_HTTP
header modify per-request
no persistence-rebalance
case-insensitive
-
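A way to check a captured response for the unrewritten redirect described in this thread, and to dry-run the two rewrite rules quoted on this page (the Host rule from the first thread and the Location rule here). This is an added example, not code from any poster or from Cisco. It assumes Python's re module as a stand-in for the ACE regex engine, that a pattern must match the whole header value, and that %1 refers to the first capture group; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: part of the client-side 302 quoted in the thread above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 FOUND\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Location: http://website.liveportal.nhs.uk/homepage/information\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)

# Rules as written in the threads: (header name, pattern, replacement).
HOST_RULE = ("host", r"www\.(.*)\.com", "%1.com")
LOCATION_RULE = ("location", r"http://(.*)", "https://%1")


def parse_head(raw):
    """Split a raw response head into (status, [(lowercase name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def apply_rule(headers, rule):
    """Model one 'header rewrite' rule over a list of (name, value) pairs.

    Assumptions (not verified against ACE): whole-value match, %N = group N.
    """
    name, pattern, replacement = rule
    template = re.sub(r"%(\d)", r"\\\1", replacement)  # "%1" becomes "\1"
    out = []
    for hname, value in headers:
        m = re.fullmatch(pattern, value) if hname == name else None
        out.append((hname, m.expand(template) if m else value))
    return out


def downgrade_redirects(status, headers):
    """Return Location values that send a client of the HTTPS VIP to plain HTTP."""
    if not 300 <= status < 400:
        return []
    return [v for n, v in headers
            if n == "location" and urlsplit(v).scheme.lower() == "http"]


def check(raw, rule=LOCATION_RULE):
    """Findings as the client saw them, and findings once the rule is applied."""
    status, headers = parse_head(raw)
    before = downgrade_redirects(status, headers)
    after = downgrade_redirects(status, apply_rule(headers, rule))
    return before, after


if __name__ == "__main__":
    before, after = check(SAMPLE_RESPONSE)
    print("unrewritten redirects seen by client:", before)
    print("remaining after Location rule:       ", after)
    print(apply_rule([("host", "www.xpto.com")], HOST_RULE))
```

Run against headers captured on the client side of the VIP after a code upgrade, a non-empty first list means the Location rewrite is not being applied.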
Http header insertion with MSISDN
Hi
I know that we can define a http header insertion on the ACE to insert a custom header and a string in to the value. Is there a way for me to insert a dynamic string read from a database in to the value field? My exact requirement is to insert the MSISDN of mobile subscribers in to their http traffic. The MSISDN can be extracted from the RADIUS accounting messages.
Any ideas, I have no clue as to how to do such a thing.
thanks
I don't know about this feature. I think it's not possible. ACE can insert/generate only cookie. All other L7 methods (e.g. http header) are using existing data in communication.
MSISDN inserting to http header/uri is role of wap-gw, or something like that device in data flow process.
martin
-
ACE - HTTPS CLASS MAP CONFIGURATION
Hi,
We have a secured web site (HTTPS) currently fronted by Cisco ACE 4170, running version A5(1.2). We are trying to use the http class map to manipulate the traffic flow in the following manner:
https://abc.com/ABC/* -> serverfarm#1
https://abc.com/* -> serverfarm#2 (Default)
Technically this should not be difficult and below is a sample of our configuration. We have similar configuration working on our non-secured web site (HTTP). However, for the secure web site, the https request https://abc.com/ABC/xxx continues to be routed to serverfarm#2 instead of serverfarm#1, which is very frustrating.
We can easily get this working on my F5 LTM within 5 minutes but this Cisco ACE continues to frustrate me... Appreciate if any expert on Cisco ACE can help to advise on our configuration. Thanks.
=========================================================
serverfarm host serverfarm#1
predictor leastconns
probe https_probe
rserver rs_server#1
inservice
rserver rs_server#2
inservice
serverfarm host serverfarm#2
predictor leastconns
probe https_probe
rserver rs_server#3
inservice
rserver rs_server#4
inservice
sticky http-cookie STICKY_HTTPS_serverfarm#1
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#1
sticky http-cookie STICKY_HTTPS_serverfarm#2
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#2
class-map type http loadbalance match-any class-map-serverfarm#1
2 match http url /ABC/.*
policy-map type loadbalance first-match vs_serverfarm_https
class class-map-serverfarm#1
sticky-serverfarm STICKY_HTTPS_serverfarm#1
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
class class-default
sticky-serverfarm STICKY_HTTPS_serverfarm#2
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
=========================================================
Kanwaljeet,
Yes, we are using ACE for SSL termination i.e. front end is https and back-end is also https.
We are doing end-to-end encryption as our IT security and audit wanted end-to-end encryption between the client and servers. ACE should be able to look at the HTTP header at the front end since the client SSL session is terminated on the ACE.
Below is an extract of the configuration, I've left out the remaining configuration which is not required.
=========================================================
serverfarm host serverfarm#1
predictor leastconns
probe https_probe
rserver rs_server#1
inservice
rserver rs_server#2
inservice
serverfarm host serverfarm#2
predictor leastconns
probe https_probe
rserver rs_server#3
inservice
rserver rs_server#4
inservice
sticky http-cookie STICKY_HTTPS_serverfarm#1
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#1
sticky http-cookie STICKY_HTTPS_serverfarm#2
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#2
class-map match-all vs_serverfarm
2 match virtual-address 10.178.50.140 tcp eq https
class-map type http loadbalance match-any class-map-serverfarm#1
2 match http url /ABC/.*
policy-map type loadbalance first-match vs_serverfarm_https
class class-map-serverfarm#1
sticky-serverfarm STICKY_HTTPS_serverfarm#1
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
class class-default
sticky-serverfarm STICKY_HTTPS_serverfarm#2
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
policy-map multi-match PRODWEB_POLICY
class vs_serverfarm
loadbalance vip inservice
loadbalance policy vs_serverfarm_https
loadbalance vip icmp-reply active
nat dynamic 100 vlan 100
ssl-proxy server ssl_serverfarm
=========================================================