Force http traffic to specific interface

Similar Messages

• Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI

  -- Requirement --
  I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
  The web server instance has two listen sockets, 80 and 443.
  The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
  HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
  -- Current set-up --
  The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
  How can I constrain the reverse proxying to HTTPS traffic?
  Thanks for your help,
  Jez

  Thanks Chris that worked perfectly.
  Aside
  Before your solution I had (unsuccessfully) tried the following obj.conf directive
  <Client security="false">
  NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
  </Client>However, it didn't work - is it not possible to use the <Client security="false"> in this manner?

• WSA blocking HTTPS traffic -allowing HTTP

  We have two S170 WSA appliances configured as Guest Wi-Fi Internet proxy servers.  The local network design is as follows:
  WLC5508 (Foreign)     >>     WLC5508 (Anchor)     >>     ACE20 Context     >>     WSA 170     >>     FWSM     >>     Internet
  Guest traffic is authenticated via WCS using RADIUS but is disabled for now.
  Clients associate to SSID, receive IP address via local DHCP scope on anchor WLC and forward all traffic to DFWG which is ACE20 interface.
  ACE20 has specific class-maps for public DNS use and loadbalance policy-map which forwards all other traffic (excluding DNS) to WSA.
  HTTP traffic works fine, HTTPS traffic fails.  The HTTPS proxy service uses a local self-signed certificate for initial decryption of the session. The browser and WSA negotiates to use TLSv1 then the error below is shown.
  Fails
  57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
  1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
  1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -
  I have seen this error posted before but no resolution.  I'm sure this is a config problem, but cannot figure why or where!
  Any ideas, thoughts or help would be great...
  Cheers

  Hi axa,
  This is an access policy blocking the SSL traffic based on the TCP_DENIED_SSL / 403. Also I would suspect that you do not have HTTPS proxy enabled which would be required since your not using port 80 for 443 traffic. I would recommend opening a ticket with the WSA Content Security Team.
  Sincerely,
  Erik Kaiser
  WSA CSE
  WSA Cisco Forums Moderator
  Message was edited by: Erik Kaiser

• How to add a route for a specific interface

  HI,
  i want to make a direct link beetween 2 computers (ubuntu and solaris) with a cross over cable.
  solaris : e1000g0 (192.168.0.212= normal network)
  e1000g1 (172.18.0.2 = network for interconnection beetween ubuntu and solaris
  routing table:
  Destination Gateway Flags Ref Use Interface
  default 192.168.0.245 UG 1 7040 e1000g0
  192.168.0.0 192.168.0.212 U 1 5167 e1000g0
  224.0.0.0 192.168.0.212 U 1 0 e1000g0
  127.0.0.1 127.0.0.1 UH 4 30343 lo0
  ubuntu : eth0 (192.168.0.144 = normal network)
  eth1 (172.18.0.3 = network for interconnection beetween ubuntu and solaris)
  routing table :
  Destination Gateway Genmask Flags MSS Window irtt Iface
  192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
  169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
  0.0.0.0 192.168.0.245 0.0.0.0 UG 0 0 0 eth0
  at the beginning, i was thinking that no route was necessary, but the ping didn't work beetween the two servers.
  so, my question is : how can i add a route for a specific interface on my solaris (i want that the traffic for the network 172.18.0.0 go throught e1000g1)
  thank for your help

  SOLARIS :
  -bash-3.00# ifconfig -a
  lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  inet 127.0.0.1 netmask ff000000
  e1000g0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
  inet 192.168.0.212 netmask ffffff00 broadcast 192.168.0.255
  ether 0:1b:24:f0:7a:fc
  e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
  inet 172.18.0.2 netmask ffffff00 broadcast 172.18.0.255
  ether 0:1b:24:f0:7a:fd
  -bash-3.00# netstat -rn
  Routing Table: IPv4
  Destination Gateway Flags Ref Use Interface
  default 192.168.0.245 UG 1 7040 e1000g0
  192.168.0.0 192.168.0.212 U 1 5323 e1000g0
  224.0.0.0 192.168.0.212 U 1 0 e1000g0
  127.0.0.1 127.0.0.1 UH 8 31593 lo0
  -bash-3.00#
  UBUNTU :
  ifconfig
  eth0 Link encap:Ethernet HWaddr 00:1e:c9:d1:22:ea
  inet addr:192.168.0.144 Bcast:192.168.0.255 Mask:255.255.255.0
  inet6 addr: fe80::21e:c9ff:fed1:22ea/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  RX packets:19992226 errors:0 dropped:0 overruns:0 frame:0
  TX packets:9886296 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:10075930406 (10.0 GB) TX bytes:2847567457 (2.8 GB)
  Interrupt:16 Memory:f8000000-f8012700
  eth1 Link encap:Ethernet HWaddr 00:1e:c9:d1:22:ec
  inet addr:172.18.0.3 Bcast:172.18.0.255 Mask:255.255.255.0
  inet6 addr: fe80::21e:c9ff:fed1:22ec/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  RX packets:919 errors:0 dropped:0 overruns:0 frame:0
  TX packets:905 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:58816 (58.8 KB) TX bytes:91286 (91.2 KB)
  Interrupt:16 Memory:f4000000-f4012700
  # netstat -rn
  Kernel IP routing table
  Destination Gateway Genmask Flags MSS Window irtt Iface
  192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
  169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
  0.0.0.0 192.168.0.245 0.0.0.0 UG 0 0 0 eth0

• QoS value for http traffic from IP Phone

  Since the phone marks all voice with COS 5 and data traffic with COS 0. Does this also include traffic sourced from the IP Phone http? request when doing Directory Lookups, IP Phone Services.
  Thanks!

  With 4.1 and up (not sure if 4.0 had this), this traffic is marked with TOS 3 or DSCP CS3 (24). You can modify this enterprise parameter to what ever you want.
  DSCP for SCCP Phone-based Services :
  This parameter specifies the Differentiated Service Code Point (DSCP) IP classification for IP phone services on SCCP-based phones, including any HTTP traffic. Note: You must restart SCCP-based phones for this parameter change to take effect.
  This is a required field.
  Default: default DSCP (000000).
  Restart SCCP-based phones for the parameter change to take effect.
  HTH
  Sankar
  PS: please remember to rate posts!

• SG300 Redirect HTTP Traffic to Proxy

  Dear Cisco Community,
  We have the following setup
  1 x SG300 Switch in Layer 3 Mode
  VLAN 100 (Management VLAN)
  VLAN 200 (Data VLAN for Internet Users)
  The SG300 has an IP4 Interface in each VLAN:
  100: 10.1.1.254 / 24
  200: 10.1.2.254 / 24
  The internet gateway (Zyxel USG-100) is located in VLAN 100.
  In order to restrict the web browsing acitivites, we're in the process of implementing a Proxy server (GFI Webmonitor).  Is it possible, to redirect all HTTP and HTTPS traffic which arrives at the SG300's VLAN200 IP interface to the proxy server?  I was thinking of a static route, but then this would apply to all traffic.  Another option would be to block port 80/443 traffic using an ACL I suppose=
  Any input will be highly appreciated, thank you!
  Kind regards,
  Romeo

  Hi Mohamad,
  I've seen this done in slightly different ways.  One way is at the very bottom of the following examples from the Cisco.com CSM-S config guide:
  CSM-S Configuration Examples
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/cfgxpls.html
  Another way is like this:
  serverfarm REDIRECT
    nat server
    no nat client
     redirect-vserver REDIRECT
      webhost relocation https://www.example.com/
      inservice
  serverfarm SSL_DC
    no nat server
    no nat client
    real 192.168.78.36 local
     inservice
  vserver VSERVER_80
    virtual 192.168.78.35 tcp 80
    serverfarm REDIRECT
    persistent rebalance
    inservice
  vserver VSERVER_443
    virtual 192.168.78.35 tcp 443
    serverfarm SSL_DC
    persistent rebalance
    inservice
  Hope this helps get you started.
  Sean

• Debugging HTTP traffic from iPad with Charles

  Here's a great tip on how to use Charles on your Mac or PC to proxy HTTP traffic from your iPad so you can debug it.
  http://www.ravelrumba.com/blog/ipad-http-debugging/

  Talking of debugging iPad, and Flash apps specifically, I only recently tried out the "Quick publishing for device debugging" option. When you do that, and run the app on the device, you can set Flash to be in a remote debugging session, and on the app screen you type in the IP address of your computer. You can then debug the running app in just the same way you would debug a swf running in your desktop browser. You don't even have to be connected by USB, it works across the wireless network.

• Routing traffice using 2 interfaces

                  my question is whats the best solution for routing internet traffic out one interface and production, management traffic out another interface. using a cisco ISR 2900

  You can use PBR.
  Here are 2 documents with examples:
  http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
  https://supportforums.cisco.com/docs/DOC-1634
  HTH

• Capture http traffic between server and proxy

  Hi,
  I am not a solaris admin so I need some help to capture http traffic between proxy and server.
  I used 'snoop port 80' on my proxy server but this command gives me the traffic between client and proxy.
  PS: i do not have access to remote server.
  Thanks
  Linda

  You probably need this instead:
  snoop host server
  where server is the hostname of the server that you are trying to connect to.
  If you have multiple interfaces, you have to be sure you are snooping on the right interface.

• MPF ASA for Web Filtering. Https traffic

  SOURCE: https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls
  Hi all,
  I have the following configuration in my ASA  based on guidelines from the above source to allow only certain sites in my home and block all requests to http and https sites. However,requests to HTTP sites are being blocked but not to HTTPS. Only one host in the network can access all sites
  access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www
  access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq https
  access-list WEBFILTER extended permit tcp any any eq www
  access-list WEBFILTER extended permit tcp any any eq https
  regex allowex1 “website1\.com”
  regex allowex2 “website2\.com”
  class-map type inspect http match-all allow-url-class
  match not request header host regex allowex1
  match not request header host regex allowex2
  class-map allow-user-class
  match access-list WEBFILTER
  policy-map type inspect http allow-url-policy
  parameters
  class allow-url-class
    drop-connection
  policy-map allow-user-url-policy
  class allow-user-class
    inspect http allow-url-policy
  service-policy allow-user-url-policy interface inside
  HOW can the HTTPS traffic be also blocked in the above configuration? What am I missing?
  Thanks in advance for your help
  Juan

  Is it even possible for for MPF ASA to inspect and filter HTTPS traffic? I do not even see it in the options:
  (config)# class-map type inspect ?
  configure mode commands/options:
    dns   Configure a class-map of type DNS
    ftp   Configure a class-map of type FTP
    h323  Configure a class-map of type H323
    http  Configure a class-map of type HTTP
    im    Configure a class-map of type IM
    sip   Configure a class-map of type SIP

• RV320, specific traffic through specific wan port

  Hello all,
  I love the RV320, one of the best routers i've bought in years and it works like a charm with our Fiber connection on WAN1 and Coax Cable on WAN2.
  The only question I have right now, i know it is possible to sent specific traffic (DNS,HTTP etc) through specific WAN ports.
  But would it also be possible in some way to say *.website.com traffic will go through WAN port x only?
  Specific apps we use are only available through an IP coming from the provider we use on WAN2 (cable coax), so it would be handy if we could say that if app this or that and/or website is being called, auto serve it through WAN port x.
  Is this possible and if not, something cisco could  add?      

  Dear Michiel,
  Thank you for reaching Small Business Support Community.
  Besides the service management options available I do not see a particular feature to accomplish your needs. I work on this community forum as an analyst and I am going to mark this post as a business opportunity for improvement of the device.
  Thank you for your comment and please do not hesitate to reach me back if there is anything I may assist you with in the meantime.
  Kind regards,
  Jeffrey Rodriguez S. .:|:.:|:.
  Cisco Customer Support Engineer
  *Please rate the Post so other will know when an answer has been found.

• ISE Guest Portal only redirect HTTPS traffic.

  I have a wireless deployment consisting of the following:
  5760 WLC & ISE 1.2
  Am I missing something here
  I have 4 similar deployments, and never had these issues:
  On Android / Apple devices, the guest portal does not pop up automatically &
  On a Windows Laptop only https traffic directs to the guest portal.
  Thanx

  i think you need to recheck the configuration also check the link for step by step config
  http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

• How to force HTTPS on a page

  We have registration forms and other pages that collect personal details from users who are registering for the site or submitting other transactions (other than shopping cart purchases). By default these pages are delivered using HTTP under the main website.
  We need these pages to be secured using HTTPS. How can we force  HTTPS on these pages?
  Thanks,
  Colin

  Only way on BC is javascript
  eg:
  var secureURL = "yourdomain.worldsecuresystems.com";
  if ((window.location.protocol == "http:" || location.hostname != secureURL) && location.search.search("A=Template") == -1 && location.search.search("Preview") == -1) window.location = "https://"+secureURL+window.location.pathname;

• How to correct COOKIE + FORCED HTTP METHOD error

  I am running a few pages against the Access Me plug-in in
  firefox and
  received 3 errors..and 2 warnings...
  where do i began to resolve these issues?
  Access Me String Test Results
  FORCED HTTP METHOD
  Attack Details:
  a.. HTTP Method: SECCOMP
  The attacked page is dangerously similar to the original
  page. It is 100%
  similar. Got access to a resource that should be protected.
  Server response
  code:200 OK.
  COOKIE + FORCED HTTP METHOD
  Attack Details:
  a.. Input Parameter: ASP.NET_SessionId
  b.. HTTP Method: SECCOMP
  The attacked page is dangerously similar to the original
  page. It is 100%
  similar. Got access to a resource that should be protected.
  Server response
  code:200 OK.
  COOKIE
  Attack Details:
  a.. Input Parameter: ASP.NET_SessionId
  The attacked page is dangerously similar to the original
  page. It is 100%
  similar. Got access to a resource that should be protected.
  Server response
  code:200 OK.
  FORCED HTTP METHOD
  Attack Details:
  a.. HTTP Method: HEAD
  Got access to a resource that should be protected. Server
  response code:200
  OK. The attacked page is not very similar to the original
  page. It is 0.649%
  similar.
  COOKIE + FORCED HTTP METHOD
  Attack Details:
  a.. Input Parameter: ASP.NET_SessionId
  b.. HTTP Method: HEAD
  Got access to a resource that should be protected. Server
  response code:200
  OK. The attacked page is not very similar to the original
  page. It is 0.649%
  similar.
  ASP, SQL2005, DW8 VBScript, Visual Studio 2005, Visual Studio
  2008

  I think in get_p method you have declared the field type as Value help and in GET_V method you havent filled your value help table. Please check these two methos. Hope this helps you.
  Regards,
  Lakshmi.Y

• Archiving and different Retention period by  specific interface

  We want to specify different Retention period for different interfaces (audit reasons)... and based on search in SDN, it does not seem like this is  supported by SAP...
  Do any of you know if SAP intends to support this in future? Any ideas for overcoming this gap? or is this limitation deliberate (and has been kept in place for a reason)?

  Hi Krish,
  Actually I don't think we have this option of setting the retention period for specific interfaces,
  but for the global interfaces in the system.
  If you want to increase the time for Audit Log messages you need to change parameter 'messaging.auditLog.memoryCache' to false in order to persist the audit logs in PI 7.1 system. Take a look at note #1314974 for more details.
  And notice that after changing the parameter to false, audit logs are persisted till the corresponding messages are deleted. The default retention period of messages on AE is 30 days, keep in mind that it could have a little impact on the data volume.
  To increase the retention time in AFW, go to:
  Services -> XPI Adapter: XI:
  "xiadapter.outbound.persistDuration.default"
  "xiadapter.inbound.persistDuration.default"
  For the Integration Engine, it's under SXMB_ADM -> Integration Engine Configuration and Configuration.
  Regards,
  Caio Cagnani