Cisco ACE re-writing a URL on the fly

This post came out of an issue where a redirection or re-write of a URL had to be carried out on the fly. The server in this instance was running a web service on HTTP which redirected itself to HTTPS. The site had a certificate (ideally a SAN certificate would have been the correct implementation) and we had to present the alternative name to the client. In summary, the client goes to website A (mycheese.com), which resolves to the IP of the VIP, behind which is a server running website B (mytoast.com). The website has a certificate for website B only. We will re-write the URL through the ACE so that the client does not see an invalid certificate.

<< Man in the Middle ??>>

# rserver host TOAST-SVR
# ip address 100.100.100.100
# inservice
!
# serverfarm host TOAST-SFARM
# failaction reassign
# predictor leastconns
# rserver TOAST-SVR
# inservice
!
# sticky ip-netmask 255.255.255.255 address both TOAST-STICKY
# timeout 60
# replicate sticky
# serverfarm TOAST-SFARM
!
# action-list type modify http HTTP_CHEESE-on-TOAST_REWRITE
# header rewrite request Host header-value "mycheese.bread.com" replace "mytoast.bread.com"
!
# class-map match-any CHEESE-VIP
# 2 match virtual-address 100.100.100.200 tcp eq www
# 4 match virtual-address 100.100.100.200 tcp eq https
!
# policy-map type loadbalance first-match SLB-CHEESE-POLICY
# description Filter traffic matching the VIP
# class class-default
# sticky-serverfarm TOAST-STICKY
# action HTTP_CHEESE-on-TOAST_REWRITE
!
# Policy <<abridged>>
# class CHEESE-VIP
# loadbalance vip inservice
# loadbalance policy SLB-CHEESE-POLICY
# loadbalance vip icmp-reply active
# nat dynamic 200 vlan 100
!
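
An added example, not part of the original post and not Cisco code: a Python model of what the action-list does to the Host header, next to the name check a client runs on the certificate, covering the SAN case the post calls the correct implementation. Assumptions: header-value is treated as a regular expression matched against the whole Host value, and the certificate name lists, function names and sample request are constructed for illustration.

```python
import re

def rewrite_host(headers, header_value, replace):
    """Model of the action-list: rewrite Host when the whole value matches.
    Assumption: header-value is a regular expression, matched case-insensitively."""
    out = dict(headers)
    if re.fullmatch(header_value, out.get("Host", ""), re.IGNORECASE):
        out["Host"] = replace
    return out

def name_matches(san, hostname):
    """Exact match, or '*' as the entire left-most label of a 3+ label name."""
    p = san.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def client_accepts(cert_sans, requested_name):
    """The client checks the certificate against the name it asked for,
    not against the Host header the server farm receives after the rewrite."""
    return any(name_matches(s, requested_name) for s in cert_sans)

# Constructed sample data using the host names from the action-list.
CLIENT_NAME = "mycheese.bread.com"
REQUEST = {"Host": CLIENT_NAME, "User-Agent": "example"}
CERTS = {
    "single-name": ["mytoast.bread.com"],
    "SAN": ["mytoast.bread.com", "mycheese.bread.com"],
    "wildcard": ["*.bread.com"],
}

def report():
    backend = rewrite_host(REQUEST, "mycheese.bread.com", "mytoast.bread.com")
    verdicts = {k: client_accepts(v, CLIENT_NAME) for k, v in CERTS.items()}
    return backend["Host"], verdicts

if __name__ == "__main__":
    host, verdicts = report()
    print("Host seen by TOAST-SFARM:", host)
    for kind, ok in verdicts.items():
        print(f"{kind:12} certificate accepted for {CLIENT_NAME}: {ok}")
```

In this model an unescaped dot in header-value matches any character, so a stricter pattern would escape the dots.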
