Cisco SCA 11000 Series Secure Content Accelerators

Configuring urlrewrite on the Secure Content Accelerator

Document ID: 40749

Updated: Jan 31, 2006

Introduction

This document provides a sample configuration for the Secure Content Accelerator (SCA) urlrewrite feature. SCA offers an easy solution to migrate from traditional web servers with HTTP to secure content servers with Secure HTTP (HTTPS).

Insertion of the SCA in front of the HTTP server enables the SCA to perform all the secure functions necessary to encrypt the HTML document. The SCA is transparent to the clients and servers.

The purpose of this document is to show how the urlrewrite function can overwrite some links to an HTTP document with a link to the same document via HTTPS. This feature is useful when you want to be sure that a user who connects to your server via HTTPS through the SCA does not redirect to a nonsecure (HTTP) document.

Prerequisites

Requirements

Before you attempt this configuration, ensure that you understand these concepts:

  • Content Services Switch (CSS) and SCA basic configuration

  • HTTP and HTTPS protocols

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco CSS 11000 or CSS 11500 that runs any Cisco WebNS software version

  • Cisco SCA or SCA2 that runs 3.2.x or 4.x

The information in this document was created from the devices in a specific lab environment. All of the devices in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Background Theory

The command syntax is:

  • urlrewrite domainName [sslport portid] [clearport portid] redirectonly

When you have configured the urlrewrite command, the SCA can inspect the full HTML answer and replace every link to a nonsecure document with a link to the same document via HTTPS. For example, if the HTML document contains <A HREF="http://mycompany.com/images/index.html">images</A>, the SCA replaces it with <A HREF="https://mycompany.com/images/index.html">images</A>.

Alternatively, the SCA can inspect only the header, rather than the full HTML document, and replace the URL in the Location: field. The example below shows a Location: field whose URL points to a nonsecure page. Specify the redirectonly option for the SCA to replace only the URL in the Location: field.

HTTP/1.1 302 Found
Date: Wed, 05 Feb 2003 16:11:58 GMT
Server: Apache/2.0.40 (Red Hat Linux)
Location: http://tension.mycompany.com:70/images
Content-Length: 326
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
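As an added example (not code from the Cisco document or the SCA itself), here is a Python model of the two rewrite modes described above: the header-only Location: rewrite selected by redirectonly, and the full-document rewrite without it. It also includes a small check for step 3 of the Troubleshoot section, reporting a Location: value that the configured domain and clearport would not match. The function names, the sample response and the assumed defaults (clearport 80, sslport 443) are this example's own assumptions.

```python
import re

# Constructed model of the rule this document configures:
#   urlrewrite domainName [sslport portid] [clearport portid] redirectonly
# Defaults of clearport 80 / sslport 443 are assumptions for this example.

def _rule_regex(domain, clearport=80):
    # Match http://domain followed by the clear port (":80" is optional because
    # it is the HTTP default). The lookahead stops ":70" from matching ":700".
    port = r"(?::80)?" if clearport == 80 else r":%d" % clearport
    return re.compile(r"http://" + re.escape(domain) + port + r"(?=[/?#\s\"']|$)",
                      re.IGNORECASE)

def rewrite_response(raw, domain, clearport=80, sslport=443, redirectonly=False):
    """Return the server response with matching links rewritten to HTTPS.
    redirectonly=True touches only the Location: header, as on the SCA."""
    head, sep, body = raw.partition("\r\n\r\n")
    rx = _rule_regex(domain, clearport)
    target = "https://" + domain + ("" if sslport == 443 else ":%d" % sslport)
    # Header rewrite: only Location: lines are candidates (the redirect case).
    lines = [rx.sub(target, l) if l.lower().startswith("location:") else l
             for l in head.split("\r\n")]
    if not redirectonly:
        body = rx.sub(target, body)   # full-document rewrite of every link
    return "\r\n".join(lines) + sep + body

def location_mismatch(raw, domain, clearport=80):
    """Troubleshooting helper: return the Location: value if the server's
    redirect would NOT be matched by the configured rule, else None."""
    head = raw.partition("\r\n\r\n")[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        if line.lower().startswith("location:"):
            value = line.split(":", 1)[1].strip()
            if _rule_regex(domain, clearport).match(value) is None:
                return value
    return None

# Constructed sample: the 302 from this document plus a one-link HTML body.
SAMPLE_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.0.40 (Red Hat Linux)\r\n"
    "Location: http://tension.mycompany.com:70/images\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    '<A HREF="http://tension.mycompany.com:70/images">images</A>\r\n'
)
```

Calling rewrite_response(SAMPLE_302, "tension.mycompany.com", clearport=70, redirectonly=True) rewrites only the Location: line, while location_mismatch with the wrong clearport returns the unmatched URL you would look for with a sniffer in front of the server.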

Configure

This section presents the information to configure the features that this document describes.

Your server should be configured to redirect users to http://tension.mycompany.com:70. The SCA configuration, accordingly, intercepts the Location: header field value http://tension.mycompany.com:70 and replaces it with https://tension.mycompany.com.

Note: To find additional information on the commands in this document, use the Command Lookup Tool (registered customers only) .

Network Diagram

This document uses this network setup:

[Network diagram: sca_urlrewrite.gif]

Configurations

This document uses these configurations:

SCA
sca# show running-configuration 
#
# Cisco SCA Device Configuration File
#
# Written:      Sun Jun 20 17:56:41 1970 MDT
# Inxcfg:       version 3.2 build 200204302030
# Device Type:  CSS-SCA
# Device Id:    S/N 118140
# Device OS:    MaxOS version 3.2.0 build 200204302029 by reading

### Mode ###

mode one-port

### Interfaces ###

interface network
  auto
end
interface server
  auto
end

### Device ###

ip address 192.168.1.2 netmask 255.255.255.0
hostname sca
timezone "MST7MDT"

### Password ###

password access "2431244C362461476C67654D485269494C4634772E586A374E39472F"
password enable "2431246E6324386D437A6E714B44567174306565386A775566536931"

### SNTP ###

sntp interval 86400

### Static Routes ###

ip route 0.0.0.0 0.0.0.0 192.168.1.1 metric 1

!--- The default route points to the CSS.

### RIP ###

rip

### DNS ###

ip name-server 10.10.10.1
ip domain-name mycompany.com

### Remote Management ###

no remote-management access-list
remote-management enable

### Telnet ###

telnet enable

### Web Management ###

web-mgmt port 80
web-mgmt enable

### SNMP Subsystem ###

no snmp

### SSL Subsystem ###

ssl

!--- This is the certificate definition.

  cert my-cert create
binhex 579
!--- The binhex certificate data is omitted here.
end

!--- This is the web server configuration.

  server webserver create
    ip address 10.48.67.1

!--- This is the server IP address.

    localport 443

!--- This is the localport on which the CSS accepts connection.

    remoteport 81

!--- This is the port to which the SCA connects with the server.
!--- The configuration of the CSS is to intercept connection to this port 
!--- and load balance over the different servers.
!--- This example uses only one server.

    key MyKey
    cert my-cert
    secpolicy default
    session-cache size 20480
    session-cache timeout 300
    session-cache enable
    no transparent
    no clientauth enable
    clientauth verifydepth 1
    clientauth error cert-other-error fail
    clientauth error cert-not-provided fail
    clientauth error cert-has-expired fail
    clientauth error cert-not-yet-valid fail
    clientauth error cert-has-invalid-ca fail
    clientauth error cert-has-signature-failure fail
    clientauth error cert-revoked fail
    certgroup clientauth defaultCA
    no httpheader client-cert
    no httpheader server-cert
    no httpheader session
    no httpheader pre-filter
    httpheader prefix "SSL"
    ephrsa
    urlrewrite tension.mycompany.com clearport 70 redirectonly

!--- This is the urlrewrite command.
!--- This command matches the http://tension.mycompany.com:70 location 
!--- and replaces it with the https://tension.mycompany.com location.
!--- The redirectonly keyword indicates that the only 
!--- rewrite should be in the "Location:" field in the HTTP 30x redirect header.
!--- Without the redirectonly keyword, all references to 
!--- http://tension.mycompany.com:70 in the server answer convert to HTTPS.

  end
end
sca# 

CSS

css# show running-config 
!Generated on 02/04/2003 13:31:17
!Active version: ap0503026s

configure
!*************************** GLOBAL ***************************
  dns primary 144.254.6.77 
  dns suffix cisco.com. 

  ip route 0.0.0.0 0.0.0.0 192.168.1.2 1 
  ip route 0.0.0.0 0.0.0.0 192.168.150.2 1 

!--- These are two default routes.
!--- The transparent design requires these routes.
!--- Refer to the 
!--- Cisco CSS 11000 Secure Content Accelerator Configuration Guide Index
!--- for more information.

  ip route 144.254.0.0 255.255.0.0 10.48.66.1 1 

!************************* INTERFACE *************************
interface e2
  bridge vlan 149 

interface e3
  bridge vlan 161 

!************************** CIRCUIT **************************
circuit VLAN1

  ip address 10.48.66.6 255.255.254.0 

!--- This is the server VLAN.

circuit VLAN149

  ip address 192.168.1.1 255.255.255.0 

!--- This is the SCA VLAN.

circuit VLAN161

  ip address 192.168.150.1 255.255.255.0 

!--- This is the client VLAN.

!************************** SERVICE **************************
service SSL1 
  ip address 192.168.1.2 
  active 

!--- This is the definition of the SCA.

service tension 
  ip address 10.48.66.123 
  protocol tcp 
  port 80 
  active 

!--- This is the definition of the web server.

!*************************** OWNER ***************************
owner MyCompany 

  content SSL 

!--- This is the SSL rule to intercept HTTPS traffic 
!--- and forward it to the SCA.

    protocol tcp 
    vip address 10.48.67.1 
    add service SSL1 
    port 443 
    active 

  content SSL2WWW 

!--- This is decrypted traffic from the SCA to the
!--- HTTP web server.

    vip address 10.48.67.1 
    protocol tcp 
    port 81 
    add service tension 
    active 

  content WWW 

!--- This part of the configuration allows you access 
!--- to the server in nonsecure mode, if desired.

    vip address 10.48.67.1 
    protocol tcp 
    port 80 
    add service tension 
    active 

css#

Verify

This section provides information you can use to confirm your configuration works properly.

The Output Interpreter Tool (registered customers only) provides support for certain show commands. The tool allows you to view an analysis of show command output.

  • show summary—Checks the number of hits on the different rules.

    css# show summary 
    Global Bypass Counters:
       No Rule Bypass Count:     102
       Acl Bypass Count:         0

    Owner            Content Rules    State     Services         Service Hits

    MyCompany          SSL              Active    SSL1             17
                       WWW              Active    tension          11
                       SSL2WWW          Active    tension          19
    css# 
  • show netstat—Determines if the SCA listens on the right port, and if there are any connections.

    sca# show netstat
    Pro State Recv-Q Send-Q Local Address         Remote Address        R-Win S-Win
    ---------------------------------------------------------------------------
    tcp ESTAB      0      0 192.168.1.2:4156      10.48.67.1:81         33304  6432
    tcp ESTAB      0      0 192.168.1.2:443       192.168.2.15:3106     33580 16560
    udp            0      0 *:4099                *:*                       0     0
    udp            0      0 *:4098                *:*                       0     0
    tcp LISTN      0      0 *:2932                *:*                       0     0
    udp            0      0 *:2932                *:*                       0     0
    udp            0      0 *:520                 *:*                       0     0
    udp            0      0 *:514                 *:*                       0     0
    tcp LISTN      0      0 *:443                 *:*                   32768     0
    tcp LISTN      0      0 *:80                  *:*                   32768     0
    tcp LISTN      0      0 *:23                  *:*                       0     0
    sca# 

    Refer to the ESTAB (established) connections. One is a connection with the client (192.168.2.15), and one is a connection with the web server through the CSS (10.48.67.1).

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting this scenario is difficult because all traffic from the client up to the SCA is encrypted.

Troubleshoot Procedure

Follow these instructions to troubleshoot your configuration:

  1. Check for connectivity to the server via HTTP.

    Be sure that the redirect works properly.

  2. Check to be sure that you can access the server via HTTPS through the CSS/SCA.

    Use a page that does not require redirection. If this check fails, issue the show summary command to see whether there is traffic on the CSS.

    • If you do not see any hits on the SSL rule, check the service and content rule status. If necessary, use a sniffer in front of the CSS to determine if traffic comes in.

    • If you see hits on the SSL rule but not on the SSL2WWW rule, issue the show netstat command on the SCA to see whether there is a connection with the client on the SSL port. If there is not, check for possible SSL errors with the show ssl statistics command and the show ssl errors command.

    • If you see hits on the SSL and SSL2WWW rules, but you are still not able to access the server, use a sniffer on the client side to determine whether messages come directly from the web server.

  3. If HTTPS connections work but redirection does not, place a sniffer in front of the server to determine the Location: field value and whether it matches the one in the SCA configuration.

Troubleshoot Commands

  • show ssl errors

    sca# show ssl errors 
    ------------------------------

    For 'sca':
    SSL Negotiation Errors (SNE)                      :        0
    Total SSL Connections Rejected no resources       :        0
    Ssl Accept Errors                                 :        0
    SSL System Write Errors to client                 :        0
    SSL Write Broken Connection Errors to client      :        0
    SSL System Read Errors from client                :        0
    SSL Read Broken Connection Errors from client     :        0
    System Write Errors to remote server              :        0
    Broken Connection Write Errors to remote server   :        0
    System Read Errors from remote server             :        0
    Broken Connection Read Errors from remote server  :        0
    System Call Error Histogram for Client SSL Connections
    System Call Error Histogram for Server Connections
    ------------------------------
  • show ssl statistics

    sca# show ssl statistics 
    ------------------------------

      For 'sca':
      Active Client Connections (AC):                       0
      Active Server Connections:                            0
      Active Sockets (AS):                                  1
      SSL Negotiation Errors (SNE):                         0
      Total Socket Errors (TSE):                            0
      Connection Errors to remote Server (CES):             0
      Total Connection Block Errors (TCBE):                 0
      Total SSL Connections Refused:                        0
      Total SSL Connections Rejected (TSCR):                0
      Total Connections Accepted (TCA):                    41
      Total RSA Operations in Hardware (TROH):             15
      Total SSL Negotiations Succeeded (TSNS):             41
    ------------------------------
