Document ID: 40749
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Background Theory
Configure
Network Diagram
Configurations
Verify
Troubleshoot
Troubleshoot Procedure
Troubleshoot Commands
Related Information
Introduction
This document provides a sample configuration for the Secure Content Accelerator (SCA) urlrewrite feature. The SCA offers a simple way to migrate from traditional web servers that speak plain HTTP to secure content servers that clients reach over HTTP over SSL (HTTPS).
When the SCA is inserted in front of the HTTP server, it terminates the SSL session and performs all the cryptographic work needed to deliver the HTML document encrypted, while the web server itself keeps speaking plain HTTP. The SCA is transparent to both clients and servers.
This document shows how the urlrewrite function replaces links that point to a document via HTTP with links to the same document via HTTPS. A server behind an SSL accelerator does not know that its clients arrived over HTTPS, so the absolute URLs it writes into redirects and pages say http://. Without a rewrite, a user who connected to your server via HTTPS through the SCA follows such a link and silently drops to a nonsecure (HTTP) connection; urlrewrite is the feature that prevents this.
Prerequisites
Requirements
Before you attempt this configuration, ensure that you understand these concepts:
- Content Services Switch (CSS) and SCA basic configuration
- HTTP and HTTPS protocols
Components Used
The information in this document is based on these software and hardware versions:
- Cisco CSS 11000 or CSS 11500 that runs any Cisco WebNS software version
- Cisco SCA or SCA2 that runs 3.2.x or 4.x
The information in this document was created from the devices in a specific lab environment. All of the devices in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
Background Theory
The command syntax is:
- urlrewrite domainName [sslport portid] [clearport portid] [redirectonly]
domainName is the host name that must appear in the plaintext URL. clearport is the TCP port that must appear in that URL (80 if you omit the option, which is what an http:// URL without an explicit port means), and sslport is the port written into the rewritten https:// URL (443 if you omit the option; a port of 443 is left implicit, as the example in this document shows). URLs that point to another host, or to the right host on another port, are not touched. The redirectonly keyword is optional; its effect is described next.
When you configure the urlrewrite command without redirectonly, the SCA inspects the full HTML response and replaces every link to a nonsecure document on that host with a link to the same document via HTTPS. For example, if the HTML document contains <A HREF="http://mycompany.com/images/index.html">images</A>, the SCA replaces it with <A HREF="https://mycompany.com/images/index.html">images</A>.
With the redirectonly option, the SCA inspects only the header instead of the full HTML document and replaces the URL that is present in the Location: field. This example shows a redirect whose Location: field points to a nonsecure page on port 70:
HTTP/1.1 302 Found
Date: Wed, 05 Feb 2003 16:11:58 GMT
Server: Apache/2.0.40 (Red Hat Linux)
Location: http://tension.mycompany.com:70/images
Content-Length: 326
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
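The rewrite rules described above, carried out on concrete input. This is an added example, not SCA code: it models the two modes (redirectonly rewrites only the Location header; without it the absolute http links in the body are rewritten too) on a raw HTTP response held as bytes, so the host and port matching can be seen working. The sample responses are constructed for this example from the 302 shown above; the port semantics (clearport is the port matched in the plaintext URL, sslport the port written into the https URL, 443 left implicit) follow the example configuration in this document. It also does one thing the prose does not mention but a rewriting proxy must: when the body grows, Content-Length has to be recomputed, or the client truncates the page.

```python
"""Emulation of SCA urlrewrite on a raw HTTP response (added example, not SCA code)."""
import re
from urllib.parse import urlsplit, urlunsplit

CRLF = b"\r\n"
# Absolute-URL attribute values in HTML. Relative links are left alone:
# a client that arrived over https stays on https for those anyway.
LINK_ATTR = re.compile(rb'(?i)((?:href|src|action)\s*=\s*["\'])([^"\']+)(["\'])')


def rewrite_url(url, domain, sslport=443, clearport=80):
    """Return the https form of url if it targets domain:clearport, else None.

    Only the configured host and port are rewritten. Links to other hosts
    stay http, so urlrewrite does not cure mixed content on third-party hosts.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return None
    try:
        port = parts.port or 80            # no explicit port means 80
    except ValueError:                     # unparsable port: leave it alone
        return None
    if (parts.hostname or "").lower() != domain.lower() or port != clearport:
        return None
    netloc = domain if sslport == 443 else "%s:%d" % (domain, sslport)
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def header_value(raw, name):
    """Value of the first header called name in a raw response, or None."""
    head = raw.split(CRLF + CRLF, 1)[0]
    for line in head.split(CRLF)[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower().encode():
            return value.strip().decode("latin-1")
    return None


def rewrite_response(raw, domain, sslport=443, clearport=80, redirectonly=False):
    """Apply the urlrewrite rules to one raw response (status + headers + body)."""
    head, sep, body = raw.partition(CRLF + CRLF)
    status, *headers = head.split(CRLF)

    if not redirectonly:
        def sub(m):
            new = rewrite_url(m.group(2).decode("latin-1"), domain, sslport, clearport)
            return m.group(0) if new is None else m.group(1) + new.encode("latin-1") + m.group(3)
        body = LINK_ATTR.sub(sub, body)

    out = []
    for line in headers:
        key, _, value = line.partition(b":")
        key_l = key.strip().lower()
        if key_l == b"location":
            new = rewrite_url(value.strip().decode("latin-1"), domain, sslport, clearport)
            if new is not None:
                line = b"Location: " + new.encode("latin-1")
        elif key_l == b"content-length" and not redirectonly:
            # the body may have grown, so the length header must follow it
            line = b"Content-Length: " + str(len(body)).encode()
        out.append(line)
    return CRLF.join([status] + out) + sep + body


def make_response(status_line, headers, body):
    """Build a raw response with a correct Content-Length (constructed input)."""
    hdrs = list(headers) + [b"Content-Length: " + str(len(body)).encode()]
    return status_line + CRLF + CRLF.join(hdrs) + CRLF + CRLF + body


# Constructed samples: the 302 shown above, and a page carrying three links.
SAMPLE_REDIRECT = make_response(
    b"HTTP/1.1 302 Found",
    [b"Date: Wed, 05 Feb 2003 16:11:58 GMT",
     b"Server: Apache/2.0.40 (Red Hat Linux)",
     b"Location: http://tension.mycompany.com:70/images",
     b"Connection: Keep-Alive",
     b"Content-Type: text/html; charset=iso-8859-1"],
    b"")
SAMPLE_PAGE = make_response(
    b"HTTP/1.1 200 OK",
    [b"Content-Type: text/html"],
    b'<A HREF="http://mycompany.com/images/index.html">images</A>\n'
    b'<a href="http://other.example/x">elsewhere</a>\n'
    b'<a href="/relative/page.html">relative</a>\n')


if __name__ == "__main__":
    # Mirrors: urlrewrite tension.mycompany.com clearport 70 redirectonly
    out = rewrite_response(SAMPLE_REDIRECT, "tension.mycompany.com",
                           clearport=70, redirectonly=True)
    print(header_value(out, "Location"))   # https://tension.mycompany.com/images
    # Same domain without redirectonly: body links are rewritten as well
    out = rewrite_response(SAMPLE_PAGE, "mycompany.com")
    print(out.split(CRLF + CRLF, 1)[1].decode())
```

Running the redirect through the configured values yields https://tension.mycompany.com/images; with clearport left at its default of 80 the same Location is not touched, because the server wrote port 70, which is exactly the mismatch the troubleshooting section tells you to look for with a sniffer in front of the server.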
Configure
This section presents the information to configure the features that this document describes.
In this example the web server is configured to redirect users to http://tension.mycompany.com:70. The SCA, accordingly, is configured to intercept that value in the Location: header field and replace it with https://tension.mycompany.com. Because only the redirect needs to be rewritten, the redirectonly keyword is used.
Note: To find additional information on the commands in this document, use the Command Lookup Tool ( registered customers only) .
Network Diagram
This document uses this network setup. The addressing, taken from the configurations that follow:
- Clients reach the CSS on VLAN161 (192.168.150.0/24, CSS address 192.168.150.1).
- The SCA sits on VLAN149 (192.168.1.0/24): CSS address 192.168.1.1, SCA address 192.168.1.2, connected in one-port mode.
- The web server tension (10.48.66.123) sits on the server VLAN1 (10.48.66.0/23, CSS address 10.48.66.6).
- The CSS owns the VIP 10.48.67.1: port 443 is forwarded to the SCA, port 81 carries the decrypted traffic from the SCA back through the CSS to the web server, and port 80 offers the server in nonsecure mode.
Configurations
This document uses these configurations:
SCA
sca# show running-configuration
#
# Cisco SCA Device Configuration File
#
# Written: Sun Jun 20 17:56:41 1970 MDT
# Inxcfg: version 3.2 build 200204302030
# Device Type: CSS-SCA
# Device Id: S/N 118140
# Device OS: MaxOS version 3.2.0 build 200204302029 by reading
### Mode ###
mode one-port
### Interfaces ###
interface network
auto
end
interface server
auto
end
### Device ###
ip address 192.168.1.2 netmask 255.255.255.0
hostname sca
timezone "MST7MDT"
### Password ###
password access "2431244C362461476C67654D485269494C4634772E586A374E39472F"
password enable "2431246E6324386D437A6E714B44567174306565386A775566536931"
### SNTP ###
sntp interval 86400
### Static Routes ###
ip route 0.0.0.0 0.0.0.0 192.168.1.1 metric 1
!--- The default route points to the CSS.
### RIP ###
rip
### DNS ###
ip name-server 10.10.10.1
ip domain-name mycompany.com
### Remote Management ###
no remote-management access-list
remote-management enable
!--- No access list restricts remote management, and Telnet and
!--- HTTP web management are both enabled below; show netstat later
!--- confirms that they listen on every address. Restrict them with a
!--- remote-management access-list before the SCA leaves the lab.
### Telnet ###
telnet enable
### Web Management ###
web-mgmt port 80
web-mgmt enable
### SNMP Subsystem ###
no snmp
### SSL Subsystem ###
ssl
!--- This is the certificate definition.
cert my-cert create
binhex 579
=3082023f308201c9a003020102020100300d06092a864886f70d010104050030
=8187311a301806035504031311676475666f75722e636973636f2e636f6d310b
=3009060355040613025553310b300906035504081302434f310f300d06035504
=07130644656e766572310f300d060355040a13065441432d6d65310b30090603
=55040b130243413120301e06092a864886f70d0109011611676475666f757240
=636973636f2e636f6d301e170d3033303133303037303030305a170d30343031
=33303037303030305a308187311a301806035504031311676475666f75722e63
=6973636f2e636f6d310b3009060355040613025553310b300906035504081302
=434f310f300d0603550407130644656e766572310f300d060355040a13065441
=432d6d65310b3009060355040b130243413120301e06092a864886f70d010901
=1611676475666f757240636973636f2e636f6d307c300d06092a864886f70d01
=01010500036b003068026100aff358226467ed77f0278750048557de683291af
=47fceb89f40572e7d312623581a1d9f9a3d2087cbaeb2e30c402676a7f8c7a6b
=02dc89e45d40d799d38ac93a20fa054809b2692b24bc3742285396c8b91a66e1
=852aa9a23d6b1da0a95083850203010001300d06092a864886f70d0101040500
=0361006fc579e08b00d5981c7d30f2d6219cb90ac0c203918ae2e961697de7bf
=85e57fbc0db3fa8a73e48bde1127926b780f127abfe7cd13283c8ad4d45f0178
=b8fb2e3aba62622f8127ee1fd840b0738120fc38cf745d72c179331913b1e87b
=f4d3b4
end
!--- This is the web server configuration.
server webserver create
ip address 10.48.67.1
!--- This is the server IP address.
localport 443
!--- This is the local port on which the SCA accepts connections.
remoteport 81
!--- This is the port to which the SCA connects with the server.
!--- The configuration of the CSS is to intercept connection to this port
!--- and load balance over the different servers.
!--- This example uses only one server.
key MyKey
cert my-cert
secpolicy default
session-cache size 20480
session-cache timeout 300
session-cache enable
no transparent
no clientauth enable
clientauth verifydepth 1
clientauth error cert-other-error fail
clientauth error cert-not-provided fail
clientauth error cert-has-expired fail
clientauth error cert-not-yet-valid fail
clientauth error cert-has-invalid-ca fail
clientauth error cert-has-signature-failure fail
clientauth error cert-revoked fail
certgroup clientauth defaultCA
no httpheader client-cert
no httpheader server-cert
no httpheader session
no httpheader pre-filter
httpheader prefix "SSL"
ephrsa
urlrewrite tension.mycompany.com clearport 70 redirectonly
!--- This is the urlrewrite command.
!--- This command matches the http://tension.mycompany.com:70 location
!--- and replaces it with the https://tension.mycompany.com location.
!--- The redirectonly keyword indicates that the only
!--- rewrite should be in the "Location:" field in the HTTP 30x redirect header.
!--- Without the redirectonly keyword, all references to
!--- http://tension.mycompany.com:70 in the server answer convert to HTTPS.
end
end
sca#
CSS
css# show running-config
!Generated on 02/04/2003 13:31:17
!Active version: ap0503026s
configure
!*************************** GLOBAL ***************************
dns primary 144.254.6.77
dns suffix cisco.com.
ip route 0.0.0.0 0.0.0.0 192.168.1.2 1
ip route 0.0.0.0 0.0.0.0 192.168.150.2 1
!--- These are two default routes.
!--- The transparent design requires these routes.
!--- Refer to the
!--- Cisco CSS 11000 Secure Content Accelerator Configuration Guide Index
!--- for more information.
ip route 144.254.0.0 255.255.0.0 10.48.66.1 1
!************************* INTERFACE *************************
interface e2
  bridge vlan 149
interface e3
  bridge vlan 161
!************************** CIRCUIT **************************
circuit VLAN1
  ip address 10.48.66.6 255.255.254.0
!--- This is the servers VLAN.
circuit VLAN149
  ip address 192.168.1.1 255.255.255.0
!--- This is the SCA VLAN.
circuit VLAN161
  ip address 192.168.150.1 255.255.255.0
!--- This is the clients VLAN.
!************************** SERVICE **************************
service SSL1
  ip address 192.168.1.2
  active
!--- This is the definition of the SCA.
service tension
  ip address 10.48.66.123
  protocol tcp
  port 80
  active
!--- This is the definition of the web server.
!*************************** OWNER ***************************
owner MyCompany
  content SSL
!--- This is the SSL rule to intercept HTTPS traffic
!--- and forward it to the SCA.
    protocol tcp
    vip address 10.48.67.1
    add service SSL1
    port 443
    active
  content SSL2WWW
!--- This is decrypted traffic from the SCA to the
!--- HTTP web server.
    vip address 10.48.67.1
    protocol tcp
    port 81
    add service tension
    active
  content WWW
!--- This part of the configuration allows you access
!--- to the server in nonsecure mode, if desired.
    vip address 10.48.67.1
    protocol tcp
    port 80
    add service tension
    active
CSS#
Verify
This section provides information you can use to confirm your configuration works properly.
The Output Interpreter Tool ( registered customers only) provides support for certain show commands. The tool allows you to view an analysis of show command output.
- show summary—Checks the number of hits on the different rules.
css# show summary
Global Bypass Counters:
  No Rule Bypass Count:   102
  Acl Bypass Count:         0
Owner        Content Rules   State    Services   Service Hits
MyCompany    SSL             Active   SSL1       17
             WWW             Active   tension    11
             SSL2WWW         Active   tension    19
css#
- show netstat—Determines whether the SCA listens on the right port and whether there are any connections.
sca# show netstat
Pro  State  Recv-Q  Send-Q  Local Address       Remote Address       R-Win  S-Win
---------------------------------------------------------------------------
tcp  ESTAB  0       0       192.168.1.2:4156    10.48.67.1:81        33304  6432
tcp  ESTAB  0       0       192.168.1.2:443     192.168.2.15:3106    33580  16560
udp         0       0       *:4099              *:*                  0      0
udp         0       0       *:4098              *:*                  0      0
tcp  LISTN  0       0       *:2932              *:*                  0      0
udp         0       0       *:2932              *:*                  0      0
udp         0       0       *:520               *:*                  0      0
udp         0       0       *:514               *:*                  0      0
tcp  LISTN  0       0       *:443               *:*                  32768  0
tcp  LISTN  0       0       *:80                *:*                  32768  0
tcp  LISTN  0       0       *:23                *:*                  0      0
sca#
Refer to the ESTAB (established) connections. One is the SSL connection from the client (192.168.2.15, to the SCA on port 443); the other is the cleartext connection from the SCA to the web server through the CSS (to the VIP 10.48.67.1 on port 81, which the SSL2WWW rule forwards to the server). Note also the listeners on ports 80 and 23: these are the web-management and Telnet services enabled in the SCA configuration, reachable on every address because no remote-management access list is configured.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Troubleshooting this scenario is difficult because all traffic between the client and the SCA is encrypted: a sniffer on the client side shows the SSL records but not the HTTP headers, so the Location: field can only be observed in the clear between the CSS and the server.
Troubleshoot Procedure
Follow these instructions to troubleshoot your configuration:
- Check connectivity to the server via HTTP, and be sure that the redirect works properly.
- Check that you can access the server via HTTPS through the CSS/SCA. Use a page that does not require redirection. If this check fails, issue the show summary command to see whether there is traffic on the CSS.
- If you do not see any hits on the SSL rule, check the service and content rule status. If necessary, use a sniffer in front of the CSS to determine whether traffic comes in.
- If you see hits on the SSL rule but not on the SSL2WWW rule, issue the show netstat command on the SCA to see whether there is a connection with the client on the SSL port. If there is not, check for possible SSL errors with the show ssl statistics and show ssl errors commands.
- If you see hits on the SSL and SSL2WWW rules but you are still not able to access the server, use a sniffer on the client side to determine whether replies reach the client directly from the web server instead of through the CSS/SCA.
- If HTTPS connections work but redirection does not, place a sniffer in front of the server to determine the value of the Location: field and check whether its host and port match the domain and clearport in the SCA urlrewrite configuration.
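A client-side check that follows the procedure above. This is an added example, not a Cisco tool: it requests one path twice, over plain HTTP straight to the web server and over HTTPS through the CSS/SCA VIP, and classifies the Location: header it receives against the urlrewrite settings, so that "the SCA never saw a URL matching domain:clearport" can be told apart from "the SCA saw it and did not rewrite it". The addresses and urlrewrite values are taken from the configuration in this document; the path /images, and the function names, are assumptions for this example. diagnose() works on a captured header value and needs no network, so it can also be fed the Location: value read off a sniffer trace.

```python
"""Redirect-rewrite check from the client side (added example, not a Cisco tool)."""
import http.client
import ssl
from urllib.parse import urlsplit

VIP = "10.48.67.1"                  # CSS content rules SSL (443) and WWW (80)
SERVER = "10.48.66.123"             # service tension, port 80
URLREWRITE_DOMAIN = "tension.mycompany.com"
CLEARPORT = 70                      # urlrewrite tension.mycompany.com clearport 70 redirectonly
PATH = "/images"                    # assumed: a path the server answers with a 302


def diagnose(location, domain, clearport):
    """Classify the Location header value a client received.

    rewritten      https URL: the redirect is secure
    relative       no scheme/host: the browser keeps the scheme it used, so
                   an HTTPS client stays on HTTPS and the SCA has nothing to do
    not-rewritten  http URL matching domain:clearport: the SCA should have
                   rewritten it; check that hits land on the SSL rule (not
                   only on WWW) and that the urlrewrite line is on this server
    no-match       http URL not matching domain:clearport: the urlrewrite
                   line can never fire, correct domain/clearport (a URL
                   without an explicit port means port 80)
    no-redirect    no Location header at all
    """
    if not location:
        return "no-redirect"
    parts = urlsplit(location)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return "rewritten"
    if scheme != "http":
        return "relative"
    try:
        port = parts.port or 80
    except ValueError:
        return "no-match"
    if (parts.hostname or "").lower() == domain.lower() and port == clearport:
        return "not-rewritten"
    return "no-match"


def fetch_location(host, port, path, use_tls, host_header):
    """Send one GET and return (status, Location header value or None)."""
    if use_tls:
        # The lab certificate is self-signed, so verification is disabled
        # here; do not carry this setting into anything but a lab check.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=5)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    probes = (("HTTP direct to the server", SERVER, 80, False),
              ("HTTPS through the CSS/SCA VIP", VIP, 443, True))
    for label, host, port, tls in probes:
        try:
            status, loc = fetch_location(host, port, PATH, tls, URLREWRITE_DOMAIN)
        except OSError as exc:
            print("%s: connection failed: %s" % (label, exc))
            continue
        verdict = diagnose(loc, URLREWRITE_DOMAIN, CLEARPORT)
        print("%s: %d Location=%s -> %s" % (label, status, loc, verdict))
```

Run it from a client that can reach both the server and the VIP. The HTTP probe shows what the server really sends (the sniffer-in-front-of-the-server check, without the sniffer); a no-match verdict there means the urlrewrite line needs a different domain or clearport, while a not-rewritten verdict on the HTTPS probe means the SCA saw a matching URL and still passed it through. An SCA of this generation negotiates SSLv3 or TLS 1.0, which current TLS libraries disable by default, so if the HTTPS probe fails in the handshake rather than returning a verdict, the client's protocol settings are the first thing to check.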
Troubleshoot Commands
- show ssl errors
sca# show ssl errors
------------------------------
For 'sca':
SSL Negotiation Errors (SNE)                       : 0
Total SSL Connections Rejected no resources        : 0
Ssl Accept Errors                                  : 0
SSL System Write Errors to client                  : 0
SSL Write Broken Connection Errors to client       : 0
SSL System Read Errors from client                 : 0
SSL Read Broken Connection Errors from client      : 0
System Write Errors to remote server               : 0
Broken Connection Write Errors to remote server    : 0
System Read Errors from remote server              : 0
Broken Connection Read Errors from remote server   : 0
System Call Error Histogram for Client SSL Connections
System Call Error Histogram for Server Connections
------------------------------
- show ssl statistics
sca# show ssl statistics
------------------------------
For 'sca':
Active Client Connections (AC)               : 0
Active Server Connections                    : 0
Active Sockets (AS)                          : 1
SSL Negotiation Errors (SNE)                 : 0
Total Socket Errors (TSE)                    : 0
Connection Errors to remote Server (CES)     : 0
Total Connection Block Errors (TCBE)         : 0
Total SSL Connections Refused                : 0
Total SSL Connections Rejected (TSCR)        : 0
Total Connections Accepted (TCA)             : 41
Total RSA Operations in Hardware (TROH)      : 15
Total SSL Negotiations Succeeded (TSNS)      : 41
------------------------------
Related Information
- Content Networking Downloads ( registered customers only)
- Content Networking Devices Technical Support
- Technical Support - Cisco Systems
Updated: Jan 31, 2006. Document ID: 40749.
