基于URL重定向

核心配置：

#

interface Vlan-interface2

 ip address 192.168.2.1 255.255.255.0

#

interface Vlan-interface3

 ip address 192.168.3.1 255.255.255.0

#

interface Vlan-interface4

 ip address 192.168.4.1 255.255.255.0

#

interface Vlan-interface5

 ip address 192.168.5.1 255.255.255.0

#

interface GigabitEthernet1/0/1

 port access vlan 2

interface GigabitEthernet1/0/2

 port link-type trunk

 port trunk permit vlan 4 5

interface GigabitEthernet1/0/3

 port access vlan 3

ip route-static 61.159.4.100 32 192.168.4.2   //核心去往虚服务流量上到LB

LB配置：

接口IP地址配置

#

interface GigabitEthernet1/0/0

 port link-mode route

#

interface GigabitEthernet1/0/0.4

 ip address 192.168.4.2 255.255.255.0

 vlan-type dot1q vid 4

#

interface GigabitEthernet1/0/0.5

 ip address 192.168.5.2 255.255.255.0

 vlan-type dot1q vid 5

#

健康性检测配置：

nqa template icmp t2　　　　//这个nqa探测是因为http的探测失败为了测试才创建的

 destination ip 192.168.3.2

nqa template http t1        //nqa http探测模板

 expect status 200

 version v1.1

创建实服务器：
real-server rs1

 ip address 192.168.3.2

 port 80

 probe t2    //调用探测模板

 success-criteria at-least 1

loadbalance snat-pool 1    //配置源地址池

 ip range start 61.159.4.100 end 61.159.4.100

创建实服务器组

server-farm sf1

 predictor hash address source

 snat-pool 1   //调用源地址地址组

 probe t2    //调用探测模板

 success-criteria at-least 1

 real-server rs1 port 80

  success-criteria at-least 1

  probe t2

配置参数模板

parameter-profile pp1 type http

 rebalance per-request

配置负载均衡策略：

loadbalance class lc-http type http match-any   //流量特征

 match 1 url /web

loadbalance action http-https type http        //负载均衡动作

 redirect relocation https://61.159.4.100:8080%p

loadbalance policy lp1 type http             //负载均衡策略

 class lc-http action http-https

创建domain和ssl策略

可以使用设备自带的证书进行ssl解密，先将相关的证书导出，然后导入浏览器，再从浏览器中导出证书。

pki domain ca

 public-key rsa general name ca

 usage ssl-server

 undo crl check enable

ssl server-policy ssl

 pki-domain ca

 ciphersuite dhe_rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha dhe_rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha256 rsa_aes_256_cbc_sha256 dhe_rsa_aes_128_cbc_sha256 dhe_rsa_aes_256_cbc_sha256 ecdhe_rsa_aes_128_cbc_sha256 ecdhe_rsa_aes_256_cbc_sha384 ecdhe_rsa_aes_128_gcm_sha256

 ciphersuite ecdhe_rsa_aes_256_gcm_sha384 ecdhe_ecdsa_aes_128_cbc_sha256 ecdhe_ecdsa_aes_256_cbc_sha384 ecdhe_ecdsa_aes_128_gcm_sha256 ecdhe_ecdsa_aes_256_gcm_sha384 ecc_sm2_sm1_sm3 ecc_sm2_sm4_sm3 ecdhe_sm2_sm1_sm3 ecdhe_sm2_sm4_sm3 rsa_sm1_sha rsa_sm1_sm3

 ciphersuite rsa_sm4_sha rsa_sm4_sm3 rsa_aes_128_gcm_sha256 rsa_aes_256_gcm_sha384 tls_aes_128_gcm_sha256 tls_aes_256_gcm_sha384 tls_chacha20_poly1305_sha256 tls_aes_128_ccm_sha256 tls_aes_128_ccm_8_sha256

 certificate-chain-sending enable

 version ssl3.0 disable

 version tls1.0 disable

 ciphersuite server-preferred enable

配置虚拟服务：

virtual-server vs1 type http

 virtual ip address 61.159.4.100

 parameter http pp1

 lb-policy lp1

 default server-farm sf1

 sticky-sync enable global

 service enable

virtual-server vs2 type http

 port 8080

 virtual ip address 61.159.4.100

 parameter http pp1

 default server-farm sf1

 ssl-server-policy ssl

 sticky-sync enable global

 service enable

配置完成验证相关的配置：

使用http://61.159.4.100访问实现页面的跳转到

https://61.159.4.100:8080/web/frame/login.html

抓包进行分析