04-Layer 3—IP Services Configuration Guide

18-HTTP redirect configuration

Configuring HTTP redirect

About HTTP redirect

HTTP redirect is a method to redirect users' HTTP or HTTPS requests to a specific URL.

It is used in the following features:

·     Redirect URL assignment in 802.1X authentication, MAC authentication, and port security.

·     EAD assistant URL redirection in 802.1X authentication.

·     URL redirection services in portal.

Restrictions: Hardware compatibility with HTTP redirect

The S5130S-EI-G, S5100-D-G, and S5500-D-G switch series do not support HTTP redirect.

HTTP redirect tasks at a glance

No configuration is required to redirect HTTP requests.

To redirect HTTPS requests, perform the following tasks:

1.     Specifying the HTTPS redirect listening port number

2.     (Optional.) Associating an SSL server policy with the HTTPS redirect service

3.     (Optional.) Enabling the endpoint denylist feature for HTTP redirect

Specifying the HTTPS redirect listening port number

About this task

The device can redirect HTTPS requests only after you specify the TCP port number on which the HTTPS redirect service listens for HTTPS requests.

Restrictions and guidelines

To avoid service unavailability caused by port conflict, do not specify a TCP port number used by a well-known protocol or used by any other TCP-based service. To display TCP port numbers that have been used by services, use the display tcp command. For more information about this command, see IP performance optimization commands in Layer 3—IP Services Command Reference.

If you perform this task multiple times, the most recent configuration takes effect.

Procedure

1.     Enter system view.

system-view

2.     Specify the HTTPS redirect listening port number.

http-redirect https-port port-number

By default, the HTTPS redirect listening port number is 6654.

Associating an SSL server policy with the HTTPS redirect service

About this task

An SSL server policy is a set of SSL parameters used by the device when the device acts as the SSL server. You can configure parameters such as supported cipher suites and whether to perform digital certificate-based authentication on SSL clients for the SSL server policy.

You can use one of the following local certificates for HTTPS redirect service according to the security requirements and the configuration complexity:

·     Self-signed certificate—Using this type of certificate is simple in configuration but has low security. You do not need to associate an SSL server policy with the HTTPS redirect service and the default SSL parameters are used. However, a self-signed certificate is not trusted by the browser. When the device redirects HTTPS requests to the specified URL, a certificate security warning prompt might appear on the browser. If you accept the security risks stated in the prompt, you can ignore the prompt to browse the page.

·     CA-signed certificate—Using this type of certificate is complex in configuration but has high security. You must obtain a CA certificate, request a local certificate from the CA, create an SSL server policy, and associate the SSL server policy with the HTTPS redirect service.

For more information about digital certificates, see PKI in Security Configuration Guide. For more information about the SSL server policy configuration, see SSL in Security Configuration Guide.

Restrictions and guidelines

HTTPS redirect is unavailable if the associated SSL server policy does not exist. You can first associate a nonexistent SSL server policy with the HTTPS redirect service and then configure the SSL server policy.

If you change the SSL server policy associated with the HTTPS redirect service, the new policy takes effect immediately.

If you perform this task multiple times, the most recent configuration takes effect.

Procedure

1.     Enter system view.

system-view

2.     Associate an SSL server policy with the HTTPS redirect service.

http-redirect ssl-server-policy policy-name

By default, no SSL server policy is associated with the HTTPS redirect service. The HTTPS redirect service uses the self-signed certificate and the default SSL parameters.

Enabling the endpoint denylist feature for HTTP redirect

About this task

In portal authentication scenarios, the device redirects HTTP/HTTPS requests of users to the portal authentication page. When users frequently initiate HTTP/HTTPS requests and trigger redirection to the authentication page, the device processes many HTTP/HTTPS packets. This causes high CPU usage, which affects normal services. To avoid this issue, you can enable the endpoint denylist feature for HTTP redirect.

This feature enables the device to use the configured denylist parameters to uniquely identify endpoint entries by IP or MAC address and collect statistics on the HTTP redirect packets received from users. When the device detects that the number of HTTP redirect packets sent by a user reaches the threshold for adding an endpoint denylist entry during the statistics period, the device adds the user's IP or MAC address to an endpoint denylist entry.

After a user's IP or MAC address is added to an endpoint denylist entry, the device stops redirecting HTTP packets from that user until the entry expires or the administrator removes the entry.

Restrictions and guidelines

After you enable this feature, if you edit the endpoint denylist parameters again, the device clears the existing endpoint denylist entries and restarts collecting statistics on users' HTTP redirect packets.

Procedure

1.     Enter system view.

system-view

2.     Enable the endpoint denylist feature for HTTP redirect.

http-redirect endpoint-denylist enable [ packet packet-count ] [ period period ] [ aging-time aging-time ] [ ipbase | macbase ]

By default, the endpoint denylist feature is disabled for HTTP redirect.
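The following Python model is an added example, not H3C code and not the device's implementation. It mirrors the packet, period, aging-time, and ipbase | macbase parameters so that you can see how candidate values treat a retrying endpoint and a normal one before you configure them. It assumes times in seconds, a fixed statistics period per endpoint, and that the request that reaches the threshold is still redirected; the class, function, addresses, and parameter values are constructed for illustration.

```python
from dataclasses import dataclass, field
@dataclass
class EndpointDenylist:
    packet_count: int        # threshold of redirect packets per statistics period
    period: float            # statistics period (seconds assumed)
    aging_time: float        # lifetime of a denylist entry (seconds assumed)
    key: str = "ipbase"      # "ipbase" or "macbase", as in the command syntax
    windows: dict = field(default_factory=dict)  # endpoint -> (period start, count)
    denied: dict = field(default_factory=dict)   # endpoint -> expiry time

    def on_packet(self, now, ip, mac):
        """Return True if this request is redirected, False if it is skipped."""
        ep = mac if self.key == "macbase" else ip
        expiry = self.denied.get(ep)
        if expiry is not None:
            if now < expiry:
                return False             # denylisted: no redirect processing
            del self.denied[ep]          # entry aged out
        start, count = self.windows.get(ep, (now, 0))
        if now - start >= self.period:
            start, count = now, 0        # a new statistics period begins
        count += 1
        if count >= self.packet_count:   # assumption: this request is still redirected
            self.denied[ep] = now + self.aging_time
            self.windows.pop(ep, None)
        else:
            self.windows[ep] = (start, count)
        return True

    def reconfigure(self, **params):
        """Editing parameters clears entries and restarts statistics."""
        for name in ("packet_count", "period", "aging_time", "key"):
            setattr(self, name, params.get(name, getattr(self, name)))
        self.windows.clear()
        self.denied.clear()

    def entries(self, now):
        return sorted(ep for ep, exp in self.denied.items() if now < exp)

def simulate():
    # Constructed traffic: one client retries every second for 30 s, another sends three requests.
    dl = EndpointDenylist(packet_count=5, period=10, aging_time=15, key="macbase")
    noisy, quiet = ("10.0.0.5", "00-11-22-33-44-55"), ("10.0.0.6", "00-11-22-33-44-66")
    redirected = {"noisy": 0, "quiet": 0}
    for t in range(30):
        redirected["noisy"] += dl.on_packet(t, *noisy)
        if t in (0, 12, 25):
            redirected["quiet"] += dl.on_packet(t, *quiet)
    return redirected, dl.entries(30)
```

With these constructed values, the retrying endpoint is redirected for 10 of its 30 requests and the normal endpoint for all 3, which shows the trade-off between CPU protection and how long a denylisted user waits before being redirected again.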

Display and maintenance commands for HTTP redirect

Execute display commands in any view and execute reset commands in user view.

 

Task: Display endpoint denylist entries for HTTP redirect.

Command: display http-redirect endpoint-denylist [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address ] [ slot slot-number ]

Task: Delete endpoint denylist entries for HTTP redirect.

Command: reset http-redirect endpoint-denylist [ ip ipv4-address | ipv6 ipv6-address | mac mac-address ]

 

 
