topic ACE:LB several https services using same client(public) IP addre in Application Networking

ACE:LB several https services using same client(public) IP address

ajtm — Wed, 12 Sep 2012 00:06:22 GMT

Works perfectly with http but doesn't with https:

class-map type http loadbalance match-all domain_mysite2

2 match http header Host header-value "www.mysite2.com"

class-map match-any vip_http

2 match virtual-address 192.168.99.100 tcp eq www

class-map match-any vip_https

2 match virtual-address 192.168.99.100 tcp eq https

policy-map type loadbalance first-match L7_policymap

class domain_mysite2

serverfarm sfarm_SFARM2

class class-default

serverfarm sfarm_SFARM1

policy-map multi-match L4_policymap

class vip_http

loadbalance vip inservice

loadbalance policy L7_policymap

loadbalance vip icmp-reply active

class vip_https

loadbalance vip inservice

loadbalance policy L7_policymap

loadbalance vip icmp-reply active

Need urgent help.

ACE:LB several https services using same client(public) IP addre

Kanwaljeet Singh — Wed, 12 Sep 2012 00:20:34 GMT

Hi,

Your requirement is not clear but for ACE to load balance on the basis of host header value, ACE should be able to look at the http header which will not happen in your case if you are not using SSL termination on it which means that it will hit default policy.

Just on the basis of L4, it should work fine.

Regards,

Kanwal

ACE:LB several https services using same client(public) IP addre

ajtm — Wed, 12 Sep 2012 06:40:16 GMT

How can I do it only with L4 if I just have one IP address?

Regards,

Antonio

ACE:LB several https services using same client(public) IP addre

Kanwaljeet Singh — Wed, 12 Sep 2012 06:43:35 GMT

Hi,

You can differentiate on the basis of TCP ports.

class-map match-any vip_http

2 match virtual-address 192.168.99.100 tcp eq www

class-map match-any vip_http

2 match virtual-address 192.168.99.100 tcp eq 443

Regards,

Kanwal

ACE:LB several https services using same client(public) IP addre

ajtm — Wed, 12 Sep 2012 06:50:03 GMT

Hi Kanwal,

Unfortunately it is not possible to use different ports because the clients are not aware - they just type https://www.mysite.com or https://www.mysite2.com and the DNS resolves both URL's to same IP address. Do I have any other option besides SSL termination?

Regards,

Antonio

ACE:LB several https services using same client(public) IP addre

Kanwaljeet Singh — Wed, 12 Sep 2012 06:59:27 GMT

Hi Antonio,

For ACE to take decision on the basis of host header value, it needs to decrypt the traffic, so there is no other way.

Second workaround would be to make a change in DNS zone file and resolve mysite2.com to some other IP address which is a VIP on ace but using SSL termination is a better option since you will offload SSL to ACE which is cpu intensive and ACE can take decision on the basis of L7 information since now it can look into the HTTP header.

Regards,

Kanwal

ACE:LB several https services using same client(public) IP addre

ajtm — Wed, 12 Sep 2012 07:13:57 GMT

Hi Kanwal,

The clients are on the internet and I just have an ASA Firewall in the midle, so I think it's not possible to use the "DNS trick".

Regarding the SSL offload option, how can I do it? I'm aware that I need to upload the certificate and key to the ACE and that I need to create the SSL proxy service and add these two files to it. But I have some doubts regarding the class and policy configuration since I want to preserve the remaining configuration.

Regards,

Antonio

ACE:LB several https services using same client(public) IP addre

Kanwaljeet Singh — Wed, 12 Sep 2012 08:03:29 GMT

Hi,

You just need to add SSL proxy in policy multi-match under class vip_https.

Regards,

Kanwal

ACE:LB several https services using same client(public) IP addre

Kanwaljeet Singh — Wed, 12 Sep 2012 08:10:24 GMT

Hi Antonio,

Have a look at this below as well for details.

Example of an SSL Termination Configuration

The following example illustrates a running configuration of the ACE acting as an SSL proxy server; terminating SSL or TLS connections from a client and then establishing a TCP connection to an HTTP server. When the ACE terminates the SSL or TLS connection, it decrypts the cipher text from the client and transmits the data as clear text to the HTTP server. The SSL termination-specific configuration elements appear in bold in the example.

access-list ACL1 line 10 extended permit ip any any

probe https GEN-HTTPS

port 80

interval 50

faildetect 5

expect status 200 200

rserver SERVER1

ip address 172.27.16.11

inservice

rserver SERVER2

ip address 172.27.16.12

inservice

rserver SERVER3

ip address 172.27.16.13

inservice

rserver SERVER4

ip address 172.27.16.14

inservice

serverfarm host SFARM1

description SERVER FARM 1 FOR SSL TERMINATION

probe GEN-HTTPS

rserver SERVER1 80

inservice

rserver SERVER2 80

inservice

serverfarm host SFARM2

description SERVER FARM 2 FOR SSL TERMINATION

probe GEN-HTTPS

rserver SERVER3 80

inservice

rserver SERVER4 80

inservice

parameter-map type ssl PARAMMAP_SSL_TERMINATION

cipher RSA_WITH_3DES_EDE_CBC_SHA

cipher RSA_WITH_AES_128_CBC_SHA priority 2

cipher RSA_WITH_AES_256_CBC_SHA priority 3

version all

parameter-map type connection TCP_PARAM

syn-data drop

exceed-mss allow

ssl-proxy service SSL_PSERVICE_SERVER

ssl advanced-options PARAMMAP_SSL_TERMINATION

key MYKEY.PEM

cert MYCERT.PEM

class-map type http loadbalance match-all L7_SERVER_CLASS

description Sticky for SSL Testing

2 match http url .*.jpg

3 match source-address 192.168.130.0 255.255.255.0

class-map type http loadbalance match-all L7_SLB-HTTP_CLASS

2 match http url .*

3 match source-address 192.168.130.0 255.255.255.0

class-map match-all L4_SSL-TERM_CLASS

description SSL Termination VIP

2 match virtual-address 192.168.130.11 tcp eq https

policy-map type loadbalance first-match L7_SSL-TERM_POLICY

class L7_SERVER_CLASS

serverfarm SFARM1

insert-http I_AM header-value "SSL_TERM"

insert-http SRC_Port header-value "%ps"

insert-http DEST_IP header-value "%id"

insert-http DEST_Port header-value "%pd"

insert-http SRC_IP header-value "%is"

class L7_SLB-HTTP_CLASS

serverfarm SFARM1

insert-http I_AM header-value "SSL_TERM"

insert-http SRC_Port header-value "%ps"

insert-http DEST_IP header-value "%id"

insert-http DEST_Port header-value "%pd"

insert-http SRC_IP header-value "%is"

policy-map multi-match L4_SSL-VIP_POLICY

class L4_SSL-TERM_CLASS

loadbalance vip inservice

loadbalance policy L7_SSL-TERM_POLICY

loadbalance vip icmp-reply

ssl-proxy server SSL_PSERVICE_SERVER

connection advanced-options TCP_PARAM

interface vlan 120

description Upstream VLAN_120 - Clients and VIPs

ip address 192.168.120.1 255.255.255.0

fragment chain 20

fragment min-mtu 68

access-group input ACL1

nat-pool 1 192.168.120.70 192.168.120.80 netmask 255.255.255.0 pat

service-policy input L4_SSL-VIP_POLICY

no shutdown

ip route 10.1.0.0 255.255.255.0 192.168.120.254

Regards,

Kanwal

ACE:LB several https services using same client(public) IP addre

Cesar Roque — Wed, 12 Sep 2012 20:26:00 GMT

Hi Antonio,

You also will need a SNA certificate to make it work

ACE:LB several https services using same client(public) IP addre

ajtm — Fri, 14 Sep 2012 08:39:48 GMT

Hi Kanwal,

In your configuration all the https traffic is terminated in ACE. Is it possible to terminate only this particulary traffic ( I think not)?

Regards,

Antonio

ACE:LB several https services using same client(public) IP addre

Surya ARBY — Mon, 17 Sep 2012 21:09:09 GMT

If all your sites are under the same domain; the most simple solution is to use a cross domain certificate (*.domain.com)

otherwise you can use a multi domain certificate (using SAN field : Subject Alternative Name)

SNI (server name indication) is the cleanest way to do it but it's not supported by all browsers / load balancers.