cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
1719
Views
0
Helpful
7
Replies

ACE 4710 - SSL config questions

dclee
Level 1
Level 1

Currently migrating over from  our CSS to the new ACE and I have a few questions re: SSL certs and VIPS

All of our inbound SSL connections terminate on the CSS and redirect a backend HTTP request to an internal server.

Right now we URL match on the incoming header to determine which server to send it to and we have 2 flavours of inbound headers.

one is an english URL test.english.ca

one is a french URL  test.french.ca

I have wildcard SSL certs *.english.ca and *.french.ca and because of this on the CSS I end up having to use 2 VIPS..one for english and one for french as I cant specify 2 certs for one VIP.

Is there anyway around this on the ace ?

Any help would be appreciated.

Cheers


Dave                  

7 Replies 7

cpomeroy
Level 1
Level 1

I think this is what you are asking for.  It will terminate ssl, translate to port 80, send url test.english.ca to one serverfarm and test.french.ca to another serverfarm.

class-map type http loadbalance match-all url1

match http url /test.french.ca/.*

class-map type http loadbalance match-all url2

match http url /test.english.ca/.*

class-map match-all EXAMPLE_L4

  2 match virtual-address 17.170.239.252 tcp eq https

serverfarm host Serverfarm1

  rserver Server1 80

   inservice

  rserver Server2 80

   inservice

serverfarm host Serverfarm1

  rserver Server3 80

   inservice

  rserver Server4 80

   inservice

ssl-proxy service SSLWILDCARDCERT

  key key.key

  cert cert.cert

policy-map type loadbalance first-match EXAMPLE_L7

  class url1

    sticky-serverfarm Serverfarm1

  class url2

    sticky-serverfarm Serverfarm2

policy-map multi-match VIPS

  class EXAMPLE_L4

    loadbalance vip inservice

    loadbalance policy EXAMPLE_L7

    loadbalance vip icmp-reply active    

    ssl-proxy server SSLWILDCARDCERT

I guess he wants to look to the pattern in the Host field of the http header embedded in HTTPS; not into the URL.

Cesar Roque
Level 4
Level 4

Hi Dave,

If I understand your question correctly the answer is no.  You can't have two certificates associated to the same VIP address.

The SSL handshake goes first and once the traffic is decrypted the ACE can look at the HTTP headers, at that moment you can use a L7 match to choose where to send the request depending on the URI, Host header, etc.

-------------------------

Cesar R

--------------------- Cesar R ANS Team

Hello.

Is there any plan to support SNI in the roadmap to overcome this limitation ?

ajayku2
Cisco Employee
Cisco Employee

Hi Dave,   From the description it appears that you are trying to bind mutiple certs with one vip.   On Ace you can't specify 2 certs for one VIP. You can use different combination of port for the same VIP which will work for you. In real world situation this may not feasible.   The point is how ACE will decide what cert to give to Client. As ACE does not know which website the user is requesting.   Remember SSL handshake happens first and then HTTP request comes into picture. So there is no way for ACE to decide what certificate to give to client. Thats the reason it is always recommended to use two VIP.   In your case since you are using two different wildcard certs. You have to go with two VIP's again or same VIP with different port combinations.  regards, Ajay Kumar

Thanks everyone for the answers...The CSS has the same limitation and I was hoping that had changed with the ACE

Was trying to pull back a couple of pub IP's....

Thanks again.

Cheers


Dave

http://en.wikipedia.org/wiki/Server_Name_Indication#How_SNI_fixes_the_problem           

In all cases the browser has to support SNI.

For generic cases : use a wildcard mask if all the sites are hosted under the same domain, or multiple VIPs or ports to host different virtual servers.

Review Cisco Networking for a $25 gift card