Currently migrating over from our CSS to the new ACE and I have a few questions re: SSL certs and VIPS
All of our inbound SSL connections terminate on the CSS and redirect a backend HTTP request to an internal server.
Right now we URL match on the incoming header to determine which server to send it to and we have 2 flavours of inbound headers.
one is an english URL test.english.ca
one is a french URL test.french.ca
I have wildcard SSL certs *.english.ca and *.french.ca and because of this on the CSS I end up having to use 2 VIPS..one for english and one for french as I cant specify 2 certs for one VIP.
Is there anyway around this on the ace ?
Any help would be appreciated.
I think this is what you are asking for. It will terminate ssl, translate to port 80, send url test.english.ca to one serverfarm and test.french.ca to another serverfarm.
class-map type http loadbalance match-all url1
match http url /test.french.ca/.*
class-map type http loadbalance match-all url2
match http url /test.english.ca/.*
class-map match-all EXAMPLE_L4
2 match virtual-address 18.104.22.168 tcp eq https
serverfarm host Serverfarm1
rserver Server1 80
rserver Server2 80
serverfarm host Serverfarm1
rserver Server3 80
rserver Server4 80
ssl-proxy service SSLWILDCARDCERT
policy-map type loadbalance first-match EXAMPLE_L7
policy-map multi-match VIPS
loadbalance vip inservice
loadbalance policy EXAMPLE_L7
loadbalance vip icmp-reply active
ssl-proxy server SSLWILDCARDCERT
If I understand your question correctly the answer is no. You can't have two certificates associated to the same VIP address.
The SSL handshake goes first and once the traffic is decrypted the ACE can look at the HTTP headers, at that moment you can use a L7 match to choose where to send the request depending on the URI, Host header, etc.
Hi Dave, From the description it appears that you are trying to bind mutiple certs with one vip. On Ace you can't specify 2 certs for one VIP. You can use different combination of port for the same VIP which will work for you. In real world situation this may not feasible. The point is how ACE will decide what cert to give to Client. As ACE does not know which website the user is requesting. Remember SSL handshake happens first and then HTTP request comes into picture. So there is no way for ACE to decide what certificate to give to client. Thats the reason it is always recommended to use two VIP. In your case since you are using two different wildcard certs. You have to go with two VIP's again or same VIP with different port combinations. regards, Ajay Kumar
Thanks everyone for the answers...The CSS has the same limitation and I was hoping that had changed with the ACE
Was trying to pull back a couple of pub IP's....
In all cases the browser has to support SNI.
For generic cases : use a wildcard mask if all the sites are hosted under the same domain, or multiple VIPs or ports to host different virtual servers.