05-29-2012 06:36 AM
Currently migrating over from our CSS to the new ACE and I have a few questions re: SSL certs and VIPs.
All of our inbound SSL connections terminate on the CSS and redirect a backend HTTP request to an internal server.
Right now we URL match on the incoming header to determine which server to send it to, and we have 2 flavours of inbound headers:
one is an English URL, test.english.ca
one is a French URL, test.french.ca
I have wildcard SSL certs *.english.ca and *.french.ca, and because of this on the CSS I end up having to use 2 VIPs, one for English and one for French, as I can't specify 2 certs for one VIP.
Is there any way around this on the ACE?
Any help would be appreciated.
Cheers
Dave
05-29-2012 11:16 AM
I think this is what you are asking for. It will terminate SSL, translate to port 80, send URL test.english.ca to one serverfarm and test.french.ca to another serverfarm.
class-map type http loadbalance match-all url1
  match http url /test.french.ca/.*
class-map type http loadbalance match-all url2
  match http url /test.english.ca/.*
class-map match-all EXAMPLE_L4
  2 match virtual-address 17.170.239.252 tcp eq https
serverfarm host Serverfarm1
  rserver Server1 80
    inservice
  rserver Server2 80
    inservice
serverfarm host Serverfarm2
  rserver Server3 80
    inservice
  rserver Server4 80
    inservice
ssl-proxy service SSLWILDCARDCERT
  key key.key
  cert cert.cert
policy-map type loadbalance first-match EXAMPLE_L7
  class url1
    serverfarm Serverfarm1
  class url2
    serverfarm Serverfarm2
policy-map multi-match VIPS
  class EXAMPLE_L4
    loadbalance vip inservice
    loadbalance policy EXAMPLE_L7
    loadbalance vip icmp-reply active
    ssl-proxy server SSLWILDCARDCERT
05-29-2012 03:24 PM
I guess he wants to look at the pattern in the Host field of the HTTP header embedded in HTTPS, not in the URL.
05-29-2012 04:08 PM
Hi Dave,
If I understand your question correctly, the answer is no. You can't have two certificates associated with the same VIP address.
The SSL handshake goes first, and once the traffic is decrypted the ACE can look at the HTTP headers; at that moment you can use an L7 match to choose where to send the request depending on the URI, Host header, etc.
-------------------------
Cesar R
05-29-2012 10:33 PM
Hello.
Is there any plan to support SNI on the roadmap to overcome this limitation?
05-30-2012 02:59 AM
Hi Dave,
From the description it appears that you are trying to bind multiple certs to one VIP. On ACE you can't specify 2 certs for one VIP. You can use a different combination of ports for the same VIP, which will work for you. In a real-world situation this may not be feasible.
The point is how ACE will decide what cert to give to the client, as ACE does not know which website the user is requesting. Remember the SSL handshake happens first and then the HTTP request comes into the picture. So there is no way for ACE to decide what certificate to give to the client. That's the reason it is always recommended to use two VIPs.
In your case, since you are using two different wildcard certs, you have to go with two VIPs again, or the same VIP with different port combinations.
regards,
Ajay Kumar
05-30-2012 05:12 AM
Thanks everyone for the answers. The CSS has the same limitation and I was hoping that had changed with the ACE.
Was trying to pull back a couple of public IPs.
Thanks again.
Cheers
Dave
05-30-2012 05:16 AM
http://en.wikipedia.org/wiki/Server_Name_Indication#How_SNI_fixes_the_problem
In all cases the browser has to support SNI.
For generic cases: use a wildcard mask if all the sites are hosted under the same domain, or multiple VIPs or ports to host different virtual servers.
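Cesar's and Ajay's replies above, and the SNI link in the last post, all turn on the same fact: the certificate must be chosen during the handshake, before any HTTP Host header exists, and SNI is what moves the hostname into the client's first message. The Python below is an added example, not code from the thread or from Cisco. It builds a minimal TLS ClientHello with and without the server_name extension, parses the hostname back out the way an SNI-capable terminator would, and maps it to a wildcard certificate by domain suffix. The ClientHello bytes, the certificate labels ("wildcard-english", "wildcard-french") and the suffix table are constructed for illustration; a client that sends no SNI falls through to the default certificate, which is the situation that forced the two-VIP design in the thread.

```python
"""Build and parse a TLS ClientHello to show where SNI lives (constructed example)."""
import struct

TLS_HANDSHAKE = 0x16     # record content type: handshake
CLIENT_HELLO = 0x01      # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000 # extension type: server_name (SNI)


def build_client_hello(server_name=None):
    """Return a TLS 1.2-style ClientHello record.

    With server_name set, an SNI extension is included (SNI-capable browser);
    with None, no extensions block is sent at all (legacy client)."""
    client_random = bytes(32)            # zeros here; a real client sends 32 random bytes
    session_id = b""
    cipher_suites = b"\xc0\x2f\xc0\x30"  # two ECDHE-RSA AES-GCM suites, arbitrary choice
    compression = b"\x00"                # null compression only

    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # NameType host_name (0)
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list

    body = (
        b"\x03\x03"                                         # client_version TLS 1.2
        + client_random
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions

    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None if absent.

    This is all an SNI-aware terminator has when it picks a certificate: the first
    message of the handshake, long before any HTTP Host header is decrypted.
    Raises ValueError on input that is not a well-formed ClientHello record."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                           # client_version + random
    sid_len = body[pos]; pos += 1 + sid_len                # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    if pos >= len(body):
        return None                                        # no extensions block: no SNI
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("truncated extensions")

    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + ext_size]; pos += ext_size
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        lp = 2
        while lp + 3 <= 2 + list_len:                      # walk the ServerNameList
            name_type = data[lp]
            name_len = struct.unpack("!H", data[lp + 1:lp + 3])[0]
            name = data[lp + 3:lp + 3 + name_len]
            lp += 3 + name_len
            if name_type == 0:                             # host_name
                return name.decode("ascii")
    return None


def pick_certificate(record, cert_by_suffix, default=None):
    """Choose a wildcard certificate from the SNI host by domain suffix.

    cert_by_suffix maps e.g. "english.ca" -> "wildcard-english" (hypothetical
    labels). Without SNI the server can only answer with `default`, which is the
    limitation the thread describes."""
    host = extract_sni(record)
    if host is None:
        return default
    for suffix, cert in cert_by_suffix.items():
        if host == suffix or host.endswith("." + suffix):
            return cert
    return default


if __name__ == "__main__":
    certs = {"english.ca": "wildcard-english", "french.ca": "wildcard-french"}
    for name in ("test.english.ca", "test.french.ca", None):
        hello = build_client_hello(name)
        print(name, "->", extract_sni(hello), "->", pick_certificate(hello, certs, "wildcard-english"))
```

Run it as a script to see the three cases side by side: both SNI-bearing hellos select the matching wildcard certificate off a single listener, while the hello with no SNI can only ever get the default, which is why a non-SNI client needs its own VIP (or port) per certificate.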