ACE 4710 - SSL Termination with multiple certs.
01-03-2011 11:11 AM
Hi!
I have a site that I'm load balancing using an ACE 4710. The FQDN of this site is mysite.mydomain.net.
My users only connect via SSL. However, while most use the FQDN of https://mysite.mydomain.net/, some insist on using https://mysite/. Both of these names point to the same VIP of 10.10.10.100.
I have two SSL proxies for termination set up in my ACE context. One has a cert associated with it for the FQDN, while the other has a cert for the "mysite" name.
My problem is that you define the SSL proxy SERVER in the multi-match class rules. However, I don't think that using a layer-7 class map is possible here, so I can't match on header just for the hostname. How can I define a different SSL proxy SERVER so that connections to https://mysite/ are terminated with the correct cert, while connections to https://mysite.mydomain.net/ are terminated on a different server with the correct cert?
Thanks for the help.
Labels: Application Networking
01-03-2011 11:45 AM
The feature you want is SNI (server name indication) but it's not implemented yet and some browser limitations make this feature unusable in production currently.
Workarounds:
1 - Use a Subject Alternative Name certificate with both names
2 - Use a CNAME record in the DNS infrastructure, it may work (to be tested)
3 - make a single SSL Vserver, match the Host field in the HTTP headers and then send a redirection to the right name.
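Two checks behind workarounds 1 and 3, as an added example that is not part of the original thread and not Cisco ACE code: first, whether a single certificate's Subject Alternative Name list covers every name clients actually type (the FQDN and the bare short name from the question), using RFC 6125 style matching with one leftmost wildcard label; second, what redirect a single SSL listener should return when the decrypted Host header carries the short name. The hostnames are the ones from the thread; the SAN lists and request values are constructed.

```python
"""
Constructed example: does one cert cover all client-facing names (workaround 1),
and what Location header a Host-based redirect should send (workaround 3).
Pure standard library; no network access.
"""

CANONICAL_HOST = "mysite.mydomain.net"   # the FQDN from the thread


def name_matches(san_entry: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one dNSName SAN entry against a hostname.

    - case-insensitive, trailing dots ignored
    - a single '*' is allowed only as the whole leftmost label and matches
      exactly one label, so '*.mydomain.net' covers 'mysite.mydomain.net'
      but not 'mysite' or 'a.b.mydomain.net'
    - wildcards are rejected when fewer than two labels follow them
      (browsers refuse '*.net'), mirroring public CA and browser policy
    """
    pattern = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                       # wildcard only in the leftmost label
    if len(p_labels) < 3:
        return False                       # '*.net' is not an acceptable pattern
    if len(p_labels) != len(h_labels):
        return False                       # '*' matches exactly one label
    return p_labels[1:] == h_labels[1:]


def uncovered_names(san_dns_names, client_names):
    """Return the client-facing names that none of the SAN entries cover.

    Empty result means one certificate can terminate every name on the VIP,
    which is what workaround 1 (a SAN cert with both names) requires.
    """
    return [n for n in client_names
            if not any(name_matches(s, n) for s in san_dns_names)]


def redirect_location(host_header: str, path: str,
                      canonical: str = CANONICAL_HOST):
    """Workaround 3: one listener, redirect non-canonical Host values.

    Returns the Location value to send with a 301, or None when the request
    already used the canonical FQDN. The optional ':port' suffix and case
    differences in the Host header are ignored, as a real listener should.
    """
    host = host_header.split(":", 1)[0].strip().lower()
    if host == canonical.lower():
        return None
    return f"https://{canonical}{path}"


if __name__ == "__main__":
    client_names = [CANONICAL_HOST, "mysite"]          # what users actually type
    fqdn_only = [CANONICAL_HOST]                         # the cert from the question
    san_cert = [CANONICAL_HOST, "mysite"]                # workaround 1 cert
    print("FQDN-only cert leaves uncovered:", uncovered_names(fqdn_only, client_names))
    print("SAN cert leaves uncovered:", uncovered_names(san_cert, client_names))
    print("Redirect for Host: mysite ->", redirect_location("mysite", "/app/login"))
```

Two practical points follow from running this. A certificate issued only for the FQDN leaves the short name uncovered, and a wildcard for the domain does not help either, because `mysite` has no domain suffix to match; the SAN list must literally contain `mysite`, and since public CAs no longer issue certificates for internal single-label names, such a certificate has to come from an internal CA that the users' browsers trust. For workaround 3, the redirect is computed only after the TLS handshake has completed, so the single listener's certificate must still be acceptable for `https://mysite/` or users see a name-mismatch warning before the redirect ever reaches them.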
