09-04-2006 07:16 AM
I have my ACE up and running with SLB for HTTP, terminating SSL and inspection for the traffic flowing through the ACE.
One thing I haven't figured out yet is how to let the ACE distinguish between inspecting only the VIP traffic versus inspecting the whole traffic flowing through the routed VLAN.
My service-policy is currently bound on the xfer net VLAN which also services the VIP.
I made a "match url" rule with action reset for the regex "admin". If I try to access the link "slb.foo.local/admin" via the VIP it works, but unfortunately it also works if I access the real servers in the VLAN behind the ACE directly.
A: Any idea how to solve that with best practice?
B: I haven't found a way to create a self-signed certificate so far. Is it not implemented or did I just miss it?
C: Is an ACL mandatory to get traffic flowing via the VIP to the real servers? I have the feeling that without an ACL permitting the traffic explicitly there won't be a flow at all.
D: The commands "loadbalance vip icmp-reply active" and "loadbalance vip advertise active" for RHI are now two times in my config. Do I only need them once in my policy or does it make sense to keep them per HTTP and HTTPS class?
The corresponding config:
class-map match-all HTTP-INSPECT-L4CLASS
  description HTTP protcol deep packet inspection
  2 match port tcp eq www
class-map type http inspect match-any HTTP-INSPECT-L7CLASS
  description HTTP - Deep packet Inspection - Definition
  2 match content length range 0 256
  3 match url [/]admin
  4 match url .asp
class-map match-all L4-VIP-CLASS
  2 match virtual-address 10.10.10.85 tcp eq www
class-map match-all L4-VIP-CLASS-SSL
  2 match virtual-address 10.10.10.85 tcp eq https
class-map type http loadbalance match-any L7-SLB-CLASS-1
  3 match http header Host header-value "10.10.10.85*"
  4 match http header Host header-value "slb.foo.local*"
class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol icmp any
policy-map type management first-match REMOTE_MGM_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match L7-SLB-Policy
  class L7-SLB-CLASS-1
    serverfarm LB-Testfarm
policy-map type inspect http all-match HTTP-INSPECT-L7POLICY
  class HTTP-INSPECT-L7CLASS
    reset
policy-map multi-match L4-SLB-POLICY
  class L4-VIP-CLASS
    loadbalance vip inservice
    loadbalance policy L7-SLB-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
  class L4-VIP-CLASS-SSL
    loadbalance vip inservice
    loadbalance policy L7-SLB-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    ssl-proxy server SSL-PSERVICE-Server
  class HTTP-INSPECT-L4CLASS
    inspect http policy HTTP-INSPECT-L7POLICY
interface vlan 444
  description XFER-ACE
  ip address 10.10.10.83 255.255.255.240
  access-group input All
  access-group output All
  service-policy input L4-SLB-POLICY
  service-policy input REMOTE_MGM_ALLOW_POLICY
  no shutdown
interface vlan 555
  description ACE-Server
  ip address 10.10.10.97 255.255.255.240
  access-group input All
  access-group output All
  no shutdown
-----
Thanks for reading...
Roble
09-05-2006 01:19 AM
Roble,
A/ your config works for me. It does prevent direct access to the servers for /admin.
Could you get a 'sho service-policy L4-SLB-POLICY detail' before and after trying to access the servers.
Check which pkt counters increase to see if there is a match or not on the right class.
B/ As far as I know, there is no option to sign your certificates from the ACE. You'll have to create keys and certificates on a separate device using openssl and then import them into the ACE module.
C/ the ACL is mandatory
D/ If you use a different serverfarm for http than for https, and the http servers go down, you may still want the box to advertise the vip.
If not, then having the advertise command only under http or https is ok.
Gilles.
09-05-2006 05:39 AM
Thanks for the quick answer regarding B, C and D, which verified my observations.
Regarding A:
+ There is a match when hitting the VIP
+ There is a match when hitting/accessing the servers.
How to make the rule match ONLY on the vip? :)
Roble
09-05-2006 05:59 AM
they both match on the same class ??
Which one ?
could you post the info ?
What version do you run ?
Thanks,
Gilles.
09-05-2006 07:25 AM
Yup, both hits match on the Inspect class.
But have a look at the show policy you requested.
I found out something interesting as well. If the rserver port != 80 then there is no match for the inspect rule in case of a direct access.
I made 3 rservers for ports 80, 8080 and 50000. Only port 80 on the "backend" gets the inspect rule hit; the rest passes it.
And after thinking about it while writing this post I found the solution myself. Now I know how to fix it. Have a look... :)
class-map match-all HTTP-INSPECT-L4CLASS
  description HTTP protcol deep packet inspection
  2 match port tcp eq www
  3 match destination-address 10.10.10.85 255.255.255.255 <- the magic line
EDIT: Thanks for the fast response as always!
Current hurdle is the stickiness, then I guess I'm through with this nasty little machine. :)
09-06-2006 03:54 AM
but that is the vip address.
You should never have a match on this class since it is the same as your vip.
Do you see any hit ?
Are you able to access the real [any non admin url] ?
If you have a solution, that's fine.
I just do not see how this line will allow you to inspect traffic going directly to the real server as I thought you were trying to do.
If you still have an issue, could you send me your complete config.
Thanks,
Gilles.
09-06-2006 06:55 AM
Hi Gilles!
It is the other way around. I want to inspect ONLY the traffic going to the VIP. If the application administrators access the real servers through the VLAN and not the VIP, I want it to pass without inspection. So that is why it is working exactly like I need it now.
I thought I made that clear in my first posting. Before the change the rule matched any port 80 http traffic, so boxes being accessed directly were also included in this rule. Since I have narrowed it to the VIP and HTTP (80) it is working as intended.
Roble
09-06-2006 11:24 PM
ok - makes sense now.
Not sure why I thought this was the other way around.
Gilles.
09-11-2006 08:11 AM
Gilles hope you still read this thread :)
In another post you mentioned that the ACE features URL rewriting. I am desperately looking for this feature but can't find it anywhere in the docs.
Since I am terminating ssl on the front and speaking plain http on the back end, I have some problems with the portal application and links to non-secure documents.
I don't think I can make the appl. admins fix the problem or make the company for the portal rewrite the code. (3 letters NOT starting with an I)
From the SCA docs I found the following description which matches my problem.
[quote]
When you have configured the urlrewrite command, the SCA can inspect the full HTML answer to replace all links to a nonsecure document with a link to the same document via HTTPS
[/quote]
EDIT:
Another thing...
I currently redirect all my http traffic to a certain https url with a redirect rserver. Works fine.
I am still thinking about how to solve the same problem with ssl/https portion of my vip.
vip:443 -> redirect to vip:443/url/foo/bar/
I tried something like...
vip:443 -> redirect to vip:444/url/foo/bar/
But somehow that didn't work out. Do you have a valid "conceptual" approach to this issue?
Roble
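An added configuration fragment, not taken from this thread, showing how the ACE SSL URL rewrite feature is configured on the thread's existing L7 policy: an action-list of type modify http with `ssl url rewrite location`, attached to the L7 class with `action`. The hostname slb.foo.local and the default clear/ssl ports (80/443) are assumed, as is a module software release that supports the command.

```cisco
! Added example (not the poster's config): rewrite http:// redirects from the
! real servers to https:// for the VIP hostname, so clients that were sent to
! the non-secure URL are kept on the SSL-terminated VIP.
action-list type modify http SSL-URL-REWRITE
  ! Regex matched against the host in the Location header of a redirect;
  ! clearport/sslport default to 80 and 443 when not given.
  ssl url rewrite location slb\.foo\.local

policy-map type loadbalance first-match L7-SLB-Policy
  class L7-SLB-CLASS-1
    serverfarm LB-Testfarm
    ! Attach the rewrite here so only load-balanced VIP traffic is touched,
    ! consistent with the VIP-only scoping settled earlier in the thread.
    action SSL-URL-REWRITE
```

Unlike the SCA urlrewrite quoted above, the ACE rewrite only changes the Location header of HTTP redirect responses (the 3xx the server returns), not links embedded in HTML bodies, so in-page links to non-secure documents still need to be handled by the application.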