09-11-2012 05:06 PM
Works perfectly with http but doesn't with https:
class-map type http loadbalance match-all domain_mysite2
  2 match http header Host header-value "www.mysite2.com"
class-map match-any vip_http
  2 match virtual-address 192.168.99.100 tcp eq www
class-map match-any vip_https
  2 match virtual-address 192.168.99.100 tcp eq https
policy-map type loadbalance first-match L7_policymap
  class domain_mysite2
    serverfarm sfarm_SFARM2
  class class-default
    serverfarm sfarm_SFARM1
policy-map multi-match L4_policymap
  class vip_http
    loadbalance vip inservice
    loadbalance policy L7_policymap
    loadbalance vip icmp-reply active
  class vip_https
    loadbalance vip inservice
    loadbalance policy L7_policymap
    loadbalance vip icmp-reply active
Need urgent help.
09-11-2012 05:20 PM
Hi,
Your requirement is not clear, but for ACE to load balance on the basis of the host header value, ACE should be able to look at the HTTP header, which will not happen in your case if you are not using SSL termination on it, which means that it will hit the default policy.
Just on the basis of L4, it should work fine.
Regards,
Kanwal
09-11-2012 11:40 PM
How can I do it only with L4 if I just have one IP address?
Regards,
Antonio
09-11-2012 11:43 PM
Hi,
You can differentiate on the basis of TCP ports.
class-map match-any vip_http
  2 match virtual-address 192.168.99.100 tcp eq www
class-map match-any vip_https
  2 match virtual-address 192.168.99.100 tcp eq 443
Regards,
Kanwal
09-11-2012 11:50 PM
Hi Kanwal,
Unfortunately it is not possible to use different ports because the clients are not aware - they just type https://www.mysite.com or https://www.mysite2.com and the DNS resolves both URLs to the same IP address. Do I have any other option besides SSL termination?
Regards,
Antonio
09-11-2012 11:59 PM
Hi Antonio,
For ACE to make a decision on the basis of the host header value, it needs to decrypt the traffic, so there is no other way.
A second workaround would be to make a change in the DNS zone file and resolve mysite2.com to some other IP address which is a VIP on ACE, but using SSL termination is a better option, since you will offload SSL (which is CPU intensive) to ACE, and ACE can make decisions on the basis of L7 information since now it can look into the HTTP header.
Regards,
Kanwal
09-12-2012 12:13 AM
Hi Kanwal,
The clients are on the internet and I just have an ASA firewall in the middle, so I think it's not possible to use the "DNS trick".
Regarding the SSL offload option, how can I do it? I'm aware that I need to upload the certificate and key to the ACE and that I need to create the SSL proxy service and add these two files to it. But I have some doubts regarding the class and policy configuration since I want to preserve the remaining configuration.
Regards,
Antonio
09-12-2012 01:03 AM
Hi,
You just need to add the SSL proxy in the policy multi-match under class vip_https.
Regards,
Kanwal
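Applying that advice to Antonio's original class and policy names, as an added example that is not from the thread or from Cisco's documentation: the SSL parameter map, the ssl-proxy service name and the key/cert file names are assumed, and the key and certificate are assumed to be already imported with crypto import.

```text
! Added example; assumed names: PARAMMAP_SSL_MYSITES, SSL_PSERVICE_MYSITES,
! MYSITES_KEY.PEM and MYSITES_CERT.PEM. The certificate must cover both
! www.mysite.com and www.mysite2.com (wildcard or SAN), since one service
! answers for both names on the single VIP.
parameter-map type ssl PARAMMAP_SSL_MYSITES
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA priority 2
  version TLS1
ssl-proxy service SSL_PSERVICE_MYSITES
  ssl advanced-options PARAMMAP_SSL_MYSITES
  key MYSITES_KEY.PEM
  cert MYSITES_CERT.PEM
! The existing L7 class and policy are unchanged; once the ACE terminates
! TLS, the Host header is visible and domain_mysite2 matches for HTTPS too.
class-map type http loadbalance match-all domain_mysite2
  2 match http header Host header-value "www.mysite2.com"
policy-map type loadbalance first-match L7_policymap
  class domain_mysite2
    serverfarm sfarm_SFARM2
  class class-default
    serverfarm sfarm_SFARM1
! Only the vip_https class changes: the ssl-proxy server line terminates
! TLS on the VIP before the loadbalance policy inspects the request.
policy-map multi-match L4_policymap
  class vip_http
    loadbalance vip inservice
    loadbalance policy L7_policymap
    loadbalance vip icmp-reply active
  class vip_https
    loadbalance vip inservice
    loadbalance policy L7_policymap
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_PSERVICE_MYSITES
! The rservers in sfarm_SFARM1 and sfarm_SFARM2 now receive clear-text
! HTTP from the ACE, so they must listen on the port the serverfarm
! entries specify (80 in the documentation example above).
```

Check that the two file names appear in show crypto files before referencing them in the ssl-proxy service; the ACE-to-server leg is unencrypted after termination, so it should stay on the internal server VLAN.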
09-12-2012 01:10 AM
Hi Antonio,
Have a look at this below as well for details.
Example of an SSL Termination Configuration
The following example illustrates a running configuration of the ACE acting as an SSL proxy server, terminating SSL or TLS connections from a client and then establishing a TCP connection to an HTTP server. When the ACE terminates the SSL or TLS connection, it decrypts the cipher text from the client and transmits the data as clear text to the HTTP server. The SSL termination-specific configuration elements appear in bold in the example.
access-list ACL1 line 10 extended permit ip any any
probe https GEN-HTTPS
  port 80
  interval 50
  faildetect 5
  expect status 200 200
rserver SERVER1
  ip address 172.27.16.11
  inservice
rserver SERVER2
  ip address 172.27.16.12
  inservice
rserver SERVER3
  ip address 172.27.16.13
  inservice
rserver SERVER4
  ip address 172.27.16.14
  inservice
serverfarm host SFARM1
  description SERVER FARM 1 FOR SSL TERMINATION
  probe GEN-HTTPS
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
serverfarm host SFARM2
  description SERVER FARM 2 FOR SSL TERMINATION
  probe GEN-HTTPS
  rserver SERVER3 80
    inservice
  rserver SERVER4 80
    inservice
parameter-map type ssl PARAMMAP_SSL_TERMINATION
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
  version all
parameter-map type connection TCP_PARAM
  syn-data drop
  exceed-mss allow
ssl-proxy service SSL_PSERVICE_SERVER
  ssl advanced-options PARAMMAP_SSL_TERMINATION
  key MYKEY.PEM
  cert MYCERT.PEM
class-map type http loadbalance match-all L7_SERVER_CLASS
  description Sticky for SSL Testing
  2 match http url .*.jpg
  3 match source-address 192.168.130.0 255.255.255.0
class-map type http loadbalance match-all L7_SLB-HTTP_CLASS
  2 match http url .*
  3 match source-address 192.168.130.0 255.255.255.0
class-map match-all L4_SSL-TERM_CLASS
  description SSL Termination VIP
  2 match virtual-address 192.168.130.11 tcp eq https
policy-map type loadbalance first-match L7_SSL-TERM_POLICY
  class L7_SERVER_CLASS
    serverfarm SFARM1
    insert-http I_AM header-value "SSL_TERM"
    insert-http SRC_Port header-value "%ps"
    insert-http DEST_IP header-value "%id"
    insert-http DEST_Port header-value "%pd"
    insert-http SRC_IP header-value "%is"
  class L7_SLB-HTTP_CLASS
    serverfarm SFARM1
    insert-http I_AM header-value "SSL_TERM"
    insert-http SRC_Port header-value "%ps"
    insert-http DEST_IP header-value "%id"
    insert-http DEST_Port header-value "%pd"
    insert-http SRC_IP header-value "%is"
policy-map multi-match L4_SSL-VIP_POLICY
  class L4_SSL-TERM_CLASS
    loadbalance vip inservice
    loadbalance policy L7_SSL-TERM_POLICY
    loadbalance vip icmp-reply
    ssl-proxy server SSL_PSERVICE_SERVER
    connection advanced-options TCP_PARAM
interface vlan 120
  description Upstream VLAN_120 - Clients and VIPs
  ip address 192.168.120.1 255.255.255.0
  fragment chain 20
  fragment min-mtu 68
  access-group input ACL1
  nat-pool 1 192.168.120.70 192.168.120.80 netmask 255.255.255.0 pat
  service-policy input L4_SSL-VIP_POLICY
  no shutdown
ip route 10.1.0.0 255.255.255.0 192.168.120.254
Regards,
Kanwal
09-12-2012 01:26 PM
Hi Antonio,
You will also need a SAN certificate to make it work.
09-14-2012 01:39 AM
Hi Kanwal,
In your configuration all the HTTPS traffic is terminated in ACE. Is it possible to terminate only this particular traffic (I think not)?
Regards,
Antonio
09-17-2012 02:09 PM
If all your sites are under the same domain, the simplest solution is to use a cross domain certificate (*.domain.com).
Otherwise you can use a multi-domain certificate (using the SAN field: Subject Alternative Name).
SNI (Server Name Indication) is the cleanest way to do it, but it's not supported by all browsers / load balancers.