ACE SSL Reverse Proxy for multiple URLs

g-georgiou
Level 1

Hi,

I am trying to set up an ACE as a reverse proxy (one-arm mode) for HTTPS connections for multiple URLs to multiple serverfarms. From what I know I have two options:

1. Use a different VIP for each URL and do L4 load balancing, or use a combination of IP address and port.

2. Use a different VIP for each URL, do SSL offloading, and do L7 URL-based load balancing.

So with these options I am bound to use different IPs for each site. Is there a way I can use one VIP and then offload SSL and do URL-based load balancing? From my knowledge we are restricted by the nature of SSL. The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the problem is that the SSL session is a separate transaction that takes place before the HTTP session even starts, so there is no visibility of the HTTP header.

Any comments appreciated

George Georgiou

Accepted Solution

Gilles Dufour
Cisco Employee

George,

your understanding is absolutely correct.

We need to know the site in order to decrypt the traffic because the certificate is associated to a domain name.

But without decrypting, we can't see the domain name.

So, the only way to know the domain without decrypting is to allocate a single ip to each domain.

There is no other solution.

Gilles.


Hi Gilles,

Thank you for your always prompt answer. You are always very helpful and accurate.

I guess maybe we could have that working only if using wildcard certificates.

Anyways, another 5 for you!!!

./G
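The decision sequence Gilles describes (the certificate must be chosen from the VIP alone, because Host and URL are only readable after decryption), together with the wildcard-certificate variant George raises, modelled as an added Python example. This is not code from the thread or from the ACE product; the VIP addresses, hostnames and serverfarm names are constructed, and the wildcard match follows the usual one-label rule, which is why a wildcard for `*.example.com` does not cover the bare zone apex or a deeper subdomain, so those names would still need their own VIP and certificate.

```python
"""Added example (not from the thread): TLS termination must happen before
host/URL routing, and one wildcard certificate lets a single VIP front several
hostnames that share one DNS label level.

All VIPs, hostnames and serverfarm names below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Minimal hostname match: a leading '*' replaces exactly one label."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # The wildcard stands for one label only, so label counts must agree;
    # this is what excludes 'example.com' and 'a.b.example.com'.
    if len(cert_labels) != len(host_labels):
        return False
    return cert_labels[1:] == host_labels[1:]


@dataclass(frozen=True)
class Vip:
    address: str
    cert_subject: str  # name (or wildcard) the certificate bound to this VIP was issued for


# Options 1/2 from the question: one VIP and one certificate per site (constructed).
PER_SITE_VIPS = {
    "10.0.0.11": Vip("10.0.0.11", "shop.example.com"),
    "10.0.0.12": Vip("10.0.0.12", "mail.example.com"),
}

# George's follow-up idea: a single VIP presenting a wildcard certificate (constructed).
WILDCARD_VIP = Vip("10.0.0.10", "*.example.com")

# L7 policy that can only be evaluated after the SSL session is terminated (constructed).
SERVERFARMS = {
    ("shop.example.com", "/api/"): "SF_SHOP_API",
    ("shop.example.com", "/"): "SF_SHOP_WEB",
    ("mail.example.com", "/"): "SF_MAIL",
}


def select_serverfarm(host: str, path: str) -> str | None:
    """Longest URL-prefix match among the rules for the given Host header."""
    candidates = [(p, sf) for (h, p), sf in SERVERFARMS.items() if h == host.lower()]
    candidates.sort(key=lambda item: len(item[0]), reverse=True)
    for prefix, sf in candidates:
        if path.startswith(prefix):
            return sf
    return None


def route_request(vip: Vip, host_header: str, path: str) -> str:
    """Model the proxy's decision for one HTTPS request arriving on `vip`."""
    # Step 1 (before decryption): the only information available is which VIP
    # the client connected to, so the certificate is selected from the VIP alone.
    # If that certificate does not cover the name the browser asked for, the
    # handshake fails on the client side and no HTTP ever reaches the proxy.
    if not wildcard_matches(vip.cert_subject, host_header):
        return "CERT_MISMATCH"
    # Step 2 (after decryption): Host header and URL are now visible and the
    # L7 policy can pick a serverfarm.
    return select_serverfarm(host_header, path) or "NO_MATCH"
```

With the wildcard VIP, `shop.example.com` and `mail.example.com` both terminate on one address and are then split by Host and URL; `example.com` itself or `a.b.example.com` still return `CERT_MISMATCH`, which is the case where a separate VIP remains necessary.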
