HTTP and HTTPS on ACE 4710

Mike McWethy
Level 1

We currently have an ACE 4710 device that has a VIP set up for a server farm for our customers. The protocol one must use to access the site is HTTPS. Is there any way to add the ability for HTTP without creating another VIP? If not, can I just create another VIP pointing to the same server farm using HTTP? The ultimate goal here is to be able to access the site using both HTTP and HTTPS, but it doesn't appear that you can select both protocols in the ACE for the VIP. It seems as if it is one OR the other.

Thanks.

Mike

8 Replies

Ivan Kovacevic
Cisco Employee

If you are terminating SSL on ACE then there is no way to do it with one policy because of the ssl-proxy command. However, it is possible to use the same serverfarm with two VIPs like this:

access-list ACL line 10 extended permit ip any any

rserver host TEST
  ip address 20.20.2.11
  inservice

serverfarm host TEST
  rserver TEST
    inservice

ssl-proxy service SSL_SERVER
  key KEY12.PEM
  cert CERT12.PEM

class-map match-any SSL
  2 match virtual-address 10.10.2.101 tcp eq https
class-map match-any HTTP
  2 match virtual-address 10.10.2.101 tcp eq http

policy-map type loadbalance first-match L7_POL
  class class-default
    serverfarm TEST

policy-map multi-match L7
  class SSL
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply
    ssl-proxy server SSL_SERVER
  class HTTP
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply

interface vlan 210
  ip address 10.10.2.1 255.255.255.0
  service-policy input L7
  access-group input ACL
  no shutdown
interface vlan 220
  ip address 20.20.2.1 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.90.15.1

However, if you are not doing SSL termination on ACE and you are just doing L4 load balancing, you will most likely need to configure SSL stickiness, which again leads to having separate policies, because the sticky serverfarms need separate loadbalance policy lines.
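As an added example (not from the thread), a small Python checker that parses the class-map and multi-match policy lines of the config above and reports, per VIP, which ports are served and whether SSL is terminated on ACE; it also flags an https class without its ssl-proxy and a class referenced in the policy that has no class-map. It assumes one "match virtual-address ... tcp eq" line per class-map and the indentation-based ACE config layout shown in the post.

```python
import re

# Constructed sample: the class-map/policy-map part of the config posted above.
ACE_CONFIG = """class-map match-any SSL
  2 match virtual-address 10.10.2.101 tcp eq https
class-map match-any HTTP
  2 match virtual-address 10.10.2.101 tcp eq http
policy-map type loadbalance first-match L7_POL
   class class-default
     serverfarm TEST
policy-map multi-match L7
   class SSL
     loadbalance policy L7_POL
     ssl-proxy server SSL_SERVER
   class HTTP
     loadbalance policy L7_POL
"""

def parse(cfg):
    """Return (class-map name -> (vip, port), multi-match class -> its lines)."""
    cmaps, policy, section, current = {}, {}, None, None
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("class-map "):
            section, current = "cmap", s.split()[-1]
        elif s.startswith("policy-map "):
            # only the multi-match policy binds classes (and so VIPs) to the interface
            section, current = ("mm" if s.startswith("policy-map multi-match") else None), None
        elif section == "cmap" and (m := re.search(r"match virtual-address (\S+) tcp eq (\S+)", s)):
            cmaps[current] = m.groups()
        elif section == "mm" and s.startswith("class "):
            current = s.split()[1]
            policy[current] = set()
        elif section == "mm" and current and s:
            policy[current].add(s)
    return cmaps, policy

def check(cfg):
    """Return (vip -> {port: ssl_terminated_on_ace}, list of config problems)."""
    (cmaps, policy), vips, problems = parse(cfg), {}, []
    for cls, lines in policy.items():
        if cls not in cmaps:
            problems.append(f"class {cls} has no class-map with a VIP match")
            continue
        vip, port = cmaps[cls]
        ssl = any(l.startswith("ssl-proxy server") for l in lines)
        vips.setdefault(vip, {})[port] = ssl
        if port == "https" and not ssl:
            problems.append(f"class {cls} (https) has no ssl-proxy server")
        elif port == "http" and ssl:
            problems.append(f"class {cls} (http) has ssl-proxy on a plain-http VIP")
    return vips, problems
```

Running check(ACE_CONFIG) on the posted config reports one VIP, 10.10.2.101, served on both https (SSL terminated on ACE) and http, with no problems.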

Since I am terminating SSL on the ACE, the config you provided should point me in the right direction? That will allow me to create a second policy and apply it so that the site will be accessible and load balanced for both HTTP and HTTPS?

Thanks,
Mike

I am not sure I understand which second policy you are talking about. The config I provided will allow the same website to be reachable via HTTP and HTTPS. No other config is needed.

However, if your website contains HTTP redirect responses, you should also configure SSL URL Rewrite.

Ivan,

I was referring to the second policy in this part of your config:

class-map match-any SSL
  2 match virtual-address 10.10.2.101 tcp eq https
class-map match-any HTTP
  2 match virtual-address 10.10.2.101 tcp eq http

I already have a line in the config similar to the one pointing to https, but I do not have one pointing to http like the other one. So I just need to create a second class-map and I should be good to go, correct?

Mike

Yes, you need the second class-map and you also need to refer to it under "policy-map multi-match". If you haven't spotted it, take a closer look at the config example I posted:

policy-map multi-match L7
  ...
  class HTTP
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply

Ivan,

Thanks for the response. I am putting together my final config for implementation, but I wanted to clarify a couple of things. I currently have a line in my production config that looks like:

class-map match-all XXXX_XXX
  2 match virtual-address xx.xx.xx.xx tcp eq https

Would I need to change the "-all" to "-any" as you have in the config you previously posted?

In the following config, could you explain to me what the boldfaced line of config is doing and why is it necessary?

policy-map multi-match L7
  ...
  class HTTP
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply

Lastly, in both of the classes listed below, is the L7_POL referring to the same loadbalance policy or do I need to create separate policies for each of those "L7_POL" lines?

policy-map multi-match L7
  class HTTP
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply
  class SSL
    loadbalance vip inservice
    loadbalance policy L7_POL
    ssl-proxy server xxx.xxx.com

I think once I have these answers, I should be ready to implement my final config. Thanks.

Mike

There is no difference between match-all and match-any when there is only one match line under the class map, so you don't need to change it.

By default a VIP on ACE does not respond to echo requests. The "loadbalance vip icmp-reply" line changes this and makes the VIP answer ping. It is not needed unless you want to be able to ping the VIP.

You don't need to create two separate policies unless you want to implement some different L7 rules for HTTP and HTTPS service.

All these things are explained in detail in the ACE config guide, so I recommend that you read at least the Server Load-Balancing Configuration Guide section before continuing with the ACE configuration.

Hi Ivan,

I have the same issue with an ACE module. I need to access erp.company.com both ways, http and https.

As you mentioned,

"However it is possible to use same serverfarms with two VIP like this"

but if you look at the config, the VIP address you used is the same for http and https, i.e. 10.10.2.101.

Can you please clarify?

Regards

Ahmed