11-03-2010 11:47 AM
We currently have an ACE 4710 device that has a VIP setup for a server farm for our customers. The protocol one must use to access the site is HTTPS. Is there any way to add the ability for HTTP without creating another VIP? If not, can I just create another VIP pointing to the same server farm using HTTP. The ultimate goal here is to be able to access the site using both HTTP and HTTPS, but it doesn't appear that you can select both protocols in the ACE for the VIP. It seems as if it is one OR the other.
Thanks.
Mike
11-03-2010 02:59 PM
If you are terminating SSL on ACE then there is no way to do it with one policy because of the ssl-proxy command. However, it is possible to use the same serverfarm with two VIPs like this:
access-list ACL line 10 extended permit ip any any

rserver host TEST
  ip address 20.20.2.11
  inservice

serverfarm host TEST
  rserver TEST
    inservice

ssl-proxy service SSL_SERVER
  key KEY12.PEM
  cert CERT12.PEM

class-map match-any SSL
  2 match virtual-address 10.10.2.101 tcp eq https
class-map match-any HTTP
  2 match virtual-address 10.10.2.101 tcp eq http

policy-map type loadbalance first-match L7_POL
  class class-default
    serverfarm TEST

policy-map multi-match L7
  class SSL
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply
    ssl-proxy server SSL_SERVER
  class HTTP
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply

interface vlan 210
  ip address 10.10.2.1 255.255.255.0
  service-policy input L7
  access-group input ACL
  no shutdown
interface vlan 220
  ip address 20.20.2.1 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.90.15.1
However, if you are not doing SSL termination on ACE and you are just doing L4 load balancing, you will most likely need to configure SSL stickiness, which again leads to having separate policies because of the sticky serverfarms, which need separate loadbalance policy lines.
11-03-2010 03:24 PM
Since I am terminating SSL on the ACE, then the config you provided should point me in the right direction? That will allow me to create a second policy and apply it so that the site will be accessible and load balanced for HTTP and HTTPS?
Thanks,
Mike
11-03-2010 03:47 PM
I am not sure I understand which second policy are you talking about. The config I provided will allow the same website to be reachable via HTTP and HTTPS. No other config is needed.
However, if your website contains HTTP redirect responses, you should also configure SSL URL Rewrite.
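As an added example (not part of Ivan's reply), this is what the SSL URL Rewrite he mentions looks like when bolted onto the VIP, serverfarm and policy names from his earlier config. Only the HTTPS class gets it, which means it needs its own loadbalance policy (here L7_POL_SSL); the action-list name SSL_REWRITE and the hostname www.example.com are assumptions. The clearport/sslport values are the defaults and are written out only to make the port mapping visible:

```text
action-list type modify http SSL_REWRITE
  ssl url rewrite location www\.example\.com clearport 80 sslport 443

policy-map type loadbalance first-match L7_POL_SSL
  class class-default
    serverfarm TEST
    action SSL_REWRITE

policy-map multi-match L7
  class SSL
    loadbalance vip inservice
    loadbalance policy L7_POL_SSL
    loadbalance vip icmp-reply
    ssl-proxy server SSL_SERVER
  class HTTP
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply
```

The point of the rewrite is that the real servers only ever see cleartext HTTP, so any redirect they generate carries a Location header of the form http://www.example.com/..., and a browser that came in over the HTTPS VIP would follow it straight onto the cleartext VIP. With the action-list attached to the SSL class, ACE rewrites those headers to https://www.example.com/... (and maps port 80 to 443) before they reach the client, while the HTTP class keeps the unmodified L7_POL. To check it, request a URL that you know the backend redirects, once over https:// and once over http://, and confirm the Location header in the HTTPS response now has an https scheme.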
11-08-2010 01:58 PM
Ivan,
I was referring to the second policy in this part of your config:
class-map match-any SSL
  2 match virtual-address 10.10.2.101 tcp eq https
class-map match-any HTTP
  2 match virtual-address 10.10.2.101 tcp eq http
I already have a line in the config similar to the one that is pointing to https, but I do not have one pointing to http like the other one. So I just need to create a second class-map and I should be good to go, correct?
Mike
11-11-2010 11:45 AM
Yes, you need the second class-map and you also need to refer to it under "policy-map multi-match". If you haven't spotted it take a closer look at the config example I posted:
policy-map multi-match L7
  ...
  class HTTP
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply
11-11-2010 02:52 PM
Ivan,
Thanks for the response. I am putting together my final config for implementation, but I wanted to clarify a couple of things. I currently have a line in my production config that looks like:
class-map match-all XXXX_XXX
  2 match virtual-address xx.xx.xx.xx tcp eq https
Would I need to change the "-all" to "-any" as you have it in the config that you previously posted?
In the following config, could you explain to me what the "loadbalance vip icmp-reply" line is doing and why it is necessary?
policy-map multi-match L7
  ...
  class HTTP
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply
Lastly, in both of the classes listed below, is the L7_POL referring to the same loadbalance policy or do I need to create separate policies for each of those "L7_POL" lines?
policy-map multi-match L7
  class HTTP
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply
  class SSL
    loadbalance vip inservice
    loadbalance policy L7_POL
    ssl-proxy server xxx.xxx.com
I think once I have these answers, I should be ready to implement my final config. Thanks.
Mike
11-12-2010 05:20 PM
There is no difference between match-all and match-any when there is only one match line under the class-map, so you don't need to change it.
By default VIP on ACE does not respond to echo requests. The "loadbalance vip icmp-reply" changes this and makes the VIP answer ping. This is not needed unless you want to be able to ping the VIP.
You don't need to create two separate policies unless you want to implement some different L7 rules for HTTP and HTTPS service.
All these things are explained in detail in the ACE configuration guide, so I recommend that you read at least the Server Load-Balancing Configuration Guide section before continuing with the ACE configuration.
04-30-2012 08:20 AM
Hi Ivan,
I have the same issue with the ACE module. I need to access erp.company.com both ways, HTTP and HTTPS.
As you mentioned,
"However, it is possible to use the same serverfarm with two VIPs like this"
but if you look at the config, the VIP address you used is the same for http and https, i.e. 10.10.2.101.
Can you please clarify?
Regards
Ahmed...