cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1267
Views
0
Helpful
4
Replies
Highlighted
Beginner

Interesting ACE URL Header & Load-balance & SSL on 2 VIPs

Hi There

I have an interesting situation that I am trying to solve. I have 4 websites, each one with SSL Off-Loading on the ACE on the outside. All FOUR websites run on a single server on the inside, but each website is using a different port number for differentiation. Also, they are currently only available on TWO IPs on the outside! I know.....it's a mare!

So, RSERVER = SERVER = 192.168.0.1

Each website has SSL Certs on the outside. https://website1.abc.com - https://website4.abc.com

But, DNS is only bound to 2 IPs on the outside, as that is all we have available currently, until we free up more IPs.

OUTSIDE:

website1.abc.com = 172.16.0.1:443

website2.abc.com = 172.16.0.1:443

website3.abc.com = 172.16.0.2:443

website4.abc.com = 172.16.0.2:443

On the server we have:

INSIDE: 192.168.0.1

SERVER:8001 = website1.abc.com

SERVER:8002 = website2.abc.com

SERVER:8003 = website3.abc.com

SERVER:8004 = website4.abc.com

So, in a nutshell what I need to do is:

Terminate SSL for each website, then match the HTTP header, and pass it to the SERVER on the right port. Sounds easy enough.

But, I am struggling like hell. The VIPs (Wirtual IPs on the OUTSIDE are causing me grief) My steps seem to be breaking my ruleset. Individually they all work, but once I tie them to the VIPs on the outside, it seems to stop. The first site in each CM (class-map) match in the PM (Profile-Map) works but the subsequent site just breaks.

I would post my config, but right now I have sooooooooooooo many variations, it looks like a dog's breakfast.

Can anyone give advice on the process flow to follow to get this to work. My issue is arround the VIPs mainly. To be honest, I don't really care about Load-Balancing right now. That will come later when more servers are added to mix. And then we might have to do inbound NAT too to the Server Farm, but that can wait! :-o

I have created a HEADER map for the headers, individual SERVER FARMS for each port on the RSERVER, ACLs matching the VIPs inbound on 443, CLASS-MAPs matching the HEADER and applying to SFARM, POLICY MAPS matching the CMAPs and doing Load-Balancing with SSL-PROXYs for the SSL headers. SERVICE-POLICY tieing it all together on Interface.

But .... things are going hey-wire.

So, steps are:

RSERVER

SFARMs = RSERVER:PORTs

ACLs = VIPs

CMAP = HEADER = URL

LB PMAP = HEADER CMAP & SFARM

PMAP MULITM = ACL CMAP + LB PMAP & SSL-Proxy

SVC-POL = PMAP MULTIM

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Per virtual server (I mean a VIP and an associated port, in your case you have two virtual servers) you can only bind one cert.

This is because SSL decryption is mandatory to decode the payload (HTTP request) to match the Host field (the name of the site, which is embedded in the HTTP header.

Some LB on the market can overcome this by using SNI (Server Name Indication), which is an extension of SSL http://en.wikipedia.org/wiki/Server_Name_Indication

But at this time the ACE doesn't support it.

You have two workaround for this : use wildcard certificates (*.domain.com) or SAN (Subject Alternative names) certificates.

The behaviour you face is normal and expected.

View solution in original post

4 REPLIES 4
Highlighted
Enthusiast

You can bind only 2 certs.

SSL decryption is performed before the L7 classification based on the "host" field.

Highlighted

Hi Surya

Thanks for the prompt reply. I'm not quite sure what you mean when you say it ca only handle 2 certs. Can you elaborate please?

It would appear to me that you can actually only bind one cert to an IP, based on using a VIP address for the server farm as per the CM in the PM. I can hack out the irrelevant bits tomorrow and post what I have done thus far. I have played with multiple lines of code and various ways of trying to do this, but the end result is that it appears once I have the CM set per VIP I can only set one SSL-Proxy, and so only one cert. If I use multiple CMs, as per the MultiMatch policy, it matches the first CM against the VIP and doesn't appear to move on as per the HTTP Header. If any of that makes sense?

regards

Sent from Cisco Technical Support iPad App

Highlighted

Per virtual server (I mean a VIP and an associated port, in your case you have two virtual servers) you can only bind one cert.

This is because SSL decryption is mandatory to decode the payload (HTTP request) to match the Host field (the name of the site, which is embedded in the HTTP header.

Some LB on the market can overcome this by using SNI (Server Name Indication), which is an extension of SSL http://en.wikipedia.org/wiki/Server_Name_Indication

But at this time the ACE doesn't support it.

You have two workaround for this : use wildcard certificates (*.domain.com) or SAN (Subject Alternative names) certificates.

The behaviour you face is normal and expected.

View solution in original post

Highlighted

Ahhh, ok, that makes perfect sense now. That is pretty much what I was seeing, and was hoping to "hack" around it with configs. I have learnt more about how you can configure an ACE in the last week :), with numerous different solutions but nothing that was working because of the SSL-PROXY requirement.

Thanks for your time and explanation. Much appreciated.

Regards