Solved: Load Balance https based on url

John Carrascal · ‎11-16-2011

I am trying to configure ACE 4710 to load balance base on the URL, If it matches the specific URL ( /456/ ), the traffic will be sent to server farm 456 else the traffic will be sent to server farm 123.

I attached an image of the topology.

Ace Config:

rserver host SRV01_123

ip address 192.168.1.101

inservice

rserver host SRV02_123

ip address 192.168.1.102

inservice

rserver host SRV01_456

ip address 192.168.1.111

inservice

serverfarm host farm_123

rserver SRV01_123

inservice

rserver SRV02_123

inservice

serverfarm host farm_456

rserver SRV01_456

inservice

class-map match-all VIP_Application

2 match virtual-address 192.168.1.10 tcp eq https

class-map type http loadbalance match-all L7_server_456

2 match http url /456/

policy-map type loadbalance http first-match LB_Application

class L7_server_456

serverfarm farm_456

class class-default

serverfarm farm_123

policy-map multi-match ServerGroup1_PM

class VIP_Application

loadbalance vip inservice

loadbalance policy LB_Application

loadbalance vip icmp-reply

interface vlan 70

bridge-group 1

no shutdown

interface vlan 700

bridge-group 1

service-policy input ServerGroup1_PM

no shutdown

Thanks

pablo.nxh · ‎11-16-2011

Hi John,

If you want to do the offload in the ACE also called SSL termination, it is a two step process:

1- You need to upload your certificate and key to the ACE using FTP or one of the available methods.

2- Create the the SSL proxy service where you add these two files and finally add this service under the policy-multimatch for the VIP in question.

You also need to decide whether you want to keep your server listening in the encrypted port (that would be a two way encryption process called End-to-End SSL) or you can change the port to 80 and leave all the decyption process to the ACE (this would be transparent to the client, the site will show up as HTTPS all the time).

Here you can take a look at the SSL termination process (using clear text port in the backend servers).

Oficial Configuration Example

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/terminat.html

Cisco Wiki Example

http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example

HTH

__ __

Pablo

View solution in original post

pablo.nxh · ‎11-16-2011

Hi John,

Unfortunately this can't be done unless you configure the ACE to offload your SSL connections, https information is readable up to layer 4 to the ACE, layer 5 information such as host headers or URL is hidden and can't be matched using L5 policies without decypting the connection within the load balancer.

HTH

__ __

Pablo

John Carrascal · ‎11-16-2011

Hi Pablo,

Thank you very much for your response.

Can you please show me an example with this kind of configuration?

Thank you a lot.

pablo.nxh · ‎11-16-2011

Hi John,

If you want to do the offload in the ACE also called SSL termination, it is a two step process:

1- You need to upload your certificate and key to the ACE using FTP or one of the available methods.

2- Create the the SSL proxy service where you add these two files and finally add this service under the policy-multimatch for the VIP in question.

You also need to decide whether you want to keep your server listening in the encrypted port (that would be a two way encryption process called End-to-End SSL) or you can change the port to 80 and leave all the decyption process to the ACE (this would be transparent to the client, the site will show up as HTTPS all the time).

Here you can take a look at the SSL termination process (using clear text port in the backend servers).

Oficial Configuration Example

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/terminat.html

Cisco Wiki Example

http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example

HTH

__ __

Pablo

John Carrascal · ‎11-17-2011

Hi Pablo,

Thank you very much for your responses.

Yours sincerely,

John.