Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2141
Views
4
Helpful
4
Replies

Load Balance https based on url

Go to solution
John Carrascal
Beginner
Beginner

‎11-16-2011 11:58 AM

I am trying to configure ACE 4710 to load balance base on the URL, If it matches the specific URL ( /456/ ), the traffic will be sent to server farm 456 else the traffic will be sent to server farm 123.

I attached an image of the topology.

Ace Config:

rserver host SRV01_123

  ip address 192.168.1.101

  inservice

rserver host SRV02_123

  ip address 192.168.1.102

  inservice

rserver host SRV01_456

  ip address 192.168.1.111

  inservice

serverfarm host farm_123

  rserver SRV01_123

    inservice

  rserver SRV02_123

    inservice

serverfarm host farm_456

  rserver SRV01_456

    inservice

class-map match-all VIP_Application

  2 match virtual-address 192.168.1.10 tcp eq https

class-map type http loadbalance match-all L7_server_456

  2 match http url /456/

policy-map type loadbalance http first-match LB_Application

  class L7_server_456

    serverfarm farm_456

  class class-default

    serverfarm farm_123

policy-map multi-match ServerGroup1_PM

  class VIP_Application

    loadbalance vip inservice

    loadbalance policy LB_Application

    loadbalance vip icmp-reply

interface vlan 70

  bridge-group 1

  no shutdown

interface vlan 700

  bridge-group 1

  service-policy input ServerGroup1_PM

  no shutdown

Thanks

Labels:
Preview file
92 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
pablo.nxh
Participant
Participant
In response to John Carrascal

‎11-16-2011 02:21 PM

Hi John,

If you want to do the offload in the ACE also called SSL termination, it is a two step process:

1- You need to upload your certificate and key to the ACE using FTP or one of the available methods.

2- Create the the SSL proxy service where you add these two files and finally add this service under the policy-multimatch for the VIP in question.

You also need to decide whether you want to keep your server listening in the encrypted port (that would be a two way encryption process called End-to-End SSL) or you can change the port to 80 and leave all the decyption process to the ACE (this would be transparent to the client, the site will show up as HTTPS all the time).

Here you can take a look at the SSL termination process (using clear text port in the backend servers).

Oficial Configuration Example

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/terminat.html

Cisco Wiki Example

http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example

HTH

__ __

Pablo

View solution in original post

0 Helpful
4 Replies 4

Go to solution
pablo.nxh
Participant
Participant

‎11-16-2011 01:00 PM

Hi John,

Unfortunately this can't be done unless you configure the ACE to offload your SSL connections, https information is readable up to layer 4 to the ACE, layer 5 information such as host headers or URL is hidden and can't be matched using L5 policies without decypting the connection within the load balancer.

HTH

__ __

Pablo

Go to solution
John Carrascal
Beginner
Beginner
In response to pablo.nxh

‎11-16-2011 01:43 PM

Hi Pablo,

  Thank you very much for your response.

Can you please show me an example with this kind of configuration?

Thank you a lot.

0 Helpful

Go to solution
pablo.nxh
Participant
Participant
In response to John Carrascal

‎11-16-2011 02:21 PM

Hi John,

If you want to do the offload in the ACE also called SSL termination, it is a two step process:

1- You need to upload your certificate and key to the ACE using FTP or one of the available methods.

2- Create the the SSL proxy service where you add these two files and finally add this service under the policy-multimatch for the VIP in question.

You also need to decide whether you want to keep your server listening in the encrypted port (that would be a two way encryption process called End-to-End SSL) or you can change the port to 80 and leave all the decyption process to the ACE (this would be transparent to the client, the site will show up as HTTPS all the time).

Here you can take a look at the SSL termination process (using clear text port in the backend servers).

Oficial Configuration Example

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/terminat.html

Cisco Wiki Example

http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example

HTH

__ __

Pablo

0 Helpful

Go to solution
John Carrascal
Beginner
Beginner
In response to pablo.nxh

‎11-17-2011 10:20 AM

Hi Pablo,

Thank you very much for your responses.

Yours sincerely,

John.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents