Load Balance https based on url

John Carrascal
Level 1

I am trying to configure an ACE 4710 to load balance based on the URL. If it matches the specific URL ( /456/ ), the traffic will be sent to server farm 456; otherwise the traffic will be sent to server farm 123.

I attached an image of the topology.

Ace Config:

rserver host SRV01_123
  ip address 192.168.1.101
  inservice
rserver host SRV02_123
  ip address 192.168.1.102
  inservice
rserver host SRV01_456
  ip address 192.168.1.111
  inservice

serverfarm host farm_123
  rserver SRV01_123
    inservice
  rserver SRV02_123
    inservice
serverfarm host farm_456
  rserver SRV01_456
    inservice

class-map match-all VIP_Application
  2 match virtual-address 192.168.1.10 tcp eq https

class-map type http loadbalance match-all L7_server_456
  2 match http url /456/

policy-map type loadbalance http first-match LB_Application
  class L7_server_456
    serverfarm farm_456
  class class-default
    serverfarm farm_123

policy-map multi-match ServerGroup1_PM
  class VIP_Application
    loadbalance vip inservice
    loadbalance policy LB_Application
    loadbalance vip icmp-reply

interface vlan 70
  bridge-group 1
  no shutdown
interface vlan 700
  bridge-group 1
  service-policy input ServerGroup1_PM
  no shutdown

Thanks

Accepted Solution

Hi John,

If you want to do the offload in the ACE, also called SSL termination, it is a two-step process:

1- You need to upload your certificate and key to the ACE using FTP or one of the available methods.

2- Create the SSL proxy service where you add these two files, and finally add this service under the policy multi-match for the VIP in question.

You also need to decide whether you want to keep your server listening on the encrypted port (that would be a two-way encryption process called End-to-End SSL) or you can change the port to 80 and leave all the decryption process to the ACE (this would be transparent to the client; the site will show up as HTTPS all the time).

Here you can take a look at the SSL termination process (using a clear-text port on the backend servers).

Official Configuration Example

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/terminat.html

Cisco Wiki Example

http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example

HTH

__ __

Pablo
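As an added example (not from the original post, and not Cisco's own configuration guide), this is what Pablo's two steps look like when applied to John's configuration above: the certificate and key are imported, an ssl-proxy service references them, the service is attached under the VIP class of the existing multi-match policy, and the serverfarms send decrypted traffic to port 80 on the back-end servers. The service name SSL_TERM, the FTP server address, the user name and the file names are placeholders I chose; the exact `crypto import` syntax is an assumption to be checked against the SSL termination guide linked above before use.

```text
! Step 1 (assumption: verify the import syntax in the ACE SSL guide).
! Certificate and key file names are placeholders, not real files.
crypto import ftp 192.168.1.50 ftpuser cert_placeholder.pem cert_placeholder.pem
crypto import ftp 192.168.1.50 ftpuser key_placeholder.pem key_placeholder.pem

! Step 2: SSL proxy service that ties the certificate and key together.
ssl-proxy service SSL_TERM
  key key_placeholder.pem
  cert cert_placeholder.pem

! Back-end servers now listen in clear text on port 80, so each rserver
! entry in the serverfarm carries the port the ACE should connect to
! (for End-to-End SSL you would keep the servers on 443 instead).
serverfarm host farm_123
  rserver SRV01_123 80
    inservice
  rserver SRV02_123 80
    inservice
serverfarm host farm_456
  rserver SRV01_456 80
    inservice

! Attach the SSL proxy under the HTTPS VIP class. Once the ACE has
! decrypted the client connection, the L7 policy LB_Application can see
! the URL and the "/456/" match in class-map L7_server_456 takes effect.
policy-map multi-match ServerGroup1_PM
  class VIP_Application
    loadbalance vip inservice
    loadbalance policy LB_Application
    loadbalance vip icmp-reply
    ssl-proxy server SSL_TERM
```

The rest of John's configuration (rservers, class-map VIP_Application, the loadbalance policy and the bridged VLAN interfaces) stays as posted; only the pieces shown here change. The private key now lives on the ACE, so it should be protected like any other key material and the clear-text server VLAN treated as sensitive, since traffic between the ACE and the servers is no longer encrypted.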


4 Replies

pablo.nxh
Level 3

Hi John,

Unfortunately this can't be done unless you configure the ACE to offload your SSL connections. HTTPS information is readable up to layer 4 by the ACE; layer 5 information such as host headers or the URL is hidden and can't be matched using L5 policies without decrypting the connection within the load balancer.

HTH

__ __

Pablo

Hi Pablo,

Thank you very much for your response.

Can you please show me an example with this kind of configuration?

Thank you a lot.


Hi Pablo,

Thank you very much for your responses.

Yours sincerely,

John.
