
SSL Offload on ACE to SSL Serverfarm

jason.williams
Level 1

Here is what I need to do.

I have a web application that requires HTTPS.  However, I'm told by the vendor that we need to use a cookie for sticky.

Based on what I've read, for cookie sticky to work with HTTPS, the ACE needs to perform SSL offload.

However, when I enable it, the site behind the load balancer will not load.  I'm assuming that the proxied connection between the ACE and the web servers over HTTPS is not working right.

What needs to be done in order to get the ACE to perform SSL offload, but still communicate with the servers over SSL?

Thanks.

Jason

Accepted Solutions

pablo.nxh
Level 3

Hi Jason,

It's called End-to-End SSL and if you already have SSL offloading working then you're almost there; setting this up would be a matter of adding a new SSL proxy with the "backend" connection parameters and you're good to go.

Please take a look at any of these examples and let us know if any question pops up:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_1_0/configuration/ssl/guide/endtoend.pdf

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples#Examples_of_End-to-End_SSL_Configurations

HTH

Pablo

Ok, that seemed to work.

However, and I'll start a new discussion if necessary, I have this config for sticky cookies:

sticky http-cookie WEB_COOKIE WEB
  cookie insert browser-expire
  timeout 60
  replicate sticky
  serverfarm WEB

policy-map type loadbalance http first-match PM_LB_WEB
  class WEB_CLIENT
    sticky-serverfarm WEB
    ssl-proxy client SSL_CLIENT

policy-map multi-match CLIENTSIDE_VIPS
  class VIP_WEB
    loadbalance vip inservice
    loadbalance policy PM_LB_WEB
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_PROXY

How can I tell if the cookie sticky is working?  I can open the website (I'm using Firefox), but when I check the cookies, I don't see anything from the ACE?

Thanks.

Hi Jason,

You should be seeing something with this command:

ACE-4710A/Admin# show sticky cookie-insert group WEB

Just out of curiosity, is this configured on your admin context or a separate one? If new context, did you assign sticky resources for it?

* Make sure you clear the cache before giving it a shot.

HTH

Pablo

It is all working now.  In FF, I was able to view cookies along with the certificate, and the ACE cookie is there.

Thanks again!
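
A client-side version of the check discussed in this thread, as an added example that is not part of the original posts: it parses captured response headers (for instance from `curl -sI`) and reports whether the `WEB_COOKIE` sticky cookie from the configuration above was set, and with which attributes. The sample response, the cookie values and the function names are constructed for illustration.

```python
"""Check a captured HTTP response head for the ACE-inserted sticky cookie."""

def set_cookies(raw_response):
    """Return {name: (value, attrs)} for every Set-Cookie header in a raw response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    found = {}
    for line in head.split("\n")[1:]:              # skip the status line
        field, sep, value = line.partition(":")    # split on the first colon only
        if not sep or field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name, _, cookie_value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            if part:
                key, _, attr_value = part.partition("=")
                attrs[key.strip().lower()] = attr_value.strip()
        found[name.strip()] = (cookie_value.strip(), attrs)
    return found

def check_sticky(raw_response, cookie_name="WEB_COOKIE"):
    """Return the sticky cookie's properties, or None if it was not set."""
    cookies = set_cookies(raw_response)
    if cookie_name not in cookies:
        return None
    value, attrs = cookies[cookie_name]
    return {
        "value": value,
        # "cookie insert browser-expire" should yield a session cookie:
        # no Expires or Max-Age, so the browser drops it when it closes.
        "session_only": "expires" not in attrs and "max-age" not in attrs,
        "secure": "secure" in attrs,       # worth knowing on an HTTPS-only VIP
        "httponly": "httponly" in attrs,
        "path": attrs.get("path"),
    }

# Constructed sample: an application cookie plus the load balancer's cookie.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=constructed-app-session; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: WEB_COOKIE=R0000000000; path=/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(check_sticky(SAMPLE))
```

Run it against the headers of a first request made with no cookies, matching the advice above to clear the cache before testing.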
