Use ACE with multiple SSL and Vhosts

siteenligne
Level 1

Hello,

I am trying to use multiple certificates on a Cisco ACE load balancer. After some research, I think the best solution is to configure one IP per SSL site (as is the default on Apache) and therefore to manage this in the configuration of the load balancer.

Here is my current configuration of ACE:

show run
Generating configuration....
ssh maxsessions 1
access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any
probe tcp PROBE_TCP
  interval 30
rserver host SERVER1
  ip address 172.16.0.1
  conn-limit max 50000 min 40000
  inservice
rserver host SERVER2
  ip address 172.16.0.2
  conn-limit max 50000 min 40000
  inservice
serverfarm host FARM_WEB
  predictor leastconns
  probe PROBE_TCP
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance
class-map match-any HTTP
  2 match virtual-address 37.59.XX.XX tcp eq www
class-map type management match-all PUBLIC_REMOTE
  2 match protocol ssh source-address 193.252.XX.XX 255.255.255.255
class-map type management match-all REMOTE_ACCESS
  2 match protocol ssh any
class-map match-any SSL
  2 match virtual-address 37.59.XX.XX tcp eq https
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type management first-match REMOTE_PUBLIC_MGMT
  class PUBLIC_REMOTE
    permit
policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm FARM_WEB
    insert-http x-forward header-value "%is"
policy-map multi-match WEB-to-vIPs
  class HTTP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2890
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
  class SSL
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2890
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
interface vlan 1277
  ip address 37.59.XX.XX 255.255.255.240
  alias 37.59.XX.XX 255.255.255.240
  peer ip address 37.59.XX.XX 255.255.255.240
  access-group input ANY
  service-policy input REMOTE_PUBLIC_MGMT
  service-policy input WEB-to-vIPs
  no shutdown
interface vlan 2890
  ip address 172.31.255.250 255.240.0.0
  alias 172.31.255.249 255.240.0.0
  peer ip address 172.31.255.251 255.240.0.0
  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
ft track interface VLAN1277
  track-interface vlan 1277
  peer track-interface vlan 1277
  priority 50
  peer priority 5
ip route 0.0.0.0 0.0.0.0 37.59.XX.XX
username XXXXX password 5 XXXXX role Admin domain default-domain

I thought of adding two servers, SERVER101 and SERVER102, with IP addresses 172.16.0.101 and .102, and thus adding a new external IP.

I have not looked too much into changing the configuration, but I do not think it poses problems.

My certificates are configured directly on my servers (nginx and apache2) not the loadbalancer.

Do you think this is the best solution?

Thank you very much.


sivaksiv
Cisco Employee

Hi,

It all depends on your requirement whether you want to offload SSL on ACE or on server.

Offloading on ACE will remove the burden of SSL encryption/decryption from the real servers' CPUs, increasing the amount of traffic they are able to handle in most situations.

If you want to do it on ACE here is the document.

http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example

Regards,

Siva

Thank you for this answer. I'm looking to set up the certificates directly on the load balancer.

Hi, and thanks for your help.

I have configured the first SSL and it's OK.

For the second, can I just add a class in my policy map like that:

policy-map multi-match PROXYSSL1
  class SSL1
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2890
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
    ssl-proxy server proxy1
  class SSL2
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2890
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
    ssl-proxy server proxy2

?

Just another question: can I redirect the SSL traffic to port 80 after LB? (I can configure Apache / nginx to listen on 80 and 443 without SSL, but I just answer.)

Thanks !

Hi,

Yes, that should be fine. To redirect traffic to a different server port, specify the port under rserver as below.

serverfarm host FARM_WEB
  predictor leastconns
  probe PROBE_TCP
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice

Regards,

Siva
