In a Cisco ACE configuration, real servers are dedicated physical servers that you typically configure in groups called server farms. Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location in a data center. Web sites often comprise groups of servers configured in a server farm. Load-balancing software distributes client requests for content or services among the real servers based on the configured policy and traffic classification, server availability and load, and other factors. This document describes a scenario where the ACE is used to redirect traffic from an HTTP connection to an HTTPS connection using SSL termination.
SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server. For the Cisco ACE to terminate SSL sessions, it must be configured with both an SSL certificate and the corresponding SSL private key. The SSL files (certificate and key) can either be generated with a tool such as OpenSSL or requested from a certificate authority. The SSL termination configuration begins like the basic Layer 4 load-balancing configuration, by defining a VIP and the corresponding server farm and rservers. Although the VIP can be configured with a port of "any," the ACE will send a TCP reset on any non-SSL connection. To prevent this, it is recommended that you bind the VIP to a port.
In this example clients that connect to the VIP on port 80 (HTTP) will be redirected to the same FQDN and path using port 443 (HTTPS). Clients will then open an HTTPS session to the ACE where the SSL session will be terminated and load balanced to the real servers.
You can use a redirect rserver to redirect HTTP connections to HTTPS. The HTTP-to-HTTPS redirect in this example is a 301 redirect (permanent). The 301 can be either removed or changed to 302 to revert to the default of a temporary redirect.
class-map match-all HTTP-VIP
  2 match virtual-address 172.21.162.178 tcp eq http
class-map match-all HTTPS-VIP
  2 match virtual-address 172.21.162.178 tcp eq https

policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SERVERFARM

policy-map type loadbalance first-match LOAD-BALANCE-PM
  class class-default
    serverfarm REAL-SERVERS

policy-map multi-match WEB-TRAFFIC
  class HTTP-VIP
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM
    loadbalance vip icmp-reply
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy LOAD-BALANCE-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_SERVICE
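The multi-match policy above references objects that the document does not show (the redirect server farm, the real servers and the SSL proxy service). The following is an added example of those objects, not configuration from the original document; the rserver names, the 192.0.2.x addresses, the key/certificate file names and the SSL parameter map are assumed, and lines starting with "!" are annotations.

```cisco
! Redirect rserver: %h expands to the Host header and %p to the requested
! path, so the client is sent to the same FQDN and path over HTTPS.
! 301 makes the redirect permanent; omit it (or use 302) for a temporary one.
rserver redirect REDIRECT-RSERVER
  webhost-redirection https://%h%p 301
  inservice

! Server farm of type redirect, referenced by REDIRECT-PM
serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-RSERVER
    inservice

! Real servers receiving the decrypted traffic (assumed addresses)
rserver host WEB-1
  ip address 192.0.2.11
  inservice
rserver host WEB-2
  ip address 192.0.2.12
  inservice

! Server farm referenced by LOAD-BALANCE-PM; back end is plain HTTP on port 80
serverfarm host REAL-SERVERS
  rserver WEB-1 80
    inservice
  rserver WEB-2 80
    inservice

! Restrict the terminated SSL sessions to TLS and a limited cipher set
! (assumed parameter-map; adjust to current policy)
parameter-map type ssl SSL-PARAMS
  version TLS1
  cipher RSA_WITH_AES_256_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA

! SSL proxy service bound to the HTTPS-VIP class; the key and certificate
! file names are placeholders for files loaded with "crypto import"
ssl-proxy service SSL_SERVICE
  key WEB-KEY.PEM
  cert WEB-CERT.PEM
  ssl advanced-options SSL-PARAMS
```

Because the back-end hop is clear text, the real servers should be reachable only from the ACE on the server-side VLAN.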
HTTPS to HTTPS Redirection
For HTTPS-to-HTTPS redirection, the ACE must first be able to inspect the HTTP header, which requires terminating SSL and then load balancing the request to the redirect server farm. The URL/URI rewrite feature was introduced in the A5 train. The HTTP URL rewrite feature enables the ACE to rewrite URI/URL pathnames in HTTP requests. You can rewrite the URL value in an HTTP request from a client using the url rewrite command in action-list modify configuration mode.