SSL Termination

Unanswered Question
Aug 2nd, 2007


I have 2 web servers that when I access them over HTTP everything works fine, but when I activate SSL termination, I get an "application/octet-stream" to download when using Firefox.

In IE it would give me 4 little boxes and a P in the corner of the page.

I'm using an ACE blade in a 6509.

Any ideas?



Gilles Dufour Fri, 08/03/2007 - 00:50

Make sure you specify the destination server port to be 80 in your serverfarm, as the ACE module will not translate 443 to 80 by itself.


I seem to be having the exact same problem. I originally had a serverfarm that looked like this:

serverfarm host CHCOM_Farm
  rserver CHCOM1
  rserver CHCOM2
  rserver CHCOM3

It was working fine before I added the SSL termination configuration. I didn't see anything in any of the examples saying to have the server farm specify port 80, but after I saw your post I reconfigured my farm to look like this:

serverfarm host CHCOM_Farm
  rserver CHCOM1 80
  rserver CHCOM2 80
  rserver CHCOM3 80

I still get the response in the browser, though.

stephg Thu, 08/16/2007 - 08:40

After calling the TAC, I found out that the ACE does not support url-redirect in the present IOS. So here is the solution to my problem:

my normal server farm:

serverfarm host NORMAL
  rserver server1 80
  rserver server2 80

make an rserver to redirect:

rserver redirect R2
  webhost-redirection https://%h/%p 302

then make a redirect serverfarm:

serverfarm redirect REDIRECT
  rserver R2

Then suppose I have 2 VIPs: one for traffic that comes in on www that I want redirected to https, and one that comes in on https.

class-map match-all vip10
  10 match virtual-address tcp eq www

class-map match-all vip20
  10 match virtual-address tcp eq https

I make a policy for the redirect:

policy-map type loadbalance first-match REDIRECT-LOGIC
  class class-default
    serverfarm REDIRECT

I make a policy for loadbalancing to the reals to handle https:

policy-map type loadbalance first-match lb-logic
  class class-default
    serverfarm NORMAL

Then I have a multi-match for my ingress VLAN:

policy-map multi-match client-vips
  class vip10
    loadbalance vip inservice
    loadbalance policy REDIRECT-LOGIC
  class vip20
    loadbalance vip inservice
    loadbalance policy lb-logic
    ssl-proxy server xxxx

Gilles Dufour Thu, 08/16/2007 - 09:41

Just one clarification: we do not support 'url rewrite', but we can do redirect.

So, basically, your problem was that the SSL traffic was redirected by the server to HTTP.

The solution you have in place is to catch the HTTP traffic to redirect it to SSL.

The next ACE release, ACE 2.0, should support url rewrite to intercept the server response and rewrite the redirect to HTTP into a redirect to SSL.
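The two failure modes discussed in this thread are visible to the client: when the decrypted request is forwarded to the server's TLS port, the browser receives TLS records (or an opaque body) instead of a page, and when the server builds absolute redirects it points the browser back to http://. The following is an added example, not a Cisco tool and not code from any post here; it audits raw HTTP responses as a client would see them on the HTTPS VIP. All responses are constructed samples and example.invalid is a placeholder host.

```python
"""Client-side sanity checks for an SSL-terminating load balancer.

Added example for this thread, not a Cisco tool and not part of any
post above. It inspects raw HTTP responses as a client sees them after
the load balancer has decrypted the session, and flags the failure
modes the thread describes: a backend answering with TLS because the
decrypted traffic was forwarded to its 443 port instead of 80, an HTML
page delivered as application/octet-stream, and a server redirect that
sends the browser back to plain http://. All responses below are
constructed samples; example.invalid is a placeholder host.
"""
from urllib.parse import urlsplit

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}


def looks_like_tls_record(raw: bytes) -> bool:
    """True if the reply starts with a TLS record header (type byte, major version 3)."""
    return len(raw) >= 3 and raw[0] in TLS_RECORD_TYPES and raw[1] == 0x03


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def audit_terminated_response(raw: bytes) -> list:
    """Return a list of findings for one response received over the HTTPS VIP."""
    findings = []
    if looks_like_tls_record(raw):
        # The client sent plaintext HTTP into the tunnel and got TLS back:
        # the decrypted request reached a TLS listener on the real server.
        findings.append("backend answered with a TLS record; decrypted traffic "
                        "is likely reaching the server's HTTPS port, not port 80")
        return findings
    try:
        status, headers, body = parse_http_response(raw)
    except ValueError:
        findings.append("reply is neither HTTP nor TLS; check the real-server port")
        return findings
    ctype = headers.get("content-type", "").lower()
    if ctype.startswith("application/octet-stream") and body.lstrip().startswith(b"<"):
        findings.append("markup body labelled application/octet-stream; "
                        "the browser will offer it as a download")
    if 300 <= status < 400 and "location" in headers:
        if urlsplit(headers["location"]).scheme.lower() == "http":
            # The server only sees HTTP and builds absolute redirects to http://,
            # which is what the thread's HTTP-to-HTTPS redirect policy works around.
            findings.append("redirect downgrades the client to plain HTTP: "
                            + headers["location"])
    return findings


# Constructed samples of what a client might receive on the HTTPS VIP.
SAMPLES = {
    "healthy": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
                b"<html><body>ok</body></html>"),
    # TLS alert record (type 0x15, version 3.1): the backend expected a ClientHello.
    "tls_from_backend": b"\x15\x03\x01\x00\x02\x02\x0a",
    "octet_stream": (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                     b"<html><body>login</body></html>"),
    "http_redirect": (b"HTTP/1.1 302 Found\r\n"
                      b"Location: http://www.example.invalid/login\r\n"
                      b"Content-Length: 0\r\n\r\n"),
}


def audit_all(samples=SAMPLES) -> dict:
    """Audit every sample; a healthy response maps to an empty list."""
    return {name: audit_terminated_response(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run against a capture taken on the client side of the VIP, the first check distinguishes the "wrong real-server port" case from a plain content-type problem, and the redirect check catches the downgrade before users do.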


Gilles Dufour Thu, 08/16/2007 - 09:38

Could you sniff the traffic and send me the result?

It should work with your new serverfarm.


Well, the reply above kind of set me in the right direction. I don't need to redirect all my traffic to HTTPS, since the links in the web server will specify HTTPS when needed.

What I did was to set up two different VIPs, one to match port 80 and the other to match port 443. Then I just created different actions for each in the CLIENT-VIPS policy-map. The 443 VIP has an SSL-PROXY action and the 80 VIP doesn't.

Is there a better way to do what I'm trying to accomplish? Is your original suggestion supposed to solve my requirements?

Let us know.


Gilles Dufour Thu, 08/16/2007 - 12:03

You indeed need 2 policies to do SSL termination and HTTP.

But you can reuse the same serverfarm.

All you need is to make sure to specify the service port for each real, as the SSL function does not translate the port.



So if I understand what you're saying you'd have a serverfarm that looked like this:

serverfarm host CHCOM_443_Farm
  rserver CHCOM1 443
  rserver CHCOM1 80
  rserver CHCOM2 443
  rserver CHCOM2 80
  rserver CHCOM3 443
  rserver CHCOM3 80


If that's the case, and I'm using COOKIE INSERT for sticky, then I run the risk of my users switching servers depending on whether they're on port 80 or 443, right?

I need to be sure that my users remain on the same server when they switch from 80 to 443 or vice versa.

Gilles Dufour Mon, 08/20/2007 - 02:05

If you terminate SSL on the ACE module, you only talk HTTP [port 80] to the real server.

So you do not specify the rserver with port 443.

Only with port 80.

But you create 2 separate policies.

One for HTTP, one for SSL.

In both policies you use the same serverfarm.

For the SSL policy, you just have to also add the ssl-proxy server action to inform the module to terminate SSL.


