08-02-2007 09:12 AM
Hi,
I have 2 web servers that work fine when I access them over HTTP, but when I activate SSL termination, I get an "application/octet-stream" download when using Firefox.
In IE it gives me 4 little boxes and a P in the corner of the page.
I'm using an ACE blade in a 6509.
Any ideas?
Regards
Stephane
08-03-2007 12:50 AM
Make sure you specify the destination server port to be 80 in your serverfarm, as the ACE module will not translate 443 to 80 by itself.
Gilles.
08-16-2007 08:18 AM
I seem to be having the exact same problem. I originally had a serverfarm that looked like this:
serverfarm host CHCOM_Farm
  rserver CHCOM1
    inservice
  rserver CHCOM2
    inservice
  rserver CHCOM3
    inservice
It was working fine before I added the SSL termination configuration. I didn't see anything in any examples about having the serverfarm specify port 80, but after I saw your post I reconfigured my farm to look like this:
serverfarm host CHCOM_Farm
  rserver CHCOM1 80
    inservice
  rserver CHCOM2 80
    inservice
  rserver CHCOM3 80
    inservice
I still get the response in the browser, though.
08-16-2007 08:40 AM
After calling the TAC, I found out that the ACE does not support url-redirect in the present IOS. So here is the solution to my problem:
My normal serverfarm:
serverfarm host NORMAL
  rserver server1 80
    inservice
  rserver server2 80
    inservice
Make an rserver to redirect:
rserver redirect R2
  webhost-redirection https://%h/%p 302
  inservice
Then make a redirect serverfarm:
serverfarm redirect REDIRECT
  rserver R2
    inservice
Then suppose I have 2 VIPs: one for traffic that comes in on www, which I want redirected to https, and one for traffic that comes in on https:
class-map match-all vip10
  10 match virtual-address 10.10.10.1 tcp eq www
class-map match-all vip20
  10 match virtual-address 10.10.10.1 tcp eq https
I make a policy for the redirect:
policy-map type loadbalance first-match REDIRECT-LOGIC
  class class-default
    serverfarm REDIRECT
I make a policy to load balance to the reals that handle https:
policy-map type loadbalance first-match lb-logic
  class class-default
    serverfarm NORMAL
Then I have the multi-match for my ingress VLAN:
policy-map multi-match client-vips
  class vip10
    loadbalance vip inservice
    loadbalance policy REDIRECT-LOGIC
  class vip20
    loadbalance vip inservice
    loadbalance policy lb-logic
    ssl-proxy server xxxx
08-16-2007 09:41 AM
Just one clarification: we do not support 'url rewrite', but we can do redirect.
So, basically, your problem was that the SSL traffic was redirected by the server to HTTP.
The solution you have in place is to catch the HTTP traffic and redirect it to SSL.
The next ACE release, ACE 2.0, should support url rewrite to intercept the server response and rewrite the redirect to HTTP into a redirect to SSL.
Gilles.
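The two symptoms discussed in this thread can be checked offline on a capture, which is useful when someone asks you to "sniff the traffic": a 200 whose body is served as application/octet-stream after SSL termination, and a 302 whose Location header sends the browser back to http:// (the server-side redirect that a Location rewrite on the load balancer would correct). The script below is an added example, not code from the original posts or from Cisco; the response bytes, the host name www.example.com and the function names are constructed for illustration. It also shows what a simple Location rewrite would do to such a response.

```python
"""Inspect captured HTTP responses for SSL-termination symptoms.

Added example (not from the thread). All responses below are constructed
samples, not captures from the posters' servers.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample responses, as a client would receive them from the VIP.
OCTET_STREAM = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: application/octet-stream\r\n"
                b"Content-Length: 28\r\n\r\n"
                b"<html><body>hi</body></html>")
DOWNGRADE = (b"HTTP/1.1 302 Found\r\n"
             b"Location: http://www.example.com/login\r\n"
             b"Content-Length: 0\r\n\r\n")
HEALTHY = (b"HTTP/1.1 200 OK\r\n"
           b"Content-Type: text/html\r\n"
           b"Content-Length: 28\r\n\r\n"
           b"<html><body>hi</body></html>")
# First bytes of a TLS record (constructed): what a port-80 real would see if
# the https VIP had no ssl-proxy action and passed encrypted bytes through.
NOT_HTTP = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"

Header = Tuple[str, str]


def parse_response(raw: bytes) -> Tuple[str, List[Header], bytes]:
    """Split a raw response into status line, ordered headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def header(headers: List[Header], name: str) -> Optional[str]:
    """Case-insensitive lookup of the first header with the given name."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def diagnose(raw: bytes, expected_scheme: str = "https") -> List[str]:
    """Return human-readable findings for a response received from the VIP."""
    findings: List[str] = []
    status, headers, body = parse_response(raw)
    if not status.startswith("HTTP/"):
        return ["not an HTTP response (did the VIP hand encrypted bytes to a port-80 real?)"]
    ctype = (header(headers, "Content-Type") or "").split(";")[0].strip().lower()
    if ctype == "application/octet-stream":
        msg = "body served as application/octet-stream"
        if body.lstrip().startswith(b"<"):
            msg += " although it looks like HTML"
        findings.append(msg)
    loc = header(headers, "Location")
    if loc:
        scheme = urlsplit(loc).scheme.lower()
        if scheme and scheme != expected_scheme:
            findings.append(f"redirect to {loc} leaves {expected_scheme}:// for {scheme}://")
    return findings


def rewrite_redirect(raw: bytes, vip_host: str) -> bytes:
    """Rewrite Location: http://<vip_host>/... to https://, leaving other hosts alone.

    This mimics the response rewrite a load balancer can apply when the real
    server redirects to plain HTTP behind SSL termination.
    """
    status, headers, body = parse_response(raw)
    fixed: List[Header] = []
    for name, value in headers:
        if name.lower() == "location":
            parts = urlsplit(value)
            if parts.scheme.lower() == "http" and parts.hostname == vip_host.lower():
                value = "https://" + value.split("://", 1)[1]
        fixed.append((name, value))
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in fixed])
    return head.encode("latin-1") + b"\r\n\r\n" + body


if __name__ == "__main__":
    for label, sample in [("octet-stream", OCTET_STREAM), ("downgrade", DOWNGRADE),
                          ("healthy", HEALTHY), ("not-http", NOT_HTTP)]:
        print(label, diagnose(sample) or ["ok"])
    print(rewrite_redirect(DOWNGRADE, "www.example.com").decode("latin-1"))
```

Feed it the response side of a capture taken between the client and the VIP (after decryption, for the https VIP); an empty findings list for the 443 VIP and a Location pointing at https:// for the 80 VIP is what a working redirect setup looks like.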
08-16-2007 09:38 AM
Could you sniff the traffic and send me the result?
It should work with your new serverfarm.
Gilles.
08-16-2007 10:27 AM
Well, the reply above kind of set me in the right direction. I don't need to redirect all my traffic to HTTPS, since the links in the web server will specify HTTPS when needed.
What I did was to set up two different VIPs, one to match port 80 and the other to match port 443. Then I just created different actions for each in the CLIENT-VIPS policy-map. The 443 VIP has an SSL-PROXY action and the 80 VIP doesn't.
Is there a better way to do what I'm trying to accomplish? Is your original suggestion supposed to solve my requirements?
Let us know.
Thanks!
08-16-2007 12:03 PM
You indeed need 2 policies to do ssl termination and http.
But you can reuse the same serverfarm.
All you need is to make sure to specify the service port for each real, as the ssl function does not translate the port.
Gilles.
08-17-2007 09:30 AM
Gilles,
So if I understand what you're saying you'd have a serverfarm that looked like this:
serverfarm host CHCOM_443_Farm
  rserver CHCOM1 443
    inservice
  rserver CHCOM1 80
    inservice
  rserver CHCOM2 443
    inservice
  rserver CHCOM2 80
    inservice
  rserver CHCOM3 443
    inservice
  rserver CHCOM3 80
    inservice
If that's the case, and I'm using cookie insert for sticky, then I run the risk of my users switching servers depending on whether they're on port 80 or 443, right?
I need to be sure that my users remain on the same server when they switch from 80 to 443 or vice versa.
08-20-2007 02:05 AM
If you terminate ssl on the ACE module, you only talk HTTP (port 80) to the real server.
So you do not specify the rserver with port 443.
Only with port 80.
But you create 2 separate policies.
One for http.
One for ssl.
In both policies you use the same serverfarm.
For the ssl policy, you just have to also add the ssl server-policy to inform the module to terminate ssl.
Gilles.
08-21-2007 05:09 AM
Gilles,
I'm out of town right now and won't be able to try anything on the ACE for a week or so, but wanted to thank you for your response.
I'll give it a shot when I get back into the office.