SSL Termination

stephg
Level 1

Hi,

I have 2 web servers that, when I access them over HTTP, everything works fine, but when I activate SSL termination, I get an "application/octet-stream" to download when using Firefox.

In IE it would give me 4 little boxes and a P in the corner of the page.

I'm using an ACE blade in a 6509.

Any ideas?

Regards

Stephane

10 Replies

Gilles Dufour
Cisco Employee

Make sure you specify the destination server port to be 80 in your serverfarm, as the ACE module will not translate 443 to 80 by itself.

Gilles.
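The symptom Gilles describes has a recognisable wire signature: if the ACE decrypts the client's request and forwards it, as cleartext, to a real server port that speaks TLS, the server answers with TLS record bytes (typically an alert) instead of an HTTP status line, and the browser has nothing but an untyped body to hand the user. The following diagnostic is an added example, not code from the thread or from Cisco; it sends a plaintext HTTP request to a real server port and classifies the first bytes that come back. The hostnames, ports and sample byte strings are constructed placeholders, and it assumes you run it from a host that can reach the real servers directly.

```python
"""Classify what a real-server port answers to a plaintext HTTP request.

Added example, not from the thread. A port that replies with a TLS record to
cleartext "GET /" is a TLS listener: pointing an SSL-terminating serverfarm at
it (no explicit port 80 on the rserver) produces the octet-stream download
described above.
"""
import socket
import sys

# TLS record content types (RFC 5246 section 6.2.1); first byte of a record.
TLS_RECORD_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}

# Constructed samples of what a real server might return.
SAMPLE_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
# alert record: version 3.1, length 2, level fatal(2), unexpected_message(10)
SAMPLE_TLS_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x0A])


def classify_response(data: bytes) -> str:
    """Return a one-line verdict for the first bytes received after the probe."""
    if not data:
        return "empty (connection closed without a response)"
    if data.startswith(b"HTTP/"):
        status = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return f"http ({status})"
    # A TLS record starts with a content type byte and a 0x03,0x0N version.
    if len(data) >= 5 and data[0] in TLS_RECORD_TYPES and data[1] == 0x03 and data[2] <= 0x04:
        return f"tls {TLS_RECORD_TYPES[data[0]]} record: this port speaks TLS, not HTTP"
    return "unknown (neither an HTTP status line nor a TLS record)"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a minimal cleartext HTTP/1.0 request to host:port and classify the reply."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    # Usage: python probe.py <real-server> <port> [<port> ...]
    # e.g.   python probe.py 192.0.2.10 80 443   (placeholder address)
    target = sys.argv[1]
    for p in sys.argv[2:]:
        print(f"{target}:{p} -> {probe(target, int(p))}")
```

Run it against each real server on both 80 and 443: the port that answers "http (...)" is the one the rserver entries behind the SSL-terminating policy must name explicitly.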

I seem to be having the exact same problem. I originally had a serverfarm that looked like this:

serverfarm host CHCOM_Farm
  rserver CHCOM1
    inservice
  rserver CHCOM2
    inservice
  rserver CHCOM3
    inservice

It was working fine before I added the SSL Termination configuration. I didn't see anything in any examples to have the server farm specify port 80, but after I saw your post I reconfigured my farm to look like this:

serverfarm host CHCOM_Farm
  rserver CHCOM1 80
    inservice
  rserver CHCOM2 80
    inservice
  rserver CHCOM3 80
    inservice

I still get the response in the browser, though.

After calling the TAC, I found out that the ACE does not support url-redirect in the present IOS. So here is the solution to my problem:

my normal server farm

serverfarm host NORMAL
  rserver server1 80
    inservice
  rserver server2 80
    inservice

make an rserver to redirect

rserver redirect R2
  webhost-redirection https://%h/%p 302
  inservice

then make a redirect serverfarm

serverfarm redirect REDIRECT
  rserver R2
    inservice

then suppose I have 2 VIPs, one for traffic that comes in on www that I want redirected to https, and one for traffic that comes in on https

class-map match-all vip10
  10 match virtual-address 10.10.10.1 tcp eq www

class-map match-all vip20
  10 match virtual-address 10.10.10.1 tcp eq https

I make a policy for redirect

policy-map type loadbalance first-match REDIRECT-LOGIC
  class class-default
    serverfarm REDIRECT

I make a policy for loadbalance to reals to handle https

policy-map type loadbalance first-match lb-logic
  class class-default
    serverfarm NORMAL

Then I have a multi-match for my ingress vlan

policy-map multi-match client-vips
  class vip10
    loadbalance vip inservice
    loadbalance policy REDIRECT-LOGIC
  class vip20
    loadbalance vip inservice
    loadbalance policy lb-logic
    ssl-proxy server xxxx
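Two things went wrong in this thread before the configuration above settled: rservers in a host serverfarm with no explicit port (so the ACE, which does not translate the VIP port, sent terminated traffic to 443 on the real), and a multi-match class naming a loadbalance policy that was spelled differently from its definition. The following lint is an added example, not code from the thread or from Cisco; it parses only the subset of the ACE CLI shown above and flags those mistakes, plus an rserver left on port 443 behind an ssl-proxy class. The sample configuration is constructed to mirror the thread, with both defects planted on purpose, and the ssl-proxy service name is a placeholder.

```python
"""Lint an ACE serverfarm/policy configuration for the mistakes discussed in
this thread. Added example, not ACE code; understands only the CLI subset
shown in the thread (serverfarm, rserver, policy-map, class, loadbalance)."""

# Constructed sample mirroring the thread. Planted defects: "rserver server2"
# has no port, and client-vips refers to REDIRECT_LOGIC (underscore) while the
# policy is defined as REDIRECT-LOGIC (hyphen).
SAMPLE_CONFIG = """
rserver redirect R2
  webhost-redirection https://%h/%p 302
  inservice
serverfarm host NORMAL
  rserver server1 80
    inservice
  rserver server2
    inservice
serverfarm redirect REDIRECT
  rserver R2
    inservice
policy-map type loadbalance first-match REDIRECT-LOGIC
  class class-default
    serverfarm REDIRECT
policy-map type loadbalance first-match lb-logic
  class class-default
    serverfarm NORMAL
policy-map multi-match client-vips
  class vip10
    loadbalance vip inservice
    loadbalance policy REDIRECT_LOGIC
  class vip20
    loadbalance vip inservice
    loadbalance policy lb-logic
    ssl-proxy server PLACEHOLDER-SSL-SERVICE
"""


def parse_ace_config(text):
    """Return (serverfarms, lb_policies, multi_match) built from the CLI text."""
    farms, lb_policies, multi = {}, {}, {}
    ctx = None  # which block the current line belongs to
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "serverfarm" and len(tok) == 3 and tok[1] in ("host", "redirect"):
            farms[tok[2]] = {"type": tok[1], "rservers": []}
            ctx = ("farm", tok[2])
        elif tok[0] == "rserver" and len(tok) == 3 and tok[1] in ("host", "redirect"):
            ctx = ("rserver-def", tok[2])  # real-server definition, nothing to check
        elif tok[:4] == ["policy-map", "type", "loadbalance", "first-match"]:
            lb_policies[tok[4]] = []
            ctx = ("lb", tok[4])
        elif tok[:2] == ["policy-map", "multi-match"]:
            multi[tok[2]] = {}
            ctx = ("mm", tok[2], None)
        elif tok[0] == "class-map":
            ctx = None  # VIP definitions are outside this check
        elif ctx is None:
            continue
        elif ctx[0] == "farm" and tok[0] == "rserver":
            port = int(tok[2]) if len(tok) > 2 and tok[2].isdigit() else None
            farms[ctx[1]]["rservers"].append((tok[1], port))
        elif ctx[0] == "lb" and tok[0] == "serverfarm":
            lb_policies[ctx[1]].append(tok[1])
        elif ctx[0] == "mm" and tok[0] == "class":
            multi[ctx[1]][tok[1]] = {"policy": None, "ssl": False}
            ctx = ("mm", ctx[1], tok[1])
        elif ctx[0] == "mm" and ctx[2] and tok[:2] == ["loadbalance", "policy"]:
            multi[ctx[1]][ctx[2]]["policy"] = tok[2]
        elif ctx[0] == "mm" and ctx[2] and tok[:2] == ["ssl-proxy", "server"]:
            multi[ctx[1]][ctx[2]]["ssl"] = True
    return farms, lb_policies, multi


def find_issues(farms, lb_policies, multi):
    """Return human-readable findings; an empty list means the checks passed."""
    issues = []
    for fname, farm in farms.items():
        if farm["type"] != "host":
            continue
        for rname, port in farm["rservers"]:
            if port is None:
                issues.append(f"serverfarm {fname}: rserver {rname} has no port; the ACE keeps "
                              "the VIP port, so SSL-terminated traffic is sent to 443 on the real")
    for pname, refs in lb_policies.items():
        for ref in refs:
            if ref not in farms:
                issues.append(f"policy {pname} references undefined serverfarm {ref}")
    for mname, classes in multi.items():
        for cname, entry in classes.items():
            pol = entry["policy"]
            if pol is None:
                continue
            if pol not in lb_policies:
                issues.append(f"multi-match {mname} class {cname}: loadbalance policy {pol} is not defined")
            elif entry["ssl"]:
                for farm_name in lb_policies[pol]:
                    for rname, port in farms.get(farm_name, {}).get("rservers", []):
                        if port == 443:
                            issues.append(f"multi-match {mname} class {cname}: ssl-proxy terminates TLS, "
                                          f"but rserver {rname} in {farm_name} is on 443 and would receive cleartext")
    return issues


def lint_ace_config(text):
    """Parse and check a configuration in one call."""
    return find_issues(*parse_ace_config(text))


if __name__ == "__main__":
    for issue in lint_ace_config(SAMPLE_CONFIG):
        print("ISSUE:", issue)
```

Paste a `show running-config` excerpt in place of the sample to check a live box; the parser ignores lines it does not recognise, so unrelated commands do not break it.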

Just one clarification: we do not support 'url rewrite', but we can do redirect.

So, basically, your problem was that the SSL traffic was redirected by the server to HTTP.

The solution you have in place is to catch the HTTP traffic to redirect it to SSL.

The next ACE release, ACE 2.0, should support url rewrite to intercept the server response and rewrite the redirect to HTTP into a redirect to SSL.

Gilles.

Could you sniff the traffic and send me the result?

It should work with your new serverfarm.

Gilles.

Well, the reply above kind of set me in the right direction. I don't need to redirect all my traffic to HTTPS, since the links in the web server will specify HTTPS when needed.

What I did was to set up two different VIPs, one to match port 80 and the other to match port 443. Then I just created different actions for each in the CLIENT-VIPS policy-map. The 443 VIP has an SSL-PROXY action and the 80 VIP doesn't.

Is there a better way to do what I'm trying to accomplish? Is your original suggestion supposed to solve my requirements?

Let us know.

Thanks!

You indeed need 2 policies to do ssl termination and http.

But you can reuse the same serverfarm.

All you need is to make sure to specify the service port for each real, as the ssl function does not translate the port.

Gilles.

Gilles,

So if I understand what you're saying you'd have a serverfarm that looked like this:

serverfarm host CHCOM_443_Farm
  rserver CHCOM1 443
    inservice
  rserver CHCOM1 80
    inservice
  rserver CHCOM2 443
    inservice
  rserver CHCOM2 80
    inservice
  rserver CHCOM3 443
    inservice
  rserver CHCOM3 80
    inservice

If that's the case, and I'm using COOKIE INSERT for sticky, then I run the risk of my users switching servers depending on whether they're on port 80 or 443, right?

I need to be sure that my users remain on the same server when they switch from 80 to 443 or vice versa.

If you terminate ssl on the ACE module, you only talk HTTP [port 80] to the real server.

So you do not specify the rserver with port 443.

Only with port 80.

But you create 2 separate policies.

One for http.

One for ssl.

In both policies you use the same serverfarm.

For the ssl policy, you just have to also add the ssl server-policy to inform the module to terminate ssl.

Gilles.

Gilles,

I'm out of town right now and won't be able to try anything on the ACE for a week or so, but wanted to thank you for your response.

I'll give it a shot when I get back into the office.
