ACE SSL Pass

Answered Question
Feb 14th, 2008

Does the ACE allow HTTPS passthrough?

Here's what I've tried to do without success.

rserver host nuxi
  description TEST SERVER
  ip address 10.10.2.100
  probe ping-probe
  inservice

serverfarm host https-test
  description TEST SERVER FARM
  failaction purge
  predictor leastconns
  probe imap-probe
  rserver nuxi 443
    inservice

class-map match-all VIP-HTTPS
  2 match virtual-address 10.10.1.1 tcp eq 443

policy-map type loadbalance first-match HTTPS-POLICY
  class class-default
    serverfarm https-test

policy-map multi-match CLIENT-VIPS
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS-POLICY
    loadbalance vip icmp-reply active

Gilles Dufour Thu, 02/14/2008 - 12:34

Yes, ACE allows HTTPS to be load balanced without being terminated.

Get a sniffer trace to see what is going on.

Does HTTP work?

Gilles.

meckel Thu, 02/14/2008 - 14:05

Hi Gilles,

Yes, HTTP works. I had a trace but didn't save it. I thought perhaps it was a bug with the version we are running - 3.0(0)A1(5a).

We reverted everything back to an old LDA and are planning to try with the ACE again soon; this time with SSL termination though.

Since you say it should work, I'll schedule some time to try and make SSL pass through work on our next attempt. And save the trace.

Thanks,

Milo

Gilles Dufour Sun, 02/17/2008 - 04:55

The trace does not match the config you sent.

Can't find the same IP addresses.

In the trace, it is also clear the module is spoofing the HTTPS connection.

Not sure why.

So I would need a 'show tech' to confirm what is happening.

Also get 'show service-policy detail' before and after a connection attempt to see if you hit the right service-policy.

Gilles.

meckel Mon, 02/18/2008 - 07:44

Gilles,

Sorry about that. It's a production context and complex. Here is the relevant portion of the current config. The show tech is attached.

probe http sys-stat
  description WEB SERVER PROBE
  faildetect 2
  passdetect count 1
  receive 60
  request method get url /manager/html
  expect status 401 401

rserver host systemsStatus1-test
  description TEST SYSTEMS STATUS WEB SERVER
  ip address 134.114.6.149
  probe ping-probe
  inservice

rserver host systemsStatus2-test
  description TEST SYSTEMS STATUS WEB SERVER
  ip address 134.114.6.150
  probe ping-probe
  inservice

serverfarm host systemsStatus-test
  description TEST SYSTEMS STATUS WEB SERVER FARM
  failaction purge
  predictor leastconns
  probe sys-stat
  retcode 100 500 check count
  rserver systemsStatus1-test
    inservice
  rserver systemsStatus2-test
    inservice

sticky ip-netmask 255.255.255.255 address source GROUP_2_TEST
  timeout 480
  replicate sticky
  serverfarm systemsStatus-test

policy-map multi-match CLIENT-VIPS

class-map match-all VIP-SYSTAT-HTTP-TEST
  description system status test web server
  2 match virtual-address 134.114.6.148 any

!==========================

ace-its-a/PSOFT# sh service-policy CLIENT-VIPS detail | be VIP-SYSTAT-HTTP-TEST
  class: VIP-SYSTAT-HTTP-TEST
    VIP Address:    Port:
    134.114.6.148   any
    loadbalance:
      L7 loadbalance policy: SYSTAT-HTTP-POLICY-TEST
      VIP Route Metric     : 77
      VIP Route Advertise  : DISABLED
      VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
      VIP State: INSERVICE
      curr conns       : 0         , hit count        : 395
      dropped conns    : 379
      client pkt count : 1325      , client byte count: 109445
      server pkt count : 1357      , server byte count: 781489
    L7 Loadbalance policy : SYSTAT-HTTP-POLICY-TEST
      class/match : class-default
        LB action :
           -
        hit count        : 392
        dropped conns    : 376

Correct Answer
Gilles Dufour Mon, 02/18/2008 - 08:38

The problem is this line:

retcode 100 500 check count

Because of that, you need to use the serverfarm only for http as the ace module will interpret all traffic as http in order to detect the retcode.

Create another serverfarm and rule for https or remove the retcode line.

Gilles.
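The split Gilles recommends, written out as an added example (this is not config from the thread or from Cisco; the new names such as systemsStatus-http-test, systemsStatus-https-test, VIP-SYSTAT-HTTPS-TEST and the two loadbalance policy-maps are assumptions built from the names Milo posted). The retcode check stays on an HTTP-only serverfarm, where ACE has to parse the stream as HTTP anyway, while HTTPS goes to a second serverfarm with no retcode line, so the TLS stream is passed through at layer 4 instead of being spoofed and parsed as HTTP. The single "any"-port VIP class is split into one class per port so each protocol lands on the right policy:

```text
! HTTP serverfarm: keeps retcode, so ACE inspects these connections at L7
serverfarm host systemsStatus-http-test
  description TEST SYSTEMS STATUS WEB SERVER FARM (HTTP)
  failaction purge
  predictor leastconns
  probe sys-stat
  retcode 100 500 check count
  rserver systemsStatus1-test 80
    inservice
  rserver systemsStatus2-test 80
    inservice

! HTTPS serverfarm: no retcode line, so ACE does not try to read HTTP
! status codes out of the TLS stream (ping-probe instead of the HTTP
! probe, which would speak plaintext HTTP to port 443)
serverfarm host systemsStatus-https-test
  description TEST SYSTEMS STATUS WEB SERVER FARM (HTTPS passthrough)
  failaction purge
  predictor leastconns
  probe ping-probe
  rserver systemsStatus1-test 443
    inservice
  rserver systemsStatus2-test 443
    inservice

! Sticky group now points at the HTTP farm only (assumed name)
sticky ip-netmask 255.255.255.255 address source GROUP_2_TEST
  timeout 480
  replicate sticky
  serverfarm systemsStatus-http-test

! One VIP class per port instead of "match virtual-address ... any"
class-map match-all VIP-SYSTAT-HTTP-TEST
  description system status test web server (HTTP)
  2 match virtual-address 134.114.6.148 tcp eq 80

class-map match-all VIP-SYSTAT-HTTPS-TEST
  description system status test web server (HTTPS passthrough)
  2 match virtual-address 134.114.6.148 tcp eq 443

policy-map type loadbalance first-match SYSTAT-HTTP-POLICY-TEST
  class class-default
    serverfarm systemsStatus-http-test

policy-map type loadbalance first-match SYSTAT-HTTPS-POLICY-TEST
  class class-default
    serverfarm systemsStatus-https-test

policy-map multi-match CLIENT-VIPS
  class VIP-SYSTAT-HTTP-TEST
    loadbalance vip inservice
    loadbalance policy SYSTAT-HTTP-POLICY-TEST
    loadbalance vip icmp-reply active
  class VIP-SYSTAT-HTTPS-TEST
    loadbalance vip inservice
    loadbalance policy SYSTAT-HTTPS-POLICY-TEST
    loadbalance vip icmp-reply active
```

After applying a change like this, the same "show service-policy CLIENT-VIPS detail" that Gilles asked for, taken before and after a browser connects to port 443, should show the hit count rising on VIP-SYSTAT-HTTPS-TEST with its dropped conns staying flat; a dropped-conns counter that climbs in step with hit count, as in Milo's output above (379 drops for 395 hits), is the signature of HTTPS being fed into an L7 HTTP policy.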

meckel Mon, 02/18/2008 - 08:59

Gilles,

No Sh--!! Yup, removing that line from the serverfarm fixed it. That's a nice way to start a Monday!!

Thank you,

Milo
