ACE SSL Reverse Proxy for multiple URLs

Answered Question
Jan 14th, 2009

Hi,

I am trying to set up an ACE as a reverse proxy (one-arm mode) for HTTPS connections for multiple URLs to multiple serverfarms. From what I know, I have two options:

1. Use a different VIP for each URL and do L4 loadbalancing, or use a combination of IP address and port.

2. Use a different VIP for each URL, do SSL offloading and do L7 URL based loadbalancing.

So with these options I am bound to use different IPs for each site. Is there a way I can use one VIP and then offload SSL and do URL based loadbalancing? From my knowledge we are restricted by the nature of SSL. The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the problem is that the SSL session is a separate transaction that takes place before the HTTP session even starts, so there is no visibility of the HTTP header.

Any comments appreciated

George Georgiou

Correct Answer
Gilles Dufour Wed, 01/14/2009 - 01:15

George,

Your understanding is absolutely correct.

We need to know the site in order to decrypt the traffic because the certificate is associated with a domain name.

But without decrypting, we can't see the domain name.

So, the only way to know the domain without decrypting is to allocate a single IP to each domain.

There is no other solution.

Gilles.
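The ordering problem described in the question and answer above, as an added example (not code from the thread or from Cisco): Python's `ssl` module generates the first bytes a client sends, and a hypothetical `select_certificate` helper shows that only the destination VIP is available at the moment the certificate has to be chosen. It assumes, as the thread does, that the client puts no server name in its handshake; the VIPs and certificate file names are constructed.

```python
import ssl

# Constructed sample data: documentation-range VIPs and certificate file names.
CERT_BY_VIP = {
    "192.0.2.10": "www.site-a.example.pem",
    "192.0.2.11": "www.site-b.example.pem",
}


def first_client_flight() -> bytes:
    """Return everything a TLS client sends before the server has replied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # the handshake is never completed here,
    ctx.verify_mode = ssl.CERT_NONE  # only its opening bytes are captured
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing)  # assumption: no server name given
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # the client is now blocked, waiting for the server certificate
    return outgoing.read()


def describe_flight(data: bytes) -> dict:
    """Report what a proxy can learn from the client's first bytes."""
    record_type = data[0]     # TLS record header: type, version(2), length(2)
    handshake_type = data[5]  # first byte of the handshake message itself
    return {
        "is_handshake_record": record_type == 0x16,
        "is_client_hello": handshake_type == 0x01,
        "host_header_visible": b"Host:" in data,
    }


def select_certificate(dest_vip: str, flight: bytes) -> str:
    """Choose the certificate by destination IP, the only selector available."""
    if describe_flight(flight)["host_header_visible"]:
        raise ValueError("HTTP data seen before the TLS session was set up")
    return CERT_BY_VIP[dest_vip]


if __name__ == "__main__":
    flight = first_client_flight()
    print(describe_flight(flight))
    print(select_certificate("192.0.2.11", flight))
```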

g-georgiou Wed, 01/14/2009 - 03:35

Hi Gilles,

Thank you for your always prompt answer. You are always very helpful and accurate.

I guess maybe we could have that working only if using wildcard certificates.

Anyways, another 5 for you!!!

./G
