Insert https x-forwarded-for

Haiver Bermon
Level 1

Hello all,

I have an ACE 4700 and it is balancing a web application using TCP ports 80 (HTTP) and 443 (HTTPS). The ACE is configured in one-arm mode, which means the ACE NATs the client source IP address.

For a legal requirement, the web application must show the client source IP address in the web site, but with the one-arm configuration it only shows the ACE IP address.

With the following configuration I can insert the client source IP address into the HTTP packet:

!
policy-map type loadbalance first-match L7_LB_POLICY_SURA.COM.CO
  class class-default
    serverfarm sura.com.co
    insert-http X-Forwarded-For header-value "%is"
!

but that doesn't work with HTTPS (443).

How do I do this with HTTPS?

If I buy one of these licenses, can I do this?

ACE-AP-SSL-05K-K9
ACE-AP-SSL-07K-K9
ACE-AP-SSL-100-K9
ACE-AP-SSL-UP1-K9
ACE-AP-SSLUP-5K-K9

Thanks.

Haiver Bermon
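The ACE configuration above only gets the client address as far as the HTTP header; the web application still has to read it safely. The following is an added example, not part of the original post or of any Cisco ACE code, showing how the application side should consume the X-Forwarded-For header in this one-arm scenario. It assumes a constructed ACE NAT address of 192.0.2.10 (a placeholder, not from the thread) and constructed client addresses. Because the ACE source-NATs every connection, the server's TCP peer is always the ACE, so the header is the only place the real client address survives; the function trusts the header only when the TCP peer is the ACE, walks it from the right so a client-supplied value cannot override the one the balancer added, and falls back to the peer address when no header is present, which is exactly what the OP sees for HTTPS before SSL termination.

```python
import ipaddress
from typing import Iterable, Mapping

# Constructed lab values (placeholders, not taken from the original post):
# the ACE one-arm NAT address that the web server sees as its TCP peer.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr: str, trusted: Iterable) -> bool:
    """True if addr is a valid IP that belongs to one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(peer_addr: str, headers: Mapping[str, str], trusted=TRUSTED_PROXIES) -> str:
    """Return the address the application should log as the client.

    - If the TCP peer is not a trusted proxy, the request did not come through
      the load balancer, so any X-Forwarded-For it carries is untrusted and the
      peer address itself is the client.
    - If the peer is the ACE but no header is present (HTTPS that was not
      terminated on the ACE, or HTTP without the insert-http action), only the
      NAT address is known, which is the symptom described in the thread.
    - Otherwise walk the header from the right, the end a proxy appends to,
      and return the first address that is not a trusted proxy.
    """
    if not _is_trusted(peer_addr, trusted):
        return peer_addr

    # Header names are case-insensitive; accept whatever casing the framework used.
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if not xff:
        return peer_addr

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue  # an intermediate proxy we own, keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed value: do not log attacker-controlled text
        return hop
    return peer_addr


if __name__ == "__main__":
    # Constructed requests as the web server would see them behind the ACE.
    samples = [
        ("HTTP via ACE, header inserted", "192.0.2.10", {"X-Forwarded-For": "203.0.113.7"}),
        ("HTTPS via ACE, no SSL termination", "192.0.2.10", {}),
        ("client-supplied value ahead of the ACE's", "192.0.2.10",
         {"x-forwarded-for": "198.51.100.99, 203.0.113.7"}),
        ("direct to server, spoofed header", "203.0.113.7", {"X-Forwarded-For": "198.51.100.99"}),
    ]
    for label, peer, hdrs in samples:
        print(f"{label:45s} -> {client_ip(peer, hdrs)}")
```

The right-to-left walk is what makes the legal logging requirement hold up: the only value the server can vouch for is the one appended by a proxy it trusts, and that is the right-most untrusted address, never the left-most one.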


10 Replies

jason.espino
Level 1

Hello Haiver,

The X-Forwarded-For option appends the client IP within the HTTP header of the packet.  HTTPS will not work if you are not performing SSL acceleration as the inbound HTTPS packets are encrypted. You will need one of the SSL licenses on the ACE to perform SSL acceleration and have the load balancer insert the X-Forwarded-For value within the decrypted HTTPS traffic.

Regards,

Jason

Thanks very much Jason, do you know which SSL licenses I have to use?

Hello Haiver,

Any of the following licenses should work:

ACE-AP-SSL-05K-K9 ---- SSL 5,000 TPS License

ACE-AP-SSL-7K-K9 ---- SSL 7,500 TPS License

You will not require an "UP" SSL license as you are not upgrading from an existing license.

Regards,

Jason

The ACE that you have should have some SSL TPS from the base license. You can check here based on the model that you purchased and then what is installed.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/release/note/RACEA3X.html#wp248237

Hello Eric, Jason, thanks.

I checked the URL and my ACE has 100 SSL TPS by default. Do you know how to configure a policy to do this? I want to test it in a lab context; if it works I'll buy the license for 5000 TPS.

Hi,

you don't need to buy any license.

By default the ACE can do SSL offload (1000 transactions per second). This means that the HTTPS session is terminated at the ACE (and no longer at the server).

Take a look at following example on how to configure ssl offload:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml

HTH,
Dario

Hello, everybody, thanks for help.

I tested a configuration in a lab context and it works. I used the examples that I found in this URL: http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples

I have a final question. How does this configuration impact the ACE CPU? Today the ACE has 2000 connections and the CPU level is 2%.

akhil.abrol
Level 1

I have somewhat the same scenario.

I offloaded the SSL on the ACE to insert the client IP in the HTTP, then encrypted the HTTP again, which is offloaded on the server. But it is not working. Is this a wrong approach?

Hi Akhil

It should work. There is no limitation that this traffic can't be encrypted again. So if you decrypted and then inserted the header properly, it should work.

If your config looks OK, the best way to troubleshoot is just to perform a capture and then decrypt it with the private key of the server.

I guess it'd be better if you open a new topic for your issue just not to continue some old closed topics.
