Passing port state through ACE

Answered Question
Jul 7th, 2010

We are currently using the ACE to load balance our front end web servers, and they are performing SSL termination.  So currently the SSL connection terminates on the ACE, and the ACE talks HTTP to the back end server. 


I would like to know if there is a way that the ACE can send information regarding the original port state to the backend web server. For example, someone goes to https://www.mydomain.com and the ACE talks to the web server on HTTP, but tells the web server that the original connection request was an HTTPS connection.

When using Apache as a webserver there are two ways of doing this.


1. Only 1 site hosted


Forward on the load-balanced HTTP requests to port 81 so they are separated from the original HTTP requests by port. In Apache this only works if there is a single site hosted.


serverfarm host http-www.somesite.com-sf
  predictor leastconns
  probe http-www.somesite.com-probe
  rserver Server1
    inservice
  rserver Server2
    inservice


serverfarm host https-www.somesite.com-sf
  predictor leastconns
  probe https-www.somesite.com-probe
  rserver Server1 81
    inservice
  rserver Server2 81
    inservice


2. Multiple virtual hosts on the same webserver.


Due to the way Apache matches virtual hosts with the first listening port/host header, you need to ask the ACE module to insert a new HTTP header that can be picked up by the web server to tell it that the original request was an HTTPS request.


Example.


serverfarm host https-www.somesite.com-sf
  predictor leastconns
  probe https-www.somesite.com-probe
  rserver Server1 81
    inservice
  rserver Server2 81
    inservice


policy-map type loadbalance first-match https-www.somesite.com-pm
  class class-default
    serverfarm https-www.somesite.com-sf
    insert-http SSL-Notify header-value "1"


Now all requests originating as HTTPS will have an extra HTTP header called SSL-Notify with a value of 1, which can be picked up by the web server.




Also don't forget to configure SSL-Rewrite to rewrite the Location field of any HTTP 30x redirect messages being passed back to the client.



Hope that helps.

Overall Rating: 5 (1 ratings)
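
How the Apache side of option 2 could consume the inserted header, as an added example that is not part of the original answer. It assumes the ACE delivers decrypted HTTPS traffic to port 81 with SSL-Notify set to 1 as configured above, that port 81 is reachable only from the ACE, and that mod_setenvif and mod_headers are loaded; the DocumentRoot paths and the second site name are placeholders.

```apache
# Added example (not from the original answer). Assumed: Apache 2.2-style
# name-based virtual hosts, mod_setenvif and mod_headers loaded, and port 81
# firewalled so that only the ACE can connect to it.
# (NameVirtualHost is not needed on Apache 2.4 and later.)
Listen 80
Listen 81
NameVirtualHost *:80
NameVirtualHost *:81

# Decrypted HTTPS traffic from serverfarm https-www.somesite.com-sf.
<VirtualHost *:81>
    ServerName www.somesite.com
    # Placeholder path.
    DocumentRoot "/var/www/somesite"
    # The ACE inserted "SSL-Notify: 1", so mark the request as HTTPS for
    # applications that read the HTTPS environment variable.
    SetEnvIf SSL-Notify "^1$" HTTPS=on
</VirtualHost>

# A second site on the same server (placeholder name) needs the same line,
# because the SetEnvIf is deliberately kept out of the global server config.
<VirtualHost *:81>
    ServerName www.othersite.example
    DocumentRoot "/var/www/othersite"
    SetEnvIf SSL-Notify "^1$" HTTPS=on
</VirtualHost>

# Plain HTTP traffic from serverfarm http-www.somesite.com-sf.
<VirtualHost *:80>
    ServerName www.somesite.com
    DocumentRoot "/var/www/somesite"
    # The ACE does not insert SSL-Notify on this path, so any copy that
    # arrives here was set by the client: drop it before anything reads it.
    RequestHeader unset SSL-Notify early
</VirtualHost>
```

The header is only trusted inside the port 81 virtual hosts, so the backend's view of "this request was HTTPS" depends on the ACE and not on anything the client sends.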