New Member

ACE 4710 - SSL config questions

Currently migrating over from our CSS to the new ACE, and I have a few questions re: SSL certs and VIPs.

All of our inbound SSL connections terminate on the CSS and redirect a backend HTTP request to an internal server.

Right now we URL-match on the incoming header to determine which server to send it to, and we have 2 flavours of inbound headers.

one is an English URL: test.english.ca

one is a French URL: test.french.ca

I have wildcard SSL certs *.english.ca and *.french.ca, and because of this on the CSS I end up having to use 2 VIPs, one for English and one for French, as I can't specify 2 certs for one VIP.

Is there any way around this on the ACE?

Any help would be appreciated.

Cheers


Dave

7 REPLIES
New Member

ACE 4710 - SSL config questions

I think this is what you are asking for. It will terminate SSL, translate to port 80, and send URL test.english.ca to one serverfarm and test.french.ca to another serverfarm.

class-map type http loadbalance match-all url1
  match http url /test.french.ca/.*

class-map type http loadbalance match-all url2
  match http url /test.english.ca/.*

class-map match-all EXAMPLE_L4
  2 match virtual-address 17.170.239.252 tcp eq https

serverfarm host Serverfarm1
  rserver Server1 80
    inservice
  rserver Server2 80
    inservice

serverfarm host Serverfarm2
  rserver Server3 80
    inservice
  rserver Server4 80
    inservice

ssl-proxy service SSLWILDCARDCERT
  key key.key
  cert cert.cert

policy-map type loadbalance first-match EXAMPLE_L7
  class url1
    serverfarm Serverfarm1
  class url2
    serverfarm Serverfarm2

policy-map multi-match VIPS
  class EXAMPLE_L4
    loadbalance vip inservice
    loadbalance policy EXAMPLE_L7
    loadbalance vip icmp-reply active
    ssl-proxy server SSLWILDCARDCERT

Silver

ACE 4710 - SSL config questions

I guess he wants to look to the pattern in the Host field of the http header embedded in HTTPS; not into the URL.

Bronze

ACE 4710 - SSL config questions

Hi Dave,

If I understand your question correctly, the answer is no. You can't have two certificates associated with the same VIP address.

The SSL handshake goes first, and once the traffic is decrypted the ACE can look at the HTTP headers. At that moment you can use an L7 match to choose where to send the request depending on the URI, Host header, etc.

-------------------------
Cesar R
ANS Team
Silver

ACE 4710 - SSL config questions

Hello.

Is there any plan to support SNI in the roadmap to overcome this limitation?

Cisco Employee

ACE 4710 - SSL config questions

Hi Dave,

From the description it appears that you are trying to bind multiple certs to one VIP. On the ACE you can't specify 2 certs for one VIP. You can use different combinations of port for the same VIP, which will work for you. In a real-world situation this may not be feasible.

The point is how the ACE will decide what cert to give to the client, as the ACE does not know which website the user is requesting. Remember, the SSL handshake happens first and then the HTTP request comes into the picture. So there is no way for the ACE to decide what certificate to give to the client. That's the reason it is always recommended to use two VIPs.

In your case, since you are using two different wildcard certs, you have to go with two VIPs again, or the same VIP with different port combinations.

regards,
Ajay Kumar

New Member

ACE 4710 - SSL config questions

Thanks everyone for the answers... The CSS has the same limitation and I was hoping that had changed with the ACE.

Was trying to pull back a couple of public IPs....

Thanks again.

Cheers


Dave

Silver

Re: ACE 4710 - SSL config questions

http://en.wikipedia.org/wiki/Server_Name_Indication#How_SNI_fixes_the_problem

In all cases the browser has to support SNI.

For generic cases: use a wildcard cert if all the sites are hosted under the same domain, or multiple VIPs or ports to host different virtual servers.
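To make concrete what the replies describe (without SNI the terminator sees no hostname until after the handshake, so it cannot choose between the *.english.ca and *.french.ca certificates), here is an added Python example that is not part of this thread or of any Cisco product. It builds a constructed, minimal TLS 1.2 ClientHello with and without the server_name extension and parses the name back out of the raw record, which is exactly the information an SNI-capable terminator has at certificate-selection time.

```python
import struct
from typing import Optional


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed minimal ClientHello record (not captured traffic).

    Only enough structure for the parser below; not a negotiable handshake."""
    body = b"\x03\x03" + b"\x00" * 32          # client_version 1.2, random (zeroed, constructed)
    body += b"\x00"                              # session_id length 0
    body += b"\x00\x02\xc0\x2f"                  # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                          # compression methods: null only
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        ext = struct.pack("!HH", 0, len(sni)) + sni              # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body       # handshake type client_hello(1), 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in a ClientHello's server_name extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                   # handshake header, client_version, random
    sid_len = hs[p]; p += 1 + sid_len                # session_id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + cs_len   # cipher_suites
    comp_len = hs[p]; p += 1 + comp_len              # compression_methods
    if p >= len(hs):
        return None                                  # legacy client: no extensions block at all
    ext_total = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = p + ext_total
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4]); p += 4
        data = hs[p:p + ext_len]; p += ext_len
        if ext_type == 0:                            # server_name
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                if name_type == 0:                   # host_name
                    return data[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
    return None
```

A terminator that reads the name this way can pick the matching wildcard certificate before sending its ServerHello; a client that omits the extension (the None case) leaves it with only a default certificate, which is why every reply in the thread lands on separate VIPs or ports when SNI is unavailable.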
