Bronze

ACE: Multiple vHost with SSL in a single context?

Just had a conversation with our application team. They are thinking/planning about moving a construct of approximately 10+ real servers that host around 70+ vhosts to a single ACE context.

So far we only configured 1:1 relations in terms of context to ssl proxy.

Questions:

    1. Is it possible to ssl-terminate multiple websites with multiple certificates in one context?
    2. Do you have to distinguish those different vhosts (websites) and the related SSL traffic through separate SSL proxy services?
    3. If you have to use separate ssl proxies, is it sufficient to bind them via different class maps into one single (multi match) policy map?
    4. What would be the best practice approach for this scenario?

Thanks for reading

Roble

1 ACCEPTED SOLUTION

Silver

Re: ACE: Multiple vHost with SSL in a single context?

Hi,

If your server certificates have a common CA chain (or no CA chain) then the limit of 8 doesn't apply. AFAIK except for the general resource limits there are no restrictions on the number of SSL proxy servers per context.

Kind Regards

Cathy

4 REPLIES
Silver

Re: ACE: Multiple vHost with SSL in a single context?

Hi,

1. Yes - but there are limitations. Each context can only support 8 chaingroups. The SSL proxy server references the certificate and the chain group so I suspect you're likely to hit a limit unless most of the websites have a common chain.  Each webserver will need its own Proxy server definition unless you use a wildcard certificate. It really depends on what you're hosting.

2. As above - yes unless you can use a wildcard certificate.

3. Works for me.

4. Not sure - it really depends on the exact requirements for the websites.

HTH

Cathy
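
For reference, the layout discussed in questions 2 and 3 could look like the following sketch. This is an added example, not configuration posted by anyone in the thread: all object names, file names, addresses and the VLAN number are constructed placeholders, each site is assumed to have its own VIP address, and lines beginning with `!` are annotations for the reader rather than commands.

```cisco
! Constructed example: every name, file and address here is a placeholder.
! One chaingroup shared by all sites whose certificates have the same CA
! chain, so it counts once against the per-context chaingroup limit.
crypto chaingroup CHAIN_SHARED
  cert intermediate-ca.pem

! One SSL proxy service per site certificate.
ssl-proxy service SSL_SITE_A
  key site-a.key
  cert site-a.pem
  chaingroup CHAIN_SHARED
ssl-proxy service SSL_SITE_B
  key site-b.key
  cert site-b.pem
  chaingroup CHAIN_SHARED

! Backend servers receive clear text after SSL termination on the ACE.
rserver host WEB1
  ip address 10.0.0.11
  inservice
serverfarm host SF_WEB
  rserver WEB1 80
    inservice

! One class map per VIP (one VIP per site certificate).
class-map match-all VIP_SITE_A
  2 match virtual-address 192.0.2.10 tcp eq https
class-map match-all VIP_SITE_B
  2 match virtual-address 192.0.2.11 tcp eq https

policy-map type loadbalance first-match LB_WEB
  class class-default
    serverfarm SF_WEB

! A single multi-match policy binds each class map to its own SSL proxy.
policy-map multi-match CLIENT_VIPS
  class VIP_SITE_A
    loadbalance vip inservice
    loadbalance policy LB_WEB
    ssl-proxy server SSL_SITE_A
  class VIP_SITE_B
    loadbalance vip inservice
    loadbalance policy LB_WEB
    ssl-proxy server SSL_SITE_B

interface vlan 100
  service-policy input CLIENT_VIPS
  no shutdown
```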

Bronze

Re: ACE: Multiple vHost with SSL in a single context?

Hey Cathy,

thanks for the quick answer.

When I am talking about multiple certificates I am not talking about intermediate certificates and therefore chaingroups. So if I stick to a single certificate which can be verified by a known root cert the limit shouldn't apply.

Does the limit of 8 chaingroups also apply to proxy services?

The resource overview on the following link only mentions a total limit of 3800 certs.

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide,_Release_A2%28x%29_--_ACE_Module_Resource_Limits

Thanks for reading

Roble

Bronze

Re: ACE: Multiple vHost with SSL in a single context?

Thanks!
