Solved: Re: Passing port state through ACE

networker99 · ‎07-07-2010

We are currently using the ACE to load balance our front end web servers, and they are performing SSL termination. So currently the SSL connection terminates on the ACE, and the ACE talks HTTP to the back end server.

I would like to know if there is a way that the ACE can send information regarding the original port state to the backend web server, so for example someone goes to https://www.mydomain.com and the ACE talks to the web server on http, but tells the web server that the original connection request was an https connection

david.stout · ‎07-07-2010

When using Apache as a webserver there are two ways of doing this.

1. Only 1 site hosted

Forward on the loadbalanced http requests to port 81 so separate from the original http requests by port. In Apache this only works if there is a single site hosted.

serverfarm host http-www.somesite.com-sf
predictor leastconns
probe http-www.somesite.com-probe
rserver Server1
inservice
rserver Server2
inservice

serverfarm host https-www.somesite.com-sf
predictor leastconns
probe https-www.somesite.com-probe
rserver Server1 81
inservice
rserver Server2 81
inservice

2. Multiple virtual hosts on the same webserver.

Due to the way Apache matches virtual hosts with the first listening port/host header you need to ask the ACE module to insert a new HTTP-Header that can be picked up by the web server to tell it that the original request was a HTTPS request.

Example.

serverfarm host https-www.somesite.com-sf
predictor leastconns
probe https-www.somesite.com-probe
rserver Server1 81
inservice
rserver Server2 81
inservice

policy-map type loadbalance first-match https-www.somesite.com-pm
class class-default
serverfarm https-www.somesite.com-sf
insert-http SSL-Notify header-value "1"

Now all requests originating as HTTPS will have an extra HTTP Header called SSL-Notify with a value of 1 which can be picked up by the web server.

Also don't forget to configure SSL-Rewrite to rewrite the location feild of any HTTP 30x redirect messages being passed back to the client.

Hope that helps.

View solution in original post

david.stout · ‎07-07-2010

When using Apache as a webserver there are two ways of doing this.

1. Only 1 site hosted

Forward on the loadbalanced http requests to port 81 so separate from the original http requests by port. In Apache this only works if there is a single site hosted.

serverfarm host http-www.somesite.com-sf
predictor leastconns
probe http-www.somesite.com-probe
rserver Server1
inservice
rserver Server2
inservice

serverfarm host https-www.somesite.com-sf
predictor leastconns
probe https-www.somesite.com-probe
rserver Server1 81
inservice
rserver Server2 81
inservice

2. Multiple virtual hosts on the same webserver.

Due to the way Apache matches virtual hosts with the first listening port/host header you need to ask the ACE module to insert a new HTTP-Header that can be picked up by the web server to tell it that the original request was a HTTPS request.

Example.

serverfarm host https-www.somesite.com-sf
predictor leastconns
probe https-www.somesite.com-probe
rserver Server1 81
inservice
rserver Server2 81
inservice

policy-map type loadbalance first-match https-www.somesite.com-pm
class class-default
serverfarm https-www.somesite.com-sf
insert-http SSL-Notify header-value "1"

Now all requests originating as HTTPS will have an extra HTTP Header called SSL-Notify with a value of 1 which can be picked up by the web server.

Also don't forget to configure SSL-Rewrite to rewrite the location feild of any HTTP 30x redirect messages being passed back to the client.

Hope that helps.