07-07-2010 05:27 AM
We are currently using the ACE to load balance our front end web servers, and they are performing SSL termination. So currently the SSL connection terminates on the ACE, and the ACE talks HTTP to the back end server.
I would like to know if there is a way that the ACE can send information regarding the original port state to the backend web server, so for example someone goes to https://www.mydomain.com and the ACE talks to the web server on http, but tells the web server that the original connection request was an https connection.
07-07-2010 08:30 AM
When using Apache as a webserver there are two ways of doing this.
1. Only 1 site hosted
Forward the load-balanced HTTP requests to port 81 so they are separate from the original HTTP requests by port. In Apache this only works if there is a single site hosted.
serverfarm host http-www.somesite.com-sf
  predictor leastconns
  probe http-www.somesite.com-probe
  rserver Server1
    inservice
  rserver Server2
    inservice

serverfarm host https-www.somesite.com-sf
  predictor leastconns
  probe https-www.somesite.com-probe
  rserver Server1 81
    inservice
  rserver Server2 81
    inservice
2. Multiple virtual hosts on the same webserver.
Due to the way Apache matches virtual hosts with the first listening port/host header, you need to ask the ACE module to insert a new HTTP header that can be picked up by the web server to tell it that the original request was an HTTPS request.
Example.
serverfarm host https-www.somesite.com-sf
  predictor leastconns
  probe https-www.somesite.com-probe
  rserver Server1 81
    inservice
  rserver Server2 81
    inservice

policy-map type loadbalance first-match https-www.somesite.com-pm
  class class-default
    serverfarm https-www.somesite.com-sf
    insert-http SSL-Notify header-value "1"
Now all requests originating as HTTPS will have an extra HTTP Header called SSL-Notify with a value of 1 which can be picked up by the web server.
Also don't forget to configure SSL-Rewrite to rewrite the location field of any HTTP 30x redirect messages being passed back to the client.
Hope that helps.
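An added example, not part of the original reply: one way the Apache side could consume the SSL-Notify header from option 2 while ignoring a copy of that header sent by a client over plain HTTP. It assumes mod_setenvif and mod_headers are loaded, that port 81 is reachable only through the ACE, and uses placeholder values for the document root.

```apache
# Added example, not from the original thread.
# Assumptions: mod_setenvif and mod_headers are loaded; the DocumentRoot
# path is a placeholder; port 81 is reachable only from the ACE (enforce
# this with a network ACL, since Apache may see the real client IP).

Listen 80
Listen 81

# Port 80 receives the plain-HTTP serverfarm. The ACE policy above does not
# insert SSL-Notify on this path, so any SSL-Notify header seen here was
# supplied by the client. Remove it before the application can read it.
<VirtualHost *:80>
    ServerName www.somesite.com
    DocumentRoot /var/www/somesite

    RequestHeader unset SSL-Notify early
</VirtualHost>

# Port 81 receives only what the https serverfarm on the ACE forwards.
<VirtualHost *:81>
    ServerName www.somesite.com
    DocumentRoot /var/www/somesite

    # Treat the request as HTTPS only when the ACE marker has the exact
    # value configured in the policy-map (header-value "1").
    SetEnvIf SSL-Notify "^1$" HTTPS=on

    # Applications (CGI, PHP and similar) can now test the HTTPS
    # environment variable instead of parsing the header themselves.
</VirtualHost>
```

The application should key on the HTTPS environment variable set in the port 81 virtual host, not on the raw header, so that the trust decision stays in one place.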