
New Member

SSL Termination

Hi,

I have 2 web servers that work fine when I access them over HTTP, but when I activate SSL termination, I get an "application/octet-stream" download prompt when using Firefox.

In IE it gives me 4 little boxes and a P in the corner of the page.

I'm using an ACE blade in a 6509.

Any ideas?

Regards

Stephane

10 REPLIES
Cisco Employee

Re: SSL Termination

Make sure you specify the destination server port to be 80 in your serverfarm, as the ACE module will not translate 443 to 80 by itself.

Gilles.

New Member

Re: SSL Termination

I seem to be having the exact same problem. I originally had a serverfarm that looked like this:

serverfarm host CHCOM_Farm
  rserver CHCOM1
    inservice
  rserver CHCOM2
    inservice
  rserver CHCOM3
    inservice

It was working fine before I added the SSL Termination configuration. I didn't see anything in any examples to have the server farm specify port 80, but after I saw your post I reconfigured my farm to look like this:

serverfarm host CHCOM_Farm
  rserver CHCOM1 80
    inservice
  rserver CHCOM2 80
    inservice
  rserver CHCOM3 80
    inservice

I still get the response in the browser, though.

New Member

Re: SSL Termination

After calling the TAC, I found out that the ACE does not support url-redirect in the present IOS. So here is the solution to my problem:

My normal server farm:

serverfarm host NORMAL
  rserver server1 80
    inservice
  rserver server2 80
    inservice

Make an rserver to redirect:

rserver redirect R2
  webhost-redirection https://%h/%p 302
  inservice

Then make a redirect serverfarm:

serverfarm redirect REDIRECT
  rserver R2
    inservice

Then suppose I have 2 VIPs: one for traffic that comes in on www that I want redirected to https, and one for traffic that comes in on https.

class-map match-all vip10
  10 match virtual-address 10.10.10.1 tcp eq www

class-map match-all vip20
  10 match virtual-address 10.10.10.1 tcp eq https

I make a policy for the redirect:

policy-map type loadbalance first-match REDIRECT-LOGIC
  class class-default
    serverfarm REDIRECT

I make a policy for load balancing to the reals to handle https:

policy-map type loadbalance first-match lb-logic
  class class-default
    serverfarm NORMAL

Then I have a multi-match for my ingress VLAN:

policy-map multi-match client-vips
  class vip10
    loadbalance vip inservice
    loadbalance policy REDIRECT-LOGIC
  class vip20
    loadbalance vip inservice
    loadbalance policy lb-logic
    ssl-proxy server xxxx

Cisco Employee

Re: SSL Termination

Just one clarification: we do not support 'url rewrite', but we can do redirect.

So, basically, your problem was that the SSL traffic was redirected by the server to HTTP.

The solution you have in place is to catch the HTTP traffic and redirect it to SSL.

The next ACE release, ACE 2.0, should support url rewrite to intercept the server response and rewrite the redirect to HTTP into a redirect to SSL.

Gilles.

Cisco Employee

Re: SSL Termination

Could you sniff the traffic and send me the result?

It should work with your new serverfarm.

Gilles.

New Member

Re: SSL Termination

Well, the reply above kind of set me in the right direction. I don't need to redirect all my traffic to HTTPS, since the links in the web server will specify HTTPS when needed.

What I did was to set up two different VIPs, one to match port 80 and the other to match port 443. Then I just created different actions for each in the CLIENT-VIPS policy-map. The 443 VIP has an SSL-PROXY action and the 80 VIP doesn't.

Is there a better way to do what I'm trying to accomplish? Is your original suggestion supposed to solve my requirements?

Let us know.

Thanks!

Cisco Employee

Re: SSL Termination

You indeed need 2 policies to do SSL termination and HTTP.

But you can reuse the same serverfarm.

All you need is to make sure to specify the service port for each real, as the SSL function does not translate ports.

Gilles.

New Member

Re: SSL Termination

Gilles,

So if I understand what you're saying you'd have a serverfarm that looked like this:

serverfarm host CHCOM_443_Farm
  rserver CHCOM1 443
    inservice
  rserver CHCOM1 80
    inservice
  rserver CHCOM2 443
    inservice
  rserver CHCOM2 80
    inservice
  rserver CHCOM3 443
    inservice
  rserver CHCOM3 80
    inservice

If that's the case, and I'm using COOKIE INSERT for sticky, then I run the risk of my users switching servers depending on whether they're on port 80 or 443, right?

I need to be sure that my users remain on the same server when they switch from 80 to 443 or vice versa.

Cisco Employee

Re: SSL Termination

If you terminate SSL on the ACE module, you only talk HTTP [port 80] to the real server.

So you do not specify the rserver with port 443.

Only with port 80.

But you create 2 separate policies.

One for HTTP.

One for SSL.

In both policies you use the same serverfarm.

For the SSL policy, you just also have to add the ssl server-policy to inform the module to terminate SSL.

Gilles.
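A small check for the two mistakes this thread turns up, added here as an example and not taken from the thread or from Cisco: an rserver with no explicit port in a farm used by an SSL-terminating VIP (the ACE will not translate 443 to 80), and a multi-match class that references a loadbalance policy under a name that was never defined (REDIRECT_LOGIC versus REDIRECT-LOGIC). The sample config is constructed from the snippets posted above; the parser only understands the handful of ACE statements the thread uses.

```python
# Added example: constructed ACE config modelled on the snippets posted in this thread.
SAMPLE_CONFIG = """
serverfarm host CHCOM_Farm
 rserver CHCOM1 80
 rserver CHCOM2
policy-map type loadbalance first-match REDIRECT-LOGIC
 serverfarm REDIRECT
policy-map type loadbalance first-match lb-logic
 serverfarm CHCOM_Farm
policy-map multi-match client-vips
 class vip10
  loadbalance policy REDIRECT_LOGIC
 class vip20
  loadbalance policy lb-logic
  ssl-proxy server xxxx
"""

def parse_ace(text):
    farms, lb, mm, ctx = {}, {}, {}, None  # host farms, lb policies, multi-match classes
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[:2] == ["serverfarm", "host"]:
            ctx, farms[w[2]] = ("farm", w[2]), []
        elif w[:4] == ["policy-map", "type", "loadbalance", "first-match"]:
            ctx, lb[w[4]] = ("lb", w[4]), None
        elif w[:2] == ["policy-map", "multi-match"]:
            ctx = ("mm", None)
        elif ctx and ctx[0] == "farm" and w[0] == "rserver" and w[1] not in ("host", "redirect"):
            farms[ctx[1]].append((w[1], w[2] if len(w) > 2 else None))  # None: no port given
        elif ctx and ctx[0] == "lb" and w[0] == "serverfarm" and len(w) == 2:
            lb[ctx[1]] = w[1]
        elif ctx and ctx[0] == "mm" and w[0] == "class":
            ctx, mm[w[1]] = ("mm", w[1]), {"policy": None, "ssl": False}
        elif ctx and ctx[0] == "mm" and ctx[1] and w[:2] == ["loadbalance", "policy"]:
            mm[ctx[1]]["policy"] = w[2]
        elif ctx and ctx[0] == "mm" and ctx[1] and w[:2] == ["ssl-proxy", "server"]:
            mm[ctx[1]]["ssl"] = True
        elif w[0] in ("serverfarm", "rserver", "class-map", "policy-map"):
            ctx = None  # some other top-level object; stop attributing its lines
    return farms, lb, mm

def lint(text):
    (farms, lb, mm), out = parse_ace(text), []
    for cls, c in mm.items():
        if c["policy"] not in lb:
            out.append(f"class {cls}: loadbalance policy {c['policy']!r} is not defined")
        elif c["ssl"] and lb[c["policy"]] in farms:
            for name, port in farms[lb[c["policy"]]]:
                if port is None:  # ACE will not translate 443 to 80 by itself
                    out.append(f"class {cls}: rserver {name} in {lb[c['policy']]} needs an explicit port")
    return out
```

Running lint(SAMPLE_CONFIG) reports both problems; once the policy name is spelled consistently and CHCOM2 gets port 80, it returns an empty list.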

New Member

Re: SSL Termination

Gilles,

I'm out of town right now and won't be able to try anything on the ACE for a week or so, but wanted to thank you for your response.

I'll give it a shot when I get back into the office.
