HTTP/HTTPS on the same ACE VIP - best practice

I currently have a VIP representing one server farm that contains two http servers:-
class-map match-all VIP-HTTP-xxxxx.co.uk
  2 match virtual-address 10.79.18.10 tcp eq www
class-map match-all VIP-SSL-xxxxx.co.uk
  2 match virtual-address 10.79.18.10 tcp eq https
I have port 80 and 443 open on the VIP and SSL termination performed on the ACE (both http servers are the same and configured for default load balancing behaviour - I've also specified port 80 for ACE to server traffic). Having 80 and 443 on the same VIP (meaning the site can be accessed via one NAT'd external IP) came from a request from the business so the site can have one domain.
The majority of the http server(s) web content is standard http but there is a specific sub-directory of interactive forms that requires https termination.
I have a couple of queries with regards to URL re-writes:-
1) Is the SSL URL re-write functionality limited to just the host part of the URL or can the ACE enforce https for specific sub-directories, i.e. can the ACE intercept and re-write a URL if a user tries to go to a particular https page/directory using http (by just deleting the s from the URL within their browser)? A possible example being:-
ssl url rewrite location "www\.cisco\.com\secure-forms"
2) Can the ACE re-direct users back to a standard http page if they try to 'secure' their session by changing http to https within their browser (basically the opposite of the above).
Basically as I have 80 and 443 on the same VIP I'm interested in the best practice methods of enforcing http and https content segregation using just the ACE (as opposed to having Apache doing the re-writes, etc).
Web services functionality (in terms of SSL and URL re-writes) has traditionally fallen within the domain of a dedicated web development team (who use Apache, Tomcat, etc.) but the introduction of the ACE as a load balancing appliance that is primarily managed by the networks team but with functionality that crosses traditional team boundaries has resulted in lots of questions from web development around what functionality can be moved from Apache, etc. and onto the ACE?
Any advice or personal experiences would be gratefully received.
Thanks
Matthew

Back again!
Could someone possibly cast their eye over the following config?
The only bit I'm not sure on (syntactically and whether it can even be done on the ACE) is how to specify a DO NOT match regular expression, i.e. how to capture https URLs that do not match my secure pages so I can re-direct the request back to the normal http URL (class-map type http loadbalance Non-Secure_Pages). What I'd like to avoid is re-directing requests that don't need to be, i.e. re-directing all requests that don't match /secure back to http when the majority will be correctly going to a normal http URL :-
rserver host server1
  description *** HTTP server 1 ***
  ip address 10.100.194.2
  inservice
rserver host server2
  description *** HTTP server 2 ***
  ip address 10.100.194.3
  inservice
rserver redirect REDIRECT_TO_HTTPS
  webhost-redirection https://www.website.co.uk/%p 302
  inservice
rserver redirect REDIRECT_TO_HTTP
  webhost-redirection http://www.website.co.uk/%p 302
  inservice
class-map type http loadbalance Secure_Pages
  match http url /secure.*
class-map type http loadbalance Non-Secure_Pages
  *** DO NOT *** match http url /secure.*
class-map match-all VIP-HTTP-website.co.uk
  2 match virtual-address 10.79.18.10 tcp eq www
class-map match-all VIP-SSL-website.co.uk
  2 match virtual-address 10.79.18.10 tcp eq https
policy-map type loadbalance first-match VIP-LB-HTTP-website.co.uk
  class Secure_Pages
    serverfarm REDIRECT_TO_HTTPS
  class class-default
    serverfarm serverfarm-website.co.uk
policy-map type loadbalance first-match VIP-LB-SSL-website.co.uk
  class Non-Secure_Pages
    serverfarm REDIRECT_TO_HTTP
  class class-default
    serverfarm serverfarm-website.co.uk
serverfarm host serverfarm-website.co.uk
  failaction purge
  rserver server1 80
    probe PING_SERVER
    probe http-website.co.uk
    inservice
  rserver server2 80
    probe PING_SERVER
    probe http-website.co.uk
    inservice
serverfarm redirect REDIRECT_TO_HTTPS
  rserver REDIRECT_TO_HTTPS
    inservice
serverfarm redirect REDIRECT_TO_HTTP
  rserver REDIRECT_TO_HTTP
    inservice
many thanks
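Editor's added example, covering both the original questions and the follow-up config above; it is not Matthew's configuration and not Cisco reference text. Two points it illustrates. First, ssl url rewrite location only rewrites the Location header of 3xx responses coming back from the real servers (http:// to https:// for hosts matching the expression), so it cannot force a particular sub-directory onto HTTPS; that job belongs to the http loadbalance class-maps. Second, a class-map type http loadbalance has no negated match, so "everything that is not /secure" is expressed by class ordering in a first-match policy-map: the explicit class is listed first and class-default catches the rest. Because only the port-443 policy contains the redirect-to-HTTP action, plain HTTP requests that never touch /secure are not redirected at all. Names and addresses follow the thread; the tighter /secure/.* expression is an assumption (it matches only the /secure/ sub-tree rather than any path beginning with "secure").

```cisco
! Added example, not the poster's config. Names and VIP follow the thread;
! the /secure/.* expression is an assumption chosen to match the sub-tree only.
rserver redirect REDIRECT_TO_HTTPS
  webhost-redirection https://www.website.co.uk/%p 302
  inservice
rserver redirect REDIRECT_TO_HTTP
  webhost-redirection http://www.website.co.uk/%p 302
  inservice

serverfarm redirect REDIRECT_TO_HTTPS
  rserver REDIRECT_TO_HTTPS
    inservice
serverfarm redirect REDIRECT_TO_HTTP
  rserver REDIRECT_TO_HTTP
    inservice

! A single class is enough; "not /secure" is expressed by ordering below.
class-map type http loadbalance match-any Secure_Pages
  2 match http url /secure/.*

! Port 80 VIP: only the secure sub-tree is redirected to HTTPS; every other
! request is load balanced as plain HTTP, so there are no spurious redirects.
policy-map type loadbalance first-match VIP-LB-HTTP-website.co.uk
  class Secure_Pages
    serverfarm REDIRECT_TO_HTTPS
  class class-default
    serverfarm serverfarm-website.co.uk

! Port 443 VIP: the secure sub-tree is served; class-default is the
! "does not match /secure" case and is sent back to the HTTP URL.
policy-map type loadbalance first-match VIP-LB-SSL-website.co.uk
  class Secure_Pages
    serverfarm serverfarm-website.co.uk
  class class-default
    serverfarm REDIRECT_TO_HTTP
```

The %p token in webhost-redirection carries the requested path into the Location header, so a deep link to /secure/form1 arriving on port 80 is answered with a 302 to https://www.website.co.uk/secure/form1 rather than to the site root. Checking the policy with a request to a /secure-other path shows why the anchored /secure/.* expression is preferable to /secure.* when the two trees must be kept apart.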

Similar Messages

  • Can you run Embedded PL/SQL Gateway and Oracle HTTP Server at the same time

    Hi,
    I know this will sound a bit odd but there is a business case for asking this. Can you run APEX via the Embedded PL/SQL Gateway and the Oracle HTTP Server at the same time? Would there be any security/stability/etc. issues I'd need to worry about? I know that I'll need to run them on different ports.
    Thank you,
    Martin Giffy D'Souza
    [http://apex-smb.blogspot.com/]

    I think I've done this in the past. There's no technical reason why you can't do this as far as I know.
    I can't remember if I used different ports or same port.

  • Is it possible to send several http requests at the same time?

    hi:
    is it possible to send several http requests at the same time in j2me application, or it's device specific.
    It's ok in my NOKIA SYMBIAN C++ application.
    regards
    Message was edited by:
    danielwang

    Is it possible to have 2 threads running at the same
    time at different times eg 1 repeats every 20
    miliseconds and the other 40 for example. Yes.
    http://java.sun.com/docs/books/tutorial/essential/concurrency/index.html

  • Load balancing within the same ACE across two different contexts residing on the same vlan

    I'm working on a design that requires traffic be sent to a different context in the same ACE. The question I have is whether this can be done when both reside on the same VLAN. Would the traffic in this case be handled at layer 2 instead of layer 7? Would I have to create a separate subnet in order to provide load balancing?
    |__________________|
    |   | vlan 5         |         |
        |                  |
        |                  |
    Context A        |
                           |
                           |
                        Context B
    Thanks, Jerilyn

    by design, two contexts on the same box in the same vlan can't communicate. You have to use an external L3 device.
    A workaround may be to use two different vlans and then bridge between them with a loopback cable.

  • Http server in the same oracle home or not ?

    Hi, finally I could install Oracle 10g 10.2.0.3 on Windows Vista. Now I want to install HTTP Server but I wonder if I have to install it in the same Oracle home or in another one. Some documents say yes, another one says not.

    oracle_sv wrote:
    I would like to keep the 10g version. I have the companion CD. The first time that I tried to install it gave some errors and after that I couldn't start the OracleDB console and EM.
    Ouch! I suspect that was due to installing HTTP Server binaries in your Oracle home?
    I have only installed HTTP Server on Linux, and I had a separate home for the Oracle database binaries and HTTP Server.
    The installation (at least on Linux) was straight forward, provided you have done your prep work by installing the correct RPM's, environment, etc.
    Once you have HTTP Server installed, you have to fulfil the rest of the APEX requirements (if not already done), such as:
    - Patch HTTP Server (for Linux, this is Application Server Patch 5983622)
    - Install XML DB
    - Install Oracle Text
    - Upgrade PL/SQL Web toolkit
    - Install APEX (I had 3.12 originally installed, but recently upgraded to 4.0 which was painless).
    - Configure your Apache/modplsql/conf/dads.conf in your HTTP Server home
    You will need to read the installation guides on how to do each of the above. You might have more luck doing this on Linux than Windows.
    If I was in your position and starting from scratch on this, I would be installing 11g, as it might not be so much work since APEX comes as part of 11g.

  • HTTP and HTTPS (SSL) at the same time?

    Hi
    In our company we will use SAP Portal as an external facing portal and as a portal that uses authorisation and authentication (logon). The question for us is: Is it possible to run the EFP without SSL and the "secured portal" with SSL? Where do I find documentation?
    Thanks
    Christian Thulstrup

    Hi Christian,
    yes, you can run the portal with HTTP and HTTPS at the same time - it's just a question of the URL you are entering in the browser...
    <b>BUT:</b>
    If you access your portal with HTTPS <b>all</b> content provided by the portal should be accessed with HTTPS too - otherwise you will get security warnings in IE and maybe some strange behavior of the integrated content. Session Management to SAP backend systems will not work also...
    Vice-versa: if you access your portal with HTTP all content should be accessed with HTTP... obviously...
    So if your content for the external facing portal is completely separated from the internal content - yes you can access the portal with different protocols.
    If it is not separated - and that includes KM objects also - then better use one protocol for both only!!
    Hth,
    Michael

  • Is Oracle HTTP susceptible to the same flaws as Apache 1.3?

    Is it correct to assume Oracle HTTP server is vulnerable to the same vulnerabilities found in Apache Server 1.3?
    Have any of the CPUs for Oracle Application Server (10.1.2.0.2) addressed the 'Expect Header' vulnerability (http://www.securityfocus.com/archive/1/441014) in Apache 1.3?

    The vulnerability (CVE-2006-3918) was patched by the Oct 2006 CPU.
    Message was edited by:
    nholst

  • Would it be possible that saved passwords would work on both http and https version of the same site as some pages are switching from http to https?

    Some sites are switching from http to https protocols and some sites run both. This creates some duality when you have saved passwords: you either save passwords for both versions of the site, or if you visit the https version for the first time you just have to go and look up the password, as (personally) I don't remember all of my passwords.
    Would it be possible that, unless there are different passwords for different versions of the site, Firefox would use the one that it has already saved?

    You will have to save the password again in case the submit URL and possibly other parameters change.
    You can try this extension:
    * Saved Password Editor: https://addons.mozilla.org/firefox/addon/saved-password-editor/

  • The same network and id vlan in different contex in the same ACE

    Hello,
    I want to know if I can create 2 contexts in an ACE with the same VLAN IDs as another context, and whether these can be in the same network, as in the configuration I explain below.
    Best Regards
    ++++++++Switch C6513++++++++
    svclc multiple-vlan-interfaces
    svclc module 6 vlan-group 100
    svclc module vlan-group 100 60,233
    vlan 60
      name inside
    vlan 233
      name outside
    interface vlan 233
      ip address 10.24.16.1 255.255.255.0
      no shutdown
    ++++++++Context Admin++++++++
    hostname ACE-MOD6
    ft interface vlan 350
      ip address 10.24.15.34 255.255.255.248
      peer ip address 10.24.15.33 255.255.255.248
      no shutdown
    ft peer 1
      heartbeat interval 200
      heartbeat count 20
      ft-interface vlan 350
    ft group 1
      peer 1
      priority 200
      peer priority 150
      associate-context Admin
      inservice
    context SERV1
      description SERV1
      allocate-interface vlan 60
      allocate-interface vlan 233
    context SERV2
      description SERV2
      allocate-interface vlan 60
      allocate-interface vlan 233
    ft group 2
      peer 1
      priority 200
      peer priority 150
      associate-context SERV1
      inservice
    ft group 3
      peer 1
      priority 150
      peer priority 200
      associate-context SERV2
      inservice
    ++++++Context SERV1++++++
    interface vlan 60
      ip address 10.24.8.5 255.255.255.0
      no shutdown
    interface vlan 233
      ip address 10.24.16.5 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.24.16.1
    ++++++Context SERV2++++++
    interface vlan 60
      ip address 10.24.8.6 255.255.255.0
      no shutdown
    interface vlan 233
      ip address 10.24.16.6 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.24.16.1

    Sharing Vlans is possible in routed mode.
    It's not possible when ACE is operating in Bridge mode.
    You need to use unique IP addresses in each context for shared vlans.
    Also make sure to use " shared-vlan-hostid " command.
    "When contexts share a VLAN, the ACE assigns a different MAC address to the VLAN on each context. The MAC addresses reserved for shared VLANs are 0x001243dc6b00 to 0x001243dcaaff, inclusive. All ACE modules derive these addresses from a global pool of 16k MAC addresses. This pool is divided into 16 banks, each containing 1,024 addresses. An ACE supports only 1,024 shared VLANs, and would use only one bank of MAC addresses out of the pool.
    By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However, if you configure two ACE modules in the same Layer 2 network and they are using shared VLANs, the ACEs may select the same address bank and use the same MAC addresses. To avoid this conflict, you need to configure the bank that the ACEs will use. "
    Above paragraph & More details at
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/config.html#wp1447465
    Syed Iftekhar Ahmed

  • Oracle HTTP Server as web tier for OBIEE - Best Practices?

    Hi All,
    A bit of a cross-topic issue - IHAC which wants to add a web tier (in a form of additional DMZ server with Oracle HTTP Server installed) to existing OBIEE installation.
    Are there any best practices regarding all the security aspects - installations, ports, SSL, certificates, keystores etc. ?
    Thank you in advance,
    Roman

    Am not using weblogic, I'm doing standalone setup
    Standalone:
    FMW 11g Web-Tier products are configured without a domain and administered from the command line. In this case, be sure to UN-check the selection for “Associate to WebLogic Domain” during the installation prompts and uncheck the web cache.. Only OHS is installed.
    Is it possible to install sun jdk 64 bit on AIX 7.1 machine.. ?

  • FWSM and CSM in same 6509? Best Practice?

    I have a customer that has a FWSM and CSM in the same 6509 chassis. Is there a best practices configuration for doing this?

    Hi,
    Here are good documents:
    http://cisco.com/en/US/partner/netsol/ns340/ns394/ns224/ns304/networking_solutions_package.html
    In particular:
    http://cisco.com/application/pdf/en/us/guest/netsol/ns304/c649/cdccont_0900aecd8010e77f.pdf
    Best regards,
    Pascal

  • Can anyone suggest me the OBIEE Repository/Answers best practice document?

    Hi,
    I'm looking for the OBIEE repository/answers/dashboard development best practice document. Can you suggest where I can find this document?

    Hi,
    Below the links are helpful for you,
    Oracle BI Applications Installation and Configuration Guide
    http://download.oracle.com/docs/cd/E12104_01/books/AnyInstAdm/AnyInstAdmTOC.html
    Creating a Repository Using the Oracle Business Intelligence Administration Tool
    http://www.oracle.com/technology/obe/obe_bi/bi_ee_1013/bi_admin/biadmin.html
    Creating Interactive Dashboards and Using Oracle Business Intelligence Answers
    http://www.oracle.com/technology/obe/obe_bi/bi_ee_1013/saw/saw.html
    Hope it's helpful for you and award points,
    Thanks,
    Balaa...

  • Ask the Expert:Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

    With Prashanth Goutham R.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham. 
    Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA is a key component of the Cisco SecureX Framework, protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
    Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
    Remember to use the rating system to let Prashanth know if you have received an adequate response. 
    Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hello John,
    This session is on Failover Functionality on all Cisco Firewalls. I'm not a geek on QoS; however, I have the answer for what you need. The way to limit traffic would be to enable QoS Policing on your Firewalls. The requirement that you have is about limiting 4 different tunnels to be utilizing the set limits and dropping any further packets. This is called Traffic Policing. I tried out the following in my lab and it looks good.
    access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0
    access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0
    access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0
    access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0
    class-map Tunnel_Policy1
      match access-list tunnel_one
    class-map Tunnel_Policy2
      match access-list tunnel_two
    class-map Tunnel_Policy3
      match access-list tunnel_three
    class-map Tunnel_Policy4
      match access-list tunnel_four
    policy-map tunnel_traffic_limit
      class Tunnel_Policy1
        police output 4096000
    policy-map tunnel_traffic_limit
      class Tunnel_Policy2
        police output 5734400
    policy-map tunnel_traffic_limit
      class Tunnel_Policy3
        police output 2457600
    policy-map tunnel_traffic_limit
      class Tunnel_Policy4
        police output 4915200
    service-policy tunnel_traffic_limit interface outside
    You might want to watch out for the following changes in values:
    HTTS-SEC-R2-7-ASA5510-02(config-cmap)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy1
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4096000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy2
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 5734400
    WARNING: police rate 5734400 not supported. Rate is changed to 5734000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy3
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 2457600
    WARNING: police rate 2457600 not supported. Rate is changed to 2457500
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy4
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4915200
    WARNING: police rate 4915200 not supported. Rate is changed to 4915000
    I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might get finally. I used this website to calculate your Kilobyte values to Bits: http://www.matisse.net/bitcalc/
    The final outputs of the configured values were:
    Class-map: Tunnel_Policy1
      Output police Interface outside:
        cir 4096000 bps, bc 128000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy2
      Output police Interface outside:
        cir 5734000 bps, bc 179187 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy3
      Output police Interface outside:
        cir 2457500 bps, bc 76796 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy4
      Output police Interface outside:
        cir 4915000 bps, bc 153593 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html
    Hope that helps..

  • New paper available on the Forms OTN page (Best practices...)

    This is a great paper about "Best practices when Developing Applications with Forms 10gR2"
    http://www.oracle.com/technology/products/forms/pdf/BESTPRACTICES10GR2.pdf
    Very interesting.
    Francois

    hi
    thx franco
    Kris

  • One again, "can I use CC on two computers at the same time?" - in practice.

    I know this has been asked before and all those threads are locked. Many asked the question, but I haven't found a satisfying answer yet.
    Can I multi task with CC?
    I want to have my laptop next to my desktop. And while I render, export or whatever my newly shot documentary on the laptop I want to work with a music video project on my desktop. Then when the render is finished I render the music video and go back to the laptop and continue on the documentary. Or maybe I just work 5 minutes on the desktop music video, then come up with something brilliant for the project on the laptop and switch. Back and forth. Will that kind of activity result in any kind of limitation, usage-wise?
    So, working on Premiere on my two computers at the same time.. is it possible? Technically? I know the EULA says "only one person". But will it let one person multi task?
    I need to know this before I buy. sorry for asking this again, please bless me with a clear answer

    Hi Jimmy Crim,
    Yes, in case of a Creative Cloud subscription you are allowed to install and use the CC apps on any two machines.
    Even if you want, you are allowed to use these apps together on both machines.
    Thanks
    Kapil
