Working with Ports and Hostnames
This section describes how to open ports on the ACE Web Application Firewall to listen for client HTTP or HTTPS requests. It covers these topics:
•About HTTP Ports
•Opening a Port
•Listening on a Virtual Hostname
•Configuring a Static Content Response
About HTTP Ports
Clients access applications proxied by the ACE Web Application Firewall by addressing requests at the port number specified in its consumer interface. You can open an HTTP listening port on the ACE Web Application Firewall, and manage its configuration settings, using a port object. Port objects are created for you when you define new virtual web applications. However, you can also create them manually or modify existing definitions.
The ACE Web Application Firewall policy includes a built-in listening port for HTTP port 80. You can open additional listening ports using the HTTP Port policy object. You may need to open additional ports, for example, for SSL-secured connections (conventionally on port 443). After adding the listening port, you apply it to a virtual web application to have requests for the service handled on the port.
Note The built-in default HTTP port (80) cannot be deleted, since it is used by certain internal system processes. However, you can edit the built-in port object by changing its name, port number, or other values from the Open HTTP(S) Ports page.
The port object contains settings that allow you to set up a name-based or IP-based virtual host for the ACE Web Application Firewall. The port can be configured to listen for traffic addressed to a particular hostname or IP address.
A port can be configured to respond to requests at a particular URL with a static response message. This capability is most often used to enable health monitoring of the ACE Web Application Firewall by upstream load balancers or other network hosts.
Note In the ACE XML Gateway chunked requests can be handled by the Reactor only. That is, the Flex Path does not support chunked requests (requests that indicate chunked transfer encoding). If it receives a chunked request, the ACE XML Gateway responds with a 411 error response code. Chunked responses from the backend server are supported, but for messages handled by the Flex Path, the Gateway assembles the chunked response prior to delivery to the client. Chunked responses handled by the Reactor are passed through chunked.
Opening a Port
To open a listening port on the ACE Web Application Firewall:
Step 1 While logged into the web console as an Administrator user or as a Privileged user with the Routing role, set the active subpolicy to the one in which you want to use the port.
Step 2 Click the HTTP Ports & Hostnames link in the navigation menu.
Step 3 In the Open HTTP(S) Ports page, click the Add a New Port button.
Step 4 In the Edit Port page, type a descriptive name for the new port definition in the Name field. This name identifies the port in the ACE Web Application Firewall Manager's console. It should be unique for port objects in the policy.
Step 5 Type the listening port number in the Port Number field.
Note To ensure proper operation of the system, be sure to avoid using port numbers reserved for administrative purposes by the ACE Web Application Firewall and Manager. These include ports in the range of 8200 through 8299 and 514. For a complete list of ports that may be used by the system, see Cisco ACE Web Application Firewall Administration Guide.
Step 6 To have the ACE Web Application Firewall apply transport layer security to traffic on the port, select the SSL checkbox.
The Public/Private Keypairs menu and Upload button are enabled.
Step 7 If SSL is enabled, choose an item from the Public/Private Keypair menu to specify the public/private keypair to be used for encrypting this connection.
If the correct keypair does not appear in the menu, it needs to be uploaded to the policy using the Upload button. For more information on SSL, see the "Securing Traffic with SSL/TLS" section on page 10-83.
Step 8 Optionally, specify the ciphers to be accepted in negotiating SSL connections with clients on this port in the SSL Cipher Suite menu. In the course of negotiating a secure connection, the ACE Web Application Firewall and client must be able to agree on the cipher suite to use for the connection. If the client does not support any cipher you specify here, the connection is not permitted.
By default, the connection will use the global SSL Cipher Suite settings for the HTTP server process of the ACE Web Application Firewall, as set in the System Management > I/O Settings page. This option lets you apply more specific settings for this port.
Specify a cipher suite by choosing custom from the SSL Cipher Suite menu and in the field that appears, enter the cipher suite to be accepted in OpenSSL Cipher string format, described here: http://www.openssl.org/docs/apps/ciphers.html
Note Use care when entering the cipher suite string. The ACE Web Application Firewall Manager web console interface does not verify the value you enter. If you mistype or enter a meaningless value, the ACE Web Application Firewall may not be able to open an SSL connection with the server.
Step 9 The port can listen for all traffic on this port number or only for traffic on this port number that is addressed to a particular hostname or IP address. This setting lets you set up virtual hosts (vhosts) at the ACE Web Application Firewall, by either hostname or IP address.
Specify the requests this port is to monitor from the Listen For menu, from these options:
•All traffic on this port—The port listens for any traffic addressed to the Firewall on this port.
•Requests to a hostname—The port listens for any traffic addressed to the Firewall on this port and to this hostname. Specify one or more hostnames by typing the literal hostname or a POSIX 1003.2 regular expression in the Hostname field. To use a regular expression, click the Allow regular expression matching in the hostname checkbox.
•Requests to specific IP addresses—The port listens for any traffic addressed to this IP address. Enter one or more IP addresses in the IP Addresses field, one address per line (press Enter to separate them).
Any IP address you enter must also be configured at the network interface for each Firewall appliance. For more information, see the Cisco ACE Web Application Firewall Administration Guide.
Step 10 You can serve a static response message at a particular URL on this port by choosing the serve the following static page on this port option from the Static Content menu.
For more information, see "Configuring a Static Content Response" section.
Step 11 Click Save Changes.
The port now appears in the HTTP Port menu in virtual service configuration pages.
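The console does not validate the SSL Cipher Suite string entered in Step 8, so it is worth checking the string the way OpenSSL itself parses it before pasting it into the field. This added example (not from the Cisco guide) uses Python's ssl module, which hands the string to the local OpenSSL build; it assumes the local build approximates the appliance's build, so a string that passes here is a sanity check, not a guarantee that the appliance selects the same suites.

```python
import ssl
from typing import List


def selected_ciphers(cipher_string: str) -> List[str]:
    """Parse an OpenSSL cipher string with the local OpenSSL and return the
    TLS 1.2-and-below suite names it selects. Returns [] when OpenSSL rejects
    the string (a typo, or rules that match nothing), which is exactly the
    case the console would accept unchecked and the appliance would then
    fail on when opening the SSL listener.
    Assumption: the local OpenSSL build approximates the appliance's build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # "No cipher can be selected."
        return []
    # get_ciphers() also lists TLS 1.3 suites, which a cipher string does not
    # govern; keep only the suites the string actually selected.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(names: List[str]) -> List[str]:
    """Flag suites with no encryption or authentication, RC4, or single DES,
    so a too-permissive string is noticed before it reaches the port."""
    flags = ("NULL", "ADH", "AECDH", "RC4", "DES-CBC-")
    return [n for n in names if any(f in n for f in flags)]


def check(cipher_string: str) -> dict:
    """Summarise whether the string is usable and what it would permit."""
    names = selected_ciphers(cipher_string)
    return {"valid": bool(names), "count": len(names), "weak": weak_suites(names)}


if __name__ == "__main__":
    # Constructed candidates: two sound strings and one with a typo (ECHDE).
    for s in ("ECDHE+AESGCM:!aNULL", "HIGH:!aNULL:!MD5", "ECHDE+AESGCM"):
        print(s, "->", check(s))
```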
Listening on a Virtual Hostname
The ACE Web Application Firewall supports IP-based and name-based virtual hosting. This support allows the Firewall to serve as a reverse proxy for multiple addressable hosts. The virtual hostname settings for the ACE Web Application Firewall appear in the port object configuration in the policy.
A virtual hostname on a port directs the ACE Web Application Firewall to service requests addressed to the specified hostname. You can configure multiple ports in the policy to listen on a single port number, but each on a different hostname or IP address.
To set a virtual hostname for the ACE Web Application Firewall, follow these steps:
Step 1 Create or modify the port object on which you would like the ACE Web Application Firewall to listen to requests for the host. For more information on creating port objects, see "Opening a Port" section.
Step 2 In the Listen For menu, choose requests to a hostname, for name-based virtual hosting, or requests to specific IP addresses, for IP-based virtual hosting.
Step 3 If you configured the port to listen for requests to an IP address, specify the IP addresses in the text field. The IP addresses you enter must also be configured on the network interface of the ACE Web Application Firewall appliance. For more information, see the Cisco ACE Web Application Firewall Administration Guide.
Step 4 If you configured the port to listen for requests to a hostname, enter the hostname in the text field. You can use regular expression matching for the hostname by checking the Allow regular expression matching in the hostname box and entering the hostname as a regular expression, such as:
^example$|example:80|example\.cisco\.com
In this case, the port accepts requests in which the host is addressed as example (as a whole word), example:80, or example.cisco.com. Note that with regular expression matching enabled, a Hostname value of simply "example" would match any request whose host value contains "example" as a substring, which may or may not be what you intend.
Step 5 Click Save Changes when finished and deploy the policy to have the changes take effect at the ACE Web Application Firewall.
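To see which port objects would claim a given request once several of them share one port number, the hostname matching described in Step 4 can be reproduced offline. This is an added example, not the appliance's own matcher: it assumes Python's re module is a close enough stand-in for the POSIX 1003.2 syntax the field accepts (anchors, alternation, escaped dots), that the literal (non-regex) comparison is an exact string match, and that the pattern contains no parenthesised groups.

```python
import re
from typing import List, Tuple


def host_matches(pattern: str, host_header: str, use_regex: bool) -> bool:
    """Return True if a request's Host value would select a port with this
    Hostname setting. Assumption: the literal mode is an exact comparison."""
    if not use_regex:
        return host_header == pattern
    # An unanchored search reproduces the substring behaviour the guide
    # warns about: a bare "example" matches anywhere in the host value.
    return re.search(pattern, host_header) is not None


def ports_selected(rules: List[Tuple[str, str, bool]], host_header: str) -> List[str]:
    """Names of the port objects (sharing one port number) whose
    (name, pattern, use_regex) rule matches this Host value."""
    return [name for name, pat, rx in rules if host_matches(pat, host_header, rx)]


def unanchored_branches(pattern: str) -> List[str]:
    """Alternation branches that lack both ^ and $, i.e. the ones that will
    also match as substrings. Assumption: no parenthesised groups, so a
    top-level split on '|' is sufficient."""
    return [b for b in pattern.split("|") if not (b.startswith("^") and b.endswith("$"))]


# Constructed rules mirroring the guide's example, all on one port number.
RULES = [
    ("vhost-example", r"^example$|example:80|example\.cisco\.com", True),
    ("vhost-literal", "example", False),
    ("vhost-loose", "example", True),  # unanchored: matches as a substring
]

if __name__ == "__main__":
    for host in ("example", "example:80", "example.cisco.com", "notexample.org"):
        print(host, "->", ports_selected(RULES, host))
    print("unanchored:", unanchored_branches(RULES[0][1]))
```

The last line shows that even the guide's pattern has two branches without anchors, so they too match as substrings of a longer host value.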
Configuring a Static Content Response
The ACE Web Application Firewall can be configured to serve a static response message at a particular URL on a port. Other network elements (such as load balancers) can use this mechanism to perform health checks against the ACE Web Application Firewall. You can set up a static response in the form of an HTML page, SOAP response, text only response, and more.
There are a few points to note regarding static response pages:
•A virtual host configuration for a port (that is, a particular configuration in the Listen For option) does not affect the static page response. That is, if you configure port 8080, for instance, to listen only for requests to the hostname "mygateway," the static content page will be served for a request to the configured URL path at port 8080, regardless of the hostname requested.
•Load balancers sometimes send HEAD method requests for health checks on balanced devices. The response page on the port automatically responds to HEAD method requests as well as GET requests.
•If you enable compression on the port, compression does not apply to the static response.
To set up a static response:
Step 1 Create or edit a port object, as described in the "Opening a Port" section.
Step 2 From the Static Content menu, choose the option serve the following static page on this port.
Step 3 For the Path, specify the URL path for addressing the response.
Step 4 Choose the type of response from the Content-Type menu:
•or a custom response
Note that the body you enter must be appropriate for the content type you choose. For HTML, for instance, this means the response includes the appropriate markup tags.
Step 5 In the Body field, enter the body of the response message.
The body must include the markup appropriate for the content type you chose. For example, for a SOAP message, the body must include the XML element and envelope markup, as in the following figure.
Figure 8-1 Static Content Message Configuration
Step 6 Click Save Changes to commit changes to the working policy.
When the policy is deployed, the page is available at the ACE Web Application Firewall address, such as: