
Client Authentication & Normal SSL Using Same IP on Proxy List

alfiesummers
Level 1

I am using CSS11501's and need to have the option of client authentication or normal client server SSL using the same IP. I cannot see how to do this using just one proxy-list.

The following is an example of what I would like.

https://sslconnection.com = ip address 10.10.10.10 on the ssl-proxy-list and uses normal client server ssl.

https://sslconnection.com/clientauth = ip address 10.10.10.10 and invokes client authentication.

Is there any way to get the proxy list to pick up the URL extension and apply the client authentication rules?

I know this would work using 2 proxy lists in say a 11503 or my other option would be to get the web server to redirect to another VIP when client authentication is required.

However, if at all possible I would like to use the same IP for both methods.

Any ideas????

1 Reply

Gilles Dufour
Cisco Employee

To see the URL, the CSS needs to decrypt the traffic, and to decrypt the traffic the CSS needs to perform SSL negotiation.

Therefore it is not possible to keep the same proxy-server.

What you can do is use a normal SSL service to decrypt the traffic and, if there is a match with the /clientauth URL, send a redirect to the same VIP IP but a different port, i.e. 8443 instead of 443.

You can then create a 2nd ssl-proxy server in your proxy list and this one will do client authentication.

Gilles.
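
The redirect workaround described in the reply above, modelled in Python as an added example (it is not from the thread and is not CSS configuration). The host name, ports and `/clientauth` prefix come from the thread; the function names are hypothetical, and certificate paths are assumed to be supplied by the caller.

```python
import ssl
from urllib.parse import urlsplit

# Values from the thread's example; all names below are hypothetical.
PUBLIC_HOST = "sslconnection.com"
CLIENT_AUTH_PORT = 8443
CLIENT_AUTH_PREFIX = "/clientauth"


def make_context(require_client_cert, cert=None, key=None, ca=None):
    """TLS policy for one listener (one IP:port pair)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if cert:
        ctx.load_cert_chain(cert, key)      # server certificate and key
    if ca:
        ctx.load_verify_locations(ca)       # CA that issued the client certs
    # Fixed before any handshake, so it cannot depend on the requested URL.
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx


def needs_client_auth(path):
    """True for /clientauth itself or anything beneath it, not /clientauthority."""
    return path == CLIENT_AUTH_PREFIX or path.startswith(CLIENT_AUTH_PREFIX + "/")


def route_on_plain_listener(target):
    """Port 443, after decryption: serve the request or redirect to port 8443."""
    parts = urlsplit(target)
    if not needs_client_auth(parts.path):
        return 200, None
    # Location uses the configured host, never the client-supplied Host header.
    location = f"https://{PUBLIC_HOST}:{CLIENT_AUTH_PORT}{parts.path}"
    if parts.query:
        location += "?" + parts.query
    return 302, location


def route_on_client_auth_listener(peer_cert):
    """Port 8443: peer_cert is the value SSLSocket.getpeercert() returned."""
    # Defensive check; CERT_REQUIRED already fails the handshake without a cert.
    return 200 if peer_cert else 403
```

The content behind `/clientauth` should be reachable only through the 8443 listener; if the 443 listener can also serve it, the redirect is advisory and a client can skip certificate authentication.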
