URL interrogation and redirection

Unanswered Question
May 4th, 2007

Ok...this is the situation....

I have a CSS 11501 w/SSLM, and it is configured and working perfectly today.

It is listening on a VIP, terminating the SSL connection, and initiating a load balanced back end connection to a pair of web servers.

users go to the URL "https://services.blah.com" and everything works great.

If users go to "https://services.blah.com/legacy" , I want them to be redirected to the legacy server, prior to the SSL negotiation. The legacy server has it's own cert, not on the CSS. The legacy server does not reside behind this CSS. In fact, it is a single host in another subnet, which the CSS has knowledge of.

Is this possible?

Thanks in advance. This is a VERY helpful forum. I hope to have the knowledge and skill level soon to be able to assist others.

Sandeep

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Diego Vargas Fri, 05/04/2007 - 08:00

Hi Sandeep,

You can match the traffic going to /legacy with a layer 5 content rule. The problem is that first you need to do the SSL negotiation, otherwise the CSS will not be able to see layer 5 information in order to match the that specific request to another content rule.

Since you need the traffic to go SSL to your server, you may want to implement Backend SSL, as the CSS will decrypt the traffic in the front-end, check on layer 5 and encrypt it again prior to send it to the server.

yycsandman007 Fri, 05/04/2007 - 12:11

Hey....thanks for the quick response...

I am currently using backend SSL for the "https://services.blah.com" URL, and the user sessions are balanced between the backend servers.

how do I redirect only "https://services.blah.com/legacy" to the legacy server that lives in another part of the network?

Where in the config do I insert that redirect statement? And what is the correct syntax?

Here are the applicable parts of my current config:

ssl-proxy-list my_secure_site

ssl-server 1

ssl-server 1 cipher rsa-with-rc4-128-md5 1xx.1x.xx.81 81

backend-server 10

backend-server 10 port 81

backend-server 10 server-ip 1xx.1x.xx.74

backend-server 20

backend-server 20 port 81

backend-server 20 server-ip 1xx.1x.xx.75

ssl-server 1 vip address 1xx.1x.xx.13

backend-server 10 ip address 1xx.1x.xx.74

backend-server 20 ip address 1xx.1x.xx.75

backend-server 10 cipher rsa-with-rc4-128-md5

backend-server 20 cipher rsa-with-rc4-128-md5

ssl-server 1 rsakey services-sys_key1

ssl-server 1 rsacert services-sys

active

-----------------------------

service backend1

ip address 1xx.1x.xx.74

type ssl-accel-backend

port 81

add ssl-proxy-list my_secure_site

keepalive port 443

keepalive type ssl

protocol tcp

active

service backend2

ip address 1xx.1x.xx.75

type ssl-accel-backend

port 81

keepalive port 443

keepalive type ssl

protocol tcp

add ssl-proxy-list my_secure_site

active

------------------------------

owner my_secure_site

content back

protocol tcp

port 81

url "/*"

vip address 1xx.1x.xx.81

add service backend1

add service backend2

advanced-balance sticky-srcip

active

content front

vip address 1xx.1x.xx.13

application ssl

add service ssl_front

protocol tcp

port 443

active

-----------------------------------

Is what I am trying to achieve even possible?

Thanks again for your assistance!

Sandeep

Diego Vargas Fri, 05/04/2007 - 13:38

Hi Sandeep,

Create another content rule in the back (for clear text) matching only that specific request, like this:

content back2

protocol tcp

port 81

url "/legacy" ----------------> More specific

vip address 1xx.1x.xx.81

add service legacy_server

active

Then you create the legacy_server service and configure it as any of the other backend servers you have already.

The CSS match the traffic agains the more specific rule, so people going to https://services.blah.com/legacy will match the rule back2 and everybody else with hit the rule with the wildcard (back).

That should resolve your problem.

Actions

This Discussion