CSS11506 Help SSL config

Unanswered Question

Well, I was able to get the 11506 to proxy to different web servers based on URL statements. Now I am testing SSL reverse proxy. I have the SSL module installed. So I have one web server on port 80 behind the CSS. https://www.test.com resolves to the VIP of the CSS. I have created a self-signed cert for test purposes. So it seems to be working about 80 percent, as I get the prompt for the certificate and get to the login screen of the web server; however, as soon as I log in, it puts me back to an HTTP URL, so it works but it is no longer encrypted. If I take the HTTP content rule out, then I can't seem to get past the web server login prompt. I am a little confused as to whether or not I need the HTTP rule in addition to the SSL rules.


Here is the config:

ssl associate rsakey myrsakey1 CSSrsakey1
ssl associate cert myrsacert1 CSScertfile1

ip route 0.0.0.0 0.0.0.0 192.168.20.1 1

!************************** CIRCUIT **************************
circuit VLAN1

  ip address 192.168.20.20 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl-list
  ssl-server 90
  ssl-server 90 vip address 192.168.20.100
  ssl-server 90 cipher rsa-with-des-cbc-sha 192.168.20.50 80
  ssl-server 90 cipher rsa-with-3des-ede-cbc-sha 192.168.20.50 80
  ssl-server 90 cipher rsa-with-rc4-128-sha 192.168.20.50 80
  ssl-server 90 cipher rsa-with-rc4-128-md5 192.168.20.50 80
  ssl-server 90 rsacert myrsacert1
  ssl-server 90 rsakey myrsakey1
  active

!************************** SERVICE **************************
service SSLWWW
  type ssl-accel
  slot 6
  keepalive type none
  add ssl-proxy-list ssl-list
  active

service rprox1
  ip address 192.168.20.50
  protocol tcp
  port 80
  active

service rprox2
  ip address 192.168.20.60
  protocol tcp
  port 80

!*************************** OWNER ***************************
owner CMPA

  content HTTP_rule
    add service rprox1
    url "//www.test.com/*"
    protocol tcp
    port 80
    vip address 192.168.20.100
    active

  content ssl
    vip address 192.168.20.100
    application ssl
    add service SSLWWW
    protocol tcp
    port 443
    active

owner clee

  content redirect_rule_2
    add service rprox2
    vip address 192.168.20.100
    url "//www.test1.com/*"
    protocol tcp
    port 80

CSS11506#


Any help is appreciated.


diro Thu, 05/10/2007 - 09:16

Probably you're getting an HTTP redirect after login. To be sure this is the case, you should sniff out the traffic. If this is the case, then you should enable URL rewrite.
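One way to confirm that diagnosis from a captured response, as an added example that is not part of the original thread: the function checks whether a response seen on the HTTPS VIP carries an absolute `http://` Location header for the public host, and returns the `https://` form the browser would need in order to stay encrypted. The function names and the sample response are constructed for illustration; only the host name www.test.com comes from the post.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: what the back-end on port 80 might send after login.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.test.com/home\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

REDIRECT_CODES = (301, 302, 303, 307, 308)

def parse_head(raw):
    """Return (status_code, {lower-cased header name: value}) for a raw response."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(raw, public_host, ssl_port=443):
    """Classify a response received over the HTTPS VIP.

    Returns (verdict, https_location_or_None). The verdict "downgrade" means
    the redirect sends the browser from HTTPS back to clear-text HTTP.
    """
    status, headers = parse_head(raw)
    location = headers.get("location")
    if status not in REDIRECT_CODES or location is None:
        return "no-redirect", None
    url = urlsplit(location)
    if not url.scheme:
        # Relative (or scheme-relative) redirects keep the browser on https.
        return "ok-relative", None
    if url.scheme == "https":
        return "ok-https", None
    if url.scheme != "http" or (url.hostname or "").lower() != public_host.lower():
        # Different site or scheme: not a redirect for this VIP's host name.
        return "other", None
    netloc = public_host if ssl_port == 443 else f"{public_host}:{ssl_port}"
    fixed = urlunsplit(("https", netloc, url.path, url.query, url.fragment))
    return "downgrade", fixed

if __name__ == "__main__":
    print(check_redirect(SAMPLE_RESPONSE, "www.test.com"))
```
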
