HTTPS to HTTP exchange not working

Sep 10th, 2007

Hi,


I would like the client to exchange HTTPS with the CSS, and the CSS to send HTTP traffic to the real server.


But when I type an https URL in my browser, nothing appears in the client's browser.


Can you help me, please?


Sincerely



Gilles Dufour (Cisco Employee) Tue, 09/11/2007 - 01:31

Does it work if you use http?


Can you get a 'show summary' before and after opening a new connection?

Also get a 'show ssl statistics'.


Thanks,


Gilles.

tuzenat Tue, 09/11/2007 - 07:19

Thanks for your reaction.


It doesn't work fine with http. I attach the output of the sh flows command on the CSS.


The sh summary increments some values.

I see values incrementing in sh ssl statistics; however, when I type https://192.168.1.1, which is the address of the VIP, I validate the certificate but I get a blank page. My web server has one web page to send.


Best regards



Gilles Dufour (Cisco Employee) Tue, 09/11/2007 - 07:37

What do you mean by "it does not work fine with http"?

If http does not work, there is no chance that ssl will.


Since you have a one-armed scenario, are you sure your server's default gateway is the CSS?


What you can try is to enable client NAT to see if that makes it work - this would prove that this is a server routing table issue.


So, try:

group clientnat
  vip address 192.168.1.2
  add destination service
  ...
  active


Gilles.

tuzenat Tue, 09/11/2007 - 08:31

The purpose of my scenario is to use SSL between the client and the CSS, and HTTP between the CSS and the servers.


When I type http://192.168.1.1 (the VIP address) I get nothing in my browser, but when I type https://192.168.1.1 the browser asks me to validate the certificate (as expected), and after that I don't get the web page of my web server. (This is my problem.)


I will try the commands you sent me and I will report how my test evolves.


Thanks once more.


Joseph

tuzenat Wed, 09/12/2007 - 00:01

I added the group clientnat to the CSS and set the default gateway of my web server to the VRRP address. http://192.168.1.1 works and https://192.168.1.1 works, but I don't see any trace in the sh flows command to validate my configuration.


Another issue is that I don't want the system to display the web page when I enter http://192.168.1.1; I only want it when I type https://192.168.1.1.


How do I tell the system to use only HTTPS between me and the CSS, and HTTP between the CSS and the web server? And how do I show my staff that it is correctly configured?



I attach my CSS configuration.


Thanks in advance.


Joseph



Gilles Dufour (Cisco Employee) Wed, 09/12/2007 - 00:38

What you can do is change the cleartext port to something else, like 81.

Create a new content rule for port 81 - make sure the service port is configured to be 80 so that the CSS translates back from 81 to 80.

Then, for the port 80 content rule, configure a redirect service that will redirect traffic from http to https.

There are some examples on how to do this in this forum and also on our website.


Gilles.

paul.matthews (Silver, 250 points or more) Thu, 09/13/2007 - 00:19

Hi. It looks like you are using the CSS in what is referred to as "one-armed" mode - the users and the servers are all on the same interface of the CSS.


Gilles' question about working on HTTP is important - you may not have an SSL issue at all. My first step in setting up SSL is to get the load balancing working correctly on http before I even think about SSL.


This is not as elegant as using the CSS as a router between the users and the servers but can be made to work.


The awkward bit is the return traffic.


I will assume there are routers between the users and the CSS/servers to explain what may be happening.


A packet comes in via the router, s=user, d=VIP. That hits the CSS, which does its bit and forwards it to the server as s=user, d=server. The server will receive that - normally this first one will be a TCP SYN, so if OK the server responds with a SYN-ACK - s=server, d=user. The server will pass that to its default gateway, which will probably be the router, so the user gets a SYN-ACK from an address it has not sent a SYN to.


Three ways to sort this. One is to create another subnet behind the CSS and put the servers there.


Second is to create a source-group on the CSS to set NAT up so that the packet that gets sent to the server has a source address associated with the CSS so that return traffic goes via the CSS.


The third is to aim the server's default gateway at the CSS address.


Paul.
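Paul's description of the asymmetric return path, together with Gilles' earlier client-NAT suggestion, as an added Python model (written for this page; it is not code from the thread or from Cisco). It traces one TCP SYN / SYN-ACK exchange through a one-armed CSS and shows which combinations of client NAT and server default gateway give the user a reply that really comes from the VIP. Only 192.168.1.1 (the VIP) and 192.168.1.2 (the clientnat vip address) come from the thread; the user, router, server and CSS addresses are constructed for the example, and the CSS behaviour is reduced to a flow table with optional source translation.

```python
"""Return-path model of a one-armed CSS deployment (added example, not from the thread).

Traces one SYN / SYN-ACK exchange user -> router -> CSS -> server and back, to show
why the reply bypasses the CSS when the server's default gateway is the router, and
why either client NAT (a CSS source group) or pointing the server's gateway at the
CSS makes the return path symmetric.
"""
import ipaddress
from dataclasses import dataclass

# Addresses taken from the thread
VIP = "192.168.1.1"      # content rule VIP the user connects to
NAT_VIP = "192.168.1.2"  # 'vip address' of the clientnat source group
# Constructed addresses for this example
USER = "10.0.0.5"           # user on a remote subnet
ROUTER = "192.168.1.254"    # router between the users and the one-armed segment
CSS_ADDR = "192.168.1.250"  # CSS circuit / VRRP address on that segment
SERVER = "192.168.1.10"     # real web server, on the same segment as the CSS
SEGMENT = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "SYN" or "SYN-ACK"


class Css:
    """Just enough of the load balancer: VIP ownership, a flow table, optional client NAT."""

    def __init__(self, client_nat: bool):
        self.client_nat = client_nat
        # (server, client address as the server sees it) -> real client address
        self.flows: dict[tuple[str, str], str] = {}

    def owns(self, addr: str) -> bool:
        return addr in (VIP, NAT_VIP, CSS_ADDR)

    def to_server(self, pkt: Packet) -> Packet:
        """Client -> VIP: rewrite dst to the server, and src too when client NAT is on."""
        src = NAT_VIP if self.client_nat else pkt.src
        self.flows[(SERVER, src)] = pkt.src
        return Packet(src, SERVER, pkt.kind)

    def to_client(self, pkt: Packet):
        """Server reply: undo the translation if a matching flow exists, otherwise drop."""
        client = self.flows.get((pkt.src, pkt.dst))
        if client is None:
            return None
        return Packet(VIP, client, pkt.kind)


def trace(client_nat: bool, server_gateway: str):
    """Return (user_sees_reply_from_vip, hops) for one SYN / SYN-ACK exchange."""
    css = Css(client_nat)
    hops = []
    syn = Packet(USER, VIP, "SYN")
    hops.append(("user->router->css", syn))        # the router delivers the VIP to the CSS
    fwd = css.to_server(syn)
    hops.append(("css->server", fwd))
    synack = Packet(SERVER, fwd.src, "SYN-ACK")    # the server answers whoever it saw
    # Server routing decision: on-link destinations go directly, everything else to the gateway
    next_hop = synack.dst if ipaddress.ip_address(synack.dst) in SEGMENT else server_gateway
    hops.append((f"server->{next_hop}", synack))
    if css.owns(next_hop):
        seen = css.to_client(synack)               # CSS un-translates and forwards to the user
        hops.append(("css->router->user", seen))
    else:
        seen = synack                              # the router forwards it untouched
        hops.append(("router->user", seen))
    ok = seen is not None and seen.src == VIP and seen.dst == USER
    return ok, hops


if __name__ == "__main__":
    for nat, gw in ((False, ROUTER), (True, ROUTER), (False, CSS_ADDR)):
        ok, hops = trace(nat, gw)
        print(f"client NAT={nat!s:5} gateway={gw:15} -> {'OK' if ok else 'BROKEN'}")
        for where, p in hops:
            print(f"    {where:20} {p.kind:8} {p.src} -> {p.dst}")
```

Without client NAT and with the router as gateway, the last hop delivers a SYN-ACK whose source is the server, not the VIP, which is the stray reply Paul describes; either turning client NAT on or pointing the server's gateway at the CSS address brings the reply back through the CSS. Paul's first option, a separate subnet behind the CSS, behaves like the gateway case because the CSS is then the only path off that subnet. One side effect of the client-NAT option worth knowing before choosing it: the server sees 192.168.1.2 as the client, so its access logs no longer record the real user address.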


