01-12-2008 07:08 PM
I thought this was a simple question, but I can't seem to make it work.
I want to redirect HTTP traffic to HTTPS for a particular site. The CSS is terminating the SSL, and the backend servers are listening on TCP 80.
No matter what I try, it isn't working. What am I missing?
!************************** SERVICE **************************
service somedomain_SSL
type ssl-accel
slot 2
add ssl-proxy-list somedomain_list
keepalive type none
compress enable
active
service www.somedomain.com_redirect
ip address 2.2.2.2
keepalive type none
type redirect
no prepend-http
domain https://test.somedomain.com
active
service www01.somedomain.com
ip address 10.101.0.43
active
service www02.somedomain.com
ip address 10.101.0.44
active
!*************************** OWNER ***************************
owner www.somedomain.com
content www.somedomain.com
vip address 10.101.0.8
protocol tcp
port 80
url "/*"
add service www.somedomain.com_redirect
active
content www.somedomain.com_SSL
vip address 10.101.0.8
add service somedomain_SSL
protocol tcp
port 443
active
!*************************** GROUP ***************************
group www.somedomain.com_Servers
vip address 10.101.0.8
add destination service www01.somedomain.com
add destination service www02.somedomain.com
active
01-13-2008 08:28 PM
I seem to be making some progress on my own. Currently, I'm now being redirected (using an HTTP proxy debugger, I see that I'm getting a 302 and the browser is showing the cert) but the page fails to display. Here is my current config.
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list somedomain_list
description "SSL List for www.somedomain.com"
ssl-server 1
ssl-server 1 vip address 10.101.0.8
ssl-server 1 rsacert somedomain-ssl
ssl-server 1 rsakey somedomain-ssl
ssl-server 1 cipher rsa-with-rc4-128-md5 10.101.0.8 80
active
!************************** SERVICE **************************
service somedomain_SSL
type ssl-accel
slot 2
add ssl-proxy-list somedomain_list
keepalive type none
compress enable
active
service www.somedomain.com_redirect
ip address 2.2.2.2
keepalive type none
type redirect
no prepend-http
redirect-string "https://test.somedomain.com"
active
service www01.somedomain.com
ip address 10.101.0.43
keepalive type http
protocol tcp
port 80
active
service www02.somedomain.com
ip address 10.101.0.44
keepalive type http
protocol tcp
port 80
active
!*************************** OWNER ***************************
owner www.somedomain.com
content www.somedomain.com_http
vip address 10.101.0.8
add service www.somedomain.com_redirect
protocol tcp
port 80
url "/*"
active
content www.somedomain.com_https
protocol tcp
add service somedomain_SSL
vip address 10.101.0.8
application ssl
port 443
add service www01.somedomain.com
active
!*************************** GROUP ***************************
group www.somedomain.com_Servers
vip address 10.101.0.8
add destination service www01.somedomain.com
add destination service www02.somedomain.com
active
01-13-2008 08:54 PM
I finally figured it out. I need to create a backend content server for the SSL module to talk to. Once I did that and reconfigured the ssl-proxy to acknowledge it, it began to work. Here is the final config:
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list somedomain_list
description "SSL List for www.somedomain.com"
ssl-server 1
ssl-server 1 vip address 10.101.0.8
ssl-server 1 rsacert somedomain-ssl
ssl-server 1 rsakey somedomain-ssl
ssl-server 1 urlrewrite 1 test.somedomain.com sslport 443 clearport 80
ssl-server 1 cipher rsa-with-rc4-128-md5 10.101.0.8 81
active
!************************** SERVICE **************************
service somedomain_SSL
type ssl-accel
slot 2
add ssl-proxy-list somedomain_list
keepalive type none
compress enable
active
service www.somedomain.com_redirect
ip address 2.2.2.2
keepalive type none
type redirect
no prepend-http
redirect-string "https://test.somedomain.com"
active
service www01.somedomain.com
ip address 10.101.0.43
keepalive type http
protocol tcp
port 80
active
service www02.somedomain.com
ip address 10.101.0.44
keepalive type http
protocol tcp
port 80
active
!*************************** OWNER ***************************
owner www.somedomain.com
content www.somedomain.com_decrypt
vip address 10.101.0.8
add service www01.somedomain.com
add service www02.somedomain.com
protocol tcp
port 81
active
content www.somedomain.com_http
vip address 10.101.0.8
add service www.somedomain.com_redirect
protocol tcp
port 80
url "//test.somedomain.com/*"
active
content www.somedomain.com_https
protocol tcp
add service somedomain_SSL
vip address 10.101.0.8
application ssl
port 443
active
!*************************** GROUP ***************************
group www.somedomain.com_Servers
vip address 10.101.0.8
add destination service www01.somedomain.com
add destination service www02.somedomain.com
active
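An added example, not part of the original posts and not Cisco tooling: a small Python check for the condition fixed in the post above, namely that the address and port ending the ssl-server cipher line must match a content rule other than the port 80 redirect. The parse and audit names, the weak-cipher name fragments and the trimmed sample configs are assumptions constructed for illustration.

```python
import re

WEAK = ("rc4", "md5", "null", "export")  # assumption: name fragments treated as weak

def parse(config):
    """Split a flattened CSS config into services, content rules, SSL backends."""
    services, rules, backends, cur = {}, [], [], {"services": []}
    for line in map(str.strip, config.splitlines()):
        head, _, rest = line.partition(" ")
        if head in ("service", "content", "group", "owner", "ssl-proxy-list"):
            cur = {"name": rest, "services": []}      # a new stanza starts here
            if head == "service":
                services[rest] = cur
            elif head == "content":
                rules.append(cur)
        elif m := re.match(r"ssl-server \d+ cipher (\S+) (\S+) (\d+)$", line):
            backends.append((m[1], m[2], m[3]))       # cipher, clear-text ip, port
        elif line.startswith("vip address "):
            cur["vip"] = line.split()[-1]
        elif head in ("port", "type"):
            cur[head] = rest
        elif line.startswith("add service "):
            cur["services"].append(line.split()[-1])
    return services, rules, backends

def audit(config):
    """Return findings about where the SSL module sends decrypted traffic."""
    services, rules, backends = parse(config)
    out = []
    for cipher, ip, port in backends:
        if any(w in cipher for w in WEAK):
            out.append(f"weak cipher: {cipher}")
        hits = [r for r in rules if (r.get("vip"), r.get("port")) == (ip, port)]
        if not hits:
            out.append(f"no content rule on {ip}:{port}")
        out += [f"{ip}:{port} lands on redirect rule {r['name']}" for r in hits
                for s in r["services"] if services.get(s, {}).get("type") == "redirect"]
    return out

# Constructed samples, trimmed from the configs posted in the thread.
BASE = """ssl-server 1 cipher rsa-with-rc4-128-md5 10.101.0.8 {port}
service www.somedomain.com_redirect
type redirect
content www.somedomain.com_http
vip address 10.101.0.8
add service www.somedomain.com_redirect
port 80
"""
BROKEN = BASE.format(port=80)   # clear-text side points at the redirect rule
FIXED = BASE.format(port=81) + "content www.somedomain.com_decrypt\nvip address 10.101.0.8\nport 81\n"
```

audit(BROKEN) reports the decrypted traffic landing on the redirect rule; audit(FIXED) leaves only the cipher finding, since rsa-with-rc4-128-md5 is still configured.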
01-13-2008 09:02 PM
I guess I still have a couple of questions:
• What is the significance of the IP address in the redirect service:
service www.somedomain.com_redirect
ip address 2.2.2.2
• I will need to configure the use of sticky cookies, would this be done on content www.somedomain.com_decrypt ?
• I'm using a one armed config with NAT. My two servers are Oracle 11i app servers. We chose the one armed config so that DB transactions did not go through the CSS. I believe this is going to cause issues with our webtrends install because all users are going to come from the 10.101.0.8 addy. Is there a way around this? The servers and CSS are in a DMZ behind an ASA.