01-22-2008 03:47 AM
Is it possible if I have one IP address on my CSS and I would like to enable the SSL termination service? It does not seem to work. Is it a configuration problem or a SW limitation?
This is my CSS configuration.
==============================
ABC-CSS01# sh run
!Generated on 01/22/2008 10:36:42
!Active version: sg0750205
configure
!*************************** GLOBAL ***************************
no restrict web-mgmt
logging buffer 64000
ssl associate rsakey myrsakey1 myrsakey.pem
ssl associate cert mychainedrsacert1 myrsakey2.cer
ssl associate dhparam 1 dahshing_dh.pem
ip route 0.0.0.0 0.0.0.0 172.27.2.1 1
!************************** CIRCUIT **************************
circuit VLAN1
  ip address 172.27.2.9 255.255.255.0
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl-list
  ssl-server 20
  ssl-server 20 vip address 172.27.2.8
  ssl-server 20 cipher rsa-with-des-cbc-sha 172.27.2.53 80
  ssl-server 20 cipher rsa-with-3des-ede-cbc-sha 172.27.2.53 80
  ssl-server 20 cipher rsa-with-rc4-128-sha 172.27.2.53 80
  ssl-server 20 cipher rsa-with-rc4-128-md5 172.27.2.53 80
  ssl-server 20 rsacert mychainedrsacert1
  ssl-server 20 rsakey myrsakey1
  active
!************************** SERVICE **************************
service uatsec1
  protocol tcp
  ip address 172.27.2.53
  keepalive type tcp
  port 80
  active
service www
  type ssl-accel
  add ssl-proxy-list ssl-list
  keepalive type none
  slot 2
  active
!**************************** EQL ****************************
eql Cacheable
  description "This EQL contains extensions of cacheable content"
  extension pdf "Acrobat"
  extension fdf "Acrobat Forms Document"
  extension au "Sound audio/basic"
  extension bmp "Bitmap Image"
  extension z "Compressed data application/x-compress"
  extension gif "GIF Image image/gif"
  extension html "Hypertext Markup Language text/html"
  extension htm
  extension js "Java script application/x-javascript"
  extension mocha
  extension jpeg "JPEG image image/jpeg"
  extension jpg
  extension jpe
  extension jfif
  extension pjpeg
  extension pjp
  extension mp2 "MPEG Audio audio/x-mpeg"
  extension mpa
  extension abs
  extension mpeg "MPEG Video video/mpeg"
  extension mpg
  extension mpe
  extension mpv
  extension vbs
  extension m1v
  extension pcx "PCX Image"
  extension txt "Plain text text/plain"
  extension text
  extension mov "QuickTime video/quicktime"
  extension tiff "TIFF Image image/tiff"
  extension tar "Unix Tape Archive application/x-tar"
  extension avi "Video for Windows video/x-msvideo"
  extension wav "Wave File audio/x-wav"
  extension gz "application/x-gzip"
  extension zip "ZIP file application/x-zip-compressed"
!*************************** OWNER ***************************
owner ssl_owner
  content ssl
    port 443
    vip address 172.27.2.8
    protocol tcp
    application ssl
    add service www
    active
==============================
Thank you.
01-22-2008 07:03 AM
Hi,
I do not really understand what you mean with "Is it possible if I have one IP address on my CSS and I would like to enable the SSL termination service? "
However you are missing the clear text content rule configuration, and the ssl-server cipher should not be pointing to the server IP but to the clear text rule, like this:
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl-list
  ssl-server 20
  ssl-server 20 vip address 172.27.2.8
  ssl-server 20 cipher rsa-with-des-cbc-sha 172.27.2.8 80
  ssl-server 20 cipher rsa-with-3des-ede-cbc-sha 172.27.2.8 80
  ssl-server 20 cipher rsa-with-rc4-128-sha 172.27.2.8 80
  ssl-server 20 cipher rsa-with-rc4-128-md5 172.27.2.8 80
  ssl-server 20 rsacert mychainedrsacert1
  ssl-server 20 rsakey myrsakey1
  active
owner ssl_owner
  content clear_text
    port 80
    vip address 172.27.2.8
    protocol tcp
    add service uatsec1
    active
  content ssl
    port 443
    vip address 172.27.2.8
    protocol tcp
    application ssl
    add service www
    active
service uatsec1
  protocol tcp
  ip address 172.27.2.53
  keepalive type tcp
  port 80
  active
service www
  type ssl-accel
  add ssl-proxy-list ssl-list
  keepalive type none
  slot 2
  active
Hope it helps!!
01-22-2008 11:36 PM
I have tried the url: https://172.27.2.8/testing/Login.jsp
The page cannot be shown.
I logged the following:
DSB-CSS01# sh service summary
Service Name   State   Conn   Weight   Avg Load   State Transitions
uatsec1        Alive   0      1        2          0
www            Alive   0      1        2          0
DSB-CSS01# sh summary
Global Bypass Counters:
No Rule Bypass Count: 13
Acl Bypass Count: 0
Owner        Content Rules   State    Services   Service Hits
ssl_owner    ssl             Active   www        11
             clear_text      Active   uatsec1    6
I can see that all SSL termination examples use 2 separate VLANs: one IP for the CSS outside and another for the server side.
01-23-2008 02:31 AM
You can do this in one-armed mode: 1 VLAN for client and server traffic.
However, you need to guarantee that the server response will go back to the CSS.
In one-armed mode, if the CSS is not the default gateway, the server responses go directly to the client, which does not accept them because they are not coming from the VIP.
Also, what was suggested is to create a content rule on your CSS for plain HTTP traffic.
Like this, you can easily test if HTTP is working and determine if this is a general issue or an SSL-only issue.
Once you have the content rule for HTTP configured, you also need to modify your ssl-proxy-list to send decrypted traffic to this HTTP content rule instead of directly to the server.
Again this helps for troubleshooting and will give the possibility to perform special actions on the decrypted traffic if needed later on (i.e. cookie stickiness).
Regards,
Gilles.
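As an added example (not part of the thread and not a Cisco tool), a small Python check that applies the point made in both replies above to a CSS running-config dump: every `ssl-server ... cipher` target should be a content rule on the CSS itself (the clear-text rule on the VIP), not the backend server's IP. The two config samples are constructed from the thread's own addresses.

```python
import re

# Constructed sample modelled on the thread's first post: the cipher lines hand
# decrypted traffic straight to the backend server 172.27.2.53:80.
BROKEN = """\
ssl-proxy-list ssl-list
  ssl-server 20 cipher rsa-with-des-cbc-sha 172.27.2.53 80
  ssl-server 20 cipher rsa-with-rc4-128-sha 172.27.2.53 80
  active
owner ssl_owner
  content ssl
    port 443
    vip address 172.27.2.8
    active
"""
# The same dump after the suggested fix: a clear_text rule on the VIP, port 80,
# with the cipher lines pointing at it instead of at the server.
FIXED = BROKEN.replace("172.27.2.53 80", "172.27.2.8 80") + """\
  content clear_text
    port 80
    vip address 172.27.2.8
    active
"""
CIPHER_RE = re.compile(r"^\s*ssl-server\s+(\d+)\s+cipher\s+\S+\s+(\S+)\s+(\d+)\s*$")

def parse_content_rules(config):
    # Map (vip, port) -> rule name for every content rule closed by "active".
    rules, cur = {}, None
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] == ["content"]:
            cur = {"name": tok[1], "vip": None, "port": None}
        elif cur is None:
            continue  # outside a content rule (proxy list, services, ...)
        elif tok[:2] == ["vip", "address"]:
            cur["vip"] = tok[2]
        elif tok[:1] == ["port"]:
            cur["port"] = tok[1]
        elif tok == ["active"]:
            rules[(cur["vip"], cur["port"])] = cur["name"]
            cur = None
    return rules

def check_cipher_targets(config):
    # One finding per cipher line whose target is not a content rule on this CSS.
    rules, findings = parse_content_rules(config), []
    for line in config.splitlines():
        m = CIPHER_RE.match(line)
        if m and (m.group(2), m.group(3)) not in rules:
            findings.append(f"ssl-server {m.group(1)}: target {m.group(2)}:{m.group(3)} is not a content rule")
    return findings
```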