CSS11501 Simple SSL (HTTP to HTTPS) configuration

Hi everyone

We've just started investigating moving SSL offload to our CSS11501. I've got the configuration working with a single (HTTP) server as per the example configuration at:

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801aca4f.shtml

I'm unsure as to how to load balance to multiple HTTP servers though. Anyone have a simple config which will make this clear?

Thanks


Gilles Dufour
Cisco Employee

I'm glad the example I wrote was helpful to you.

To answer your question, what you need to do is send the decrypted traffic to another vip on the CSS.

So, you create a content rule for the cleartext traffic.

Assign a vip, a port, all the http servers.

Then in your ssl proxy-list, replace the destination server ip with the vip from your cleartext content rule.

Gilles.
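The steps in the reply above, written out as a CSS configuration sketch. This is an added example, not part of the original thread or of the linked Cisco document; every name, address, the slot number and the `<cipher-suite>` placeholder are constructed, and the key and certificate names are assumed to be already associated as in the existing single-server setup.

```cisco
! Constructed example. 192.0.2.10 = client-facing VIP (assumed),
! 10.0.0.100 = cleartext VIP (assumed), 10.0.0.11-12 = HTTP servers (assumed).

ssl-proxy-list ssl_list1
  ssl-server 20
  ssl-server 20 vip address 192.0.2.10
  ssl-server 20 rsakey myrsakey1
  ssl-server 20 rsacert mycert1
  ! Destination is the cleartext VIP, no longer a single server IP.
  ! Keep the cipher suite from the working single-server configuration.
  ssl-server 20 cipher <cipher-suite> 10.0.0.100 80
  active

service ssl_module1
  type ssl-accel
  ! Slot of the SSL module in this chassis (assumed value).
  slot 2
  keepalive type none
  add ssl-proxy-list ssl_list1
  active

service web1
  ip address 10.0.0.11
  protocol tcp
  port 80
  keepalive type http
  active

service web2
  ip address 10.0.0.12
  protocol tcp
  port 80
  keepalive type http
  active

owner example
  ! Client-facing rule: HTTPS is handed to the SSL module for decryption.
  content ssl
    vip address 192.0.2.10
    protocol tcp
    port 443
    add service ssl_module1
    active
  ! Cleartext rule on its own VIP: load balances the decrypted requests.
  content cleartext
    vip address 10.0.0.100
    protocol tcp
    port 80
    add service web1
    add service web2
    active
```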

Thanks Gilles.

We have it working very well now, with one slight workaround:

The SSL-HTTP proxying worked fine. We have only one content rule for client facing, and for where the ssl-proxy-list redirects to. When we added another L4 rule to redirect port 80 requests to port 443, we ended up with a loop.

To resolve this issue we changed the HTTP port on the webservers to 81, and used this port in the ssl-proxy-list.

I assume if we had two separate content rules (one for client facing, and one for the ssl-proxy-list to forward to), we would not have had this issue?