SSL config

Unanswered Question
Jun 18th, 2008

Dear Sir,

I have a pair of 11501s, which load balance two SSL servers behind them. The cert is stored on the SSL servers (10.106.13.20 & 21). The external VIP is 10.106.13.224.

I read the SSL Config Guide and made the configuration below. Can you check if my config below is OK?

ssl-proxy-list PIS-SSL-LIST
  backend-server 1
  backend-server 1 type backend-ssl
  backend-server 1 ip address 10.106.13.224
  backend-server 1 server-ip 10.106.13.20
  backend-server 1 version ssl3
  backend-server 1 session-cache 300
  backend-server 1 tcp virtual ack-delay 0
  backend-server 2
  backend-server 2 type backend-ssl
  backend-server 2 ip address 10.106.13.224
  backend-server 2 server-ip 10.106.13.21
  backend-server 2 version ssl3
  backend-server 2 session-cache 300
  backend-server 2 tcp virtual ack-delay 0
  active

service PIS-SSL-SERVICE
  type ssl-accel-backend
  ip address 10.106.13.224
  add ssl-proxy-list PIS-SSL-LIST
  active

owner PIS-SSL-OWNER
  content PIS-SSL-VIP-1
    vip address 10.106.13.224
    port 80
    advanced-balance arrowpoint-cookie
    url "/*"
    add service PIS-SSL-SERVICE
    active

Thanks

Gilles Dufour Sun, 06/22/2008 - 22:17

This is totally wrong, unfortunately.

What are you trying to achieve here?

Normally the connection between the CSS and the server does not need to be encrypted because they are close to each other.

You probably want to encrypt the connection from the client to the CSS, since this connection goes through the Internet.

Is this what you need?

Here are sample configs:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html#wp999094

backend-ssl is @

SSL Transparent Proxy Configuration - HTTP and Back-End SSL Servers

You will see that you made many mistakes, like the IP addresses used in the ssl-proxy-list.

Gilles.
