CSS11506 with backend SSL configuration

Answered Question
Oct 6th, 2008

I have only one CSS5-SSL-K9 module, currently configured with a service of type ssl-accel.


Now I need to configure a backend server to achieve HTTPS from the CSS to the backend server.


From the reading I have just realised that only one service can be active for an SSL module at a time.


Can I get some advice? Can I run backend SSL on my CSS, which has only one SSL module?


Any comments will be appreciated


Thanks in advance





Correct Answer by Gilles Dufour (Cisco Employee) Mon, 10/06/2008 - 04:37

You can have only one ssl-proxy service active per SSL module but multiple services can be configured under the same ssl-proxy-list.


So, go ahead and add your backend-ssl config to the existing ssl-proxy-list and you should be fine.


Gilles.

julxu Tue, 10/14/2008 - 21:13

Great thanks for the reply.


I still do not understand another thing. For the backend configuration, CSS is acting as client, so the backend server has to use https also? Is it right?


Can I open port 443 to listen backend server to contact me?


Please advise.


Many regards

My question is similar wrt the single active ssl-accel service:


I have many virtual servers (different vip/port combos) and many backend servers listening on different ports. For example,


  • vip1/443 maps to server1/80
  • vip2/443 maps to server2/80
  • vip2/444 maps to server2/81


My (no doubt flawed) understanding is that I would need multiple ssl-proxy-lists and ssl-accel services to handle this:


ssl-proxy-list vip1-list

  ssl-server 10

  ssl-server 10 vip address 192.168.1.1

  ...

  ssl-server 10 cipher rsa-with-rc4-128-md5 10.10.1.1 80

  active


ssl-proxy-list vip2-443-list

  ssl-server 20

  ssl-server 20 vip address 192.168.1.2

  ...

  ssl-server 20 cipher rsa-with-rc4-128-md5 10.10.1.2 80

  active


ssl-proxy-list vip2-444-list

  ssl-server 30

  ssl-server 30 vip address 192.168.1.2

  ssl-server 30 port 444

  ...

  ssl-server 30 cipher rsa-with-rc4-128-md5 10.10.1.2 81

  active


service serv1

  type ssl-accel

  slot 2

  add ssl-proxy-list vip1-list

  keepalive type none

  active


service serv2-443

  type ssl-accel

  slot 2

  add ssl-proxy-list vip2-443-list

  keepalive type none

  active


service serv2-444

  type ssl-accel

  slot 2

  add ssl-proxy-list vip2-444-list

  keepalive type none

  active



This obviously would not work so please tell me what am I missing?


Thanking you in advance.

jason.espino Thu, 02/25/2010 - 21:26

julxu to answer your question, yes when backend-ssl is configured on the CSS the load balancer acts as both an SSL server and SSL client.  SSL server to the client establishing an HTTPS connection to the VIP, and SSL client when communicating to the backend webserver.  The backend server will need to use port 443 unless you have an alternate SSL port configured on the server.  The CSS will use the default HTTPS (port 443) when communicating to the backend webserver with backend-ssl.


COLIN WU to answer your question, as Gilles mentioned you can have only one ssl-proxy service active per SSL module but multiple services can be configured under the same ssl-proxy-list.  However, your configuration will not work as you cannot have the SAME VIP address configured for 2 ssl-servers within a proxy-list or multiple proxy-lists.


- Jason Espino

Actually I can have the same vip, but not the same vip/port combination. For what I wanted to achieve in my example above the following ssl-proxy-list will work:


ssl-proxy-list test-list

  ssl-server 10

  ssl-server 10 vip address 192.168.1.1

  ...

  ssl-server 10 cipher rsa-with-rc4-128-md5 10.10.1.1 80


  ssl-server 20

  ssl-server 20 vip address 192.168.1.2

  ...

  ssl-server 20 cipher rsa-with-rc4-128-md5 10.10.1.2 80


  ssl-server 30

  ssl-server 30 vip address 192.168.1.2

  ssl-server 30 port 444

  ...

  ssl-server 30 cipher rsa-with-rc4-128-md5 10.10.1.2 81

  active


Note that ssl-server 20 and ssl-server 30 both have the same vip but are listening on port 443 and 444, respectively.


I must confess I found the answer to my original question in another thread: https://supportforums.cisco.com/thread/2004313?tstart=0
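A small configuration checker for the rule Colin states above (the same VIP may appear more than once in an ssl-proxy-list, but not the same VIP/port combination), added here as an example; it is not part of this thread and not a Cisco tool. It parses the ssl-server lines in the CSS syntax shown in the thread and assumes, as jason.espino notes, that an ssl-server without a port line listens on 443. Both configurations it reads are constructed from the thread's example, with the elided lines left out.

```python
import re
from collections import defaultdict

# Constructed sample in CSS ssl-proxy-list syntax, based on the working
# configuration above: entry 30 reuses the VIP of entry 20 on a different port.
SAMPLE_CONFIG = """\
ssl-proxy-list test-list
  ssl-server 10
  ssl-server 10 vip address 192.168.1.1
  ssl-server 10 cipher rsa-with-rc4-128-md5 10.10.1.1 80
  ssl-server 20
  ssl-server 20 vip address 192.168.1.2
  ssl-server 20 cipher rsa-with-rc4-128-md5 10.10.1.2 80
  ssl-server 30
  ssl-server 30 vip address 192.168.1.2
  ssl-server 30 port 444
  ssl-server 30 cipher rsa-with-rc4-128-md5 10.10.1.2 81
  active
"""

# Constructed variant that adds a fourth entry on 192.168.1.2 with no port
# line, so it collides with entry 20 on the default port.
CONFLICTING_CONFIG = SAMPLE_CONFIG.replace(
    "  active\n",
    "  ssl-server 40\n  ssl-server 40 vip address 192.168.1.2\n  active\n",
)

DEFAULT_SSL_PORT = 443  # assumed: an ssl-server without a "port" line listens on 443


def parse_ssl_servers(config_text):
    """Map ssl-server id -> {"vip": str|None, "port": int, "backend": (ip, port)|None}."""
    servers = {}
    for raw in config_text.splitlines():
        m = re.match(r"ssl-server (\d+)(?:\s+(.*))?$", raw.strip())
        if not m:
            continue  # ssl-proxy-list header, "active", or unrelated lines
        sid = int(m.group(1))
        entry = servers.setdefault(
            sid, {"vip": None, "port": DEFAULT_SSL_PORT, "backend": None}
        )
        rest = (m.group(2) or "").split()
        if rest[:2] == ["vip", "address"] and len(rest) >= 3:
            entry["vip"] = rest[2]
        elif rest[:1] == ["port"] and len(rest) >= 2:
            entry["port"] = int(rest[1])
        elif rest[:1] == ["cipher"] and len(rest) >= 4:
            # cipher <suite> <backend-ip> <backend-port>
            entry["backend"] = (rest[2], int(rest[3]))
    return servers


def find_vip_port_conflicts(servers):
    """Return [(vip, port, [ids...])] for every VIP/port claimed by more than one ssl-server."""
    claims = defaultdict(list)
    for sid, entry in sorted(servers.items()):
        if entry["vip"] is not None:
            claims[(entry["vip"], entry["port"])].append(sid)
    return [
        (vip, port, ids)
        for (vip, port), ids in sorted(claims.items())
        if len(ids) > 1
    ]


def check(config_text):
    """Parse a proxy-list and report conflicts; an empty list means the list is consistent."""
    return find_vip_port_conflicts(parse_ssl_servers(config_text))


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("conflicting", CONFLICTING_CONFIG)):
        for vip, port, ids in check(cfg) or []:
            print(f"{name}: VIP {vip} port {port} claimed by ssl-server {ids}")
        if not check(cfg):
            print(f"{name}: no VIP/port conflicts")
```

Running the script reports no conflicts for the working list and flags the constructed entry 40 against entry 20, since both sit on 192.168.1.2 port 443; extending the checker with the real port your servers use is a matter of changing DEFAULT_SSL_PORT.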

jason.espino Fri, 02/26/2010 - 07:24

Hello Colin,


I apologize about my oversight. I didn't notice the alternate SSL port defined within the ssl-server 30 configuration.


Thank you for the update!


Regards,


Jason
