CSS SSL Configuration

May 17th, 2010

Hi All,


Kindly review my config.


When I access the VIP address from outside it is not working. Internally, I tried it and it is working.


Scenario:-


Outside client-----------Firewall (NATed public IP to VIP)---------------CSS-----------Apache server


Is it possible, when we access the application from outside on port 80, for the content switch to redirect to port 443?



!


!************************* INTERFACE *************************
interface e1
  bridge vlan 50


interface e2
  bridge vlan 50


interface e3
  bridge vlan 50


interface e4
  bridge vlan 50


interface e9
  bridge vlan 50


!************************** CIRCUIT **************************
circuit VLAN50
  ip address 10.5.5.6 255.255.255.0


!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl_list1
  ssl-server 20
  ssl-server 20 vip address 10.5.5.7
  ssl-server 20 rsacert qisrsacertnew1
  ssl-server 20 rsakey qis1
  ssl-server 20 cipher rsa-export-with-rc4-40-md5 10.5.5.7 80
  active


!************************** SERVICE **************************
service Appache-1-http
  protocol tcp
  ip address 10.5.5.4
  port 80
  keepalive type http
  keepalive port 80
  active


service Appache-2-http
  protocol tcp
  ip address 10.5.5.5
  port 80
  keepalive type http
  keepalive port 80
  active


service ssl-serv1
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list ssl_list1
  active


!*************************** OWNER ***************************
owner test

  content HTTP-Appache
    vip address 10.5.5.7
    add service Appache-1-http
    primarySorryServer Appache-2-http
    protocol tcp
    port 80
    active


  content ssl-rule-1
    vip address 10.5.5.7
    add service ssl-serv1
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    active


!*************************** GROUP ***************************
group test
  vip address 10.5.5.7
  add destination service Appache-1-http
  add destination service Appache-2-http
  active

Gilles Dufour (Cisco Employee), Wed, 05/19/2010 - 00:28

The configuration looks good.

Check if the new connection from outside does get to the CSS.

Check if the server gets the request and if it sends the response to the client through the CSS.

Sniffer trace would help here.


If you want to redirect port 80 traffic to port 443, you first need to change the ssl-proxy config.

You will need to send the cleartext traffic to a different vip:port otherwise the decrypted traffic would also match the redirect rule.


Then for the vip:80 rule you configure a redirect as described in the config guide:

http://www.cisco.com/en/US/partner/products/hw/contnetw/ps789/products_configuration_example09186a00801de8d6.shtml


Gilles.
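As an added example (not part of the original post or of Gilles' reply), the fragment below lays out the change the reply describes on top of the posted config. The SSL proxy's cleartext leg is moved from 10.5.5.7:80 to 10.5.5.7:8080 (8080 is an assumed, otherwise unused port) with a new content rule on that port for the Apache servers, so the port 80 rule can become a pure redirect without also catching the decrypted traffic. The redirect string uses the CSS content-rule `redirect` command from the linked config guide; www.example.com is a placeholder for the public hostname clients use and the certificate covers. Everything else is the posted config unchanged.

```text
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl_list1
  ssl-server 20
  ssl-server 20 vip address 10.5.5.7
  ssl-server 20 rsacert qisrsacertnew1
  ssl-server 20 rsakey qis1
  ! Cleartext now goes to VIP:8080 (assumed port) instead of VIP:80, so
  ! decrypted requests never match the port 80 redirect rule below.
  ! rsa-export-with-rc4-40-md5 is a 40-bit export-grade cipher, kept here
  ! only to match the posted config; a non-export cipher from the CSS
  ! cipher list should be used in practice.
  ssl-server 20 cipher rsa-export-with-rc4-40-md5 10.5.5.7 8080
  active

!*************************** OWNER ***************************
owner test

  ! Decrypted HTTPS traffic from the SSL module lands here and is
  ! balanced to the Apache servers (formerly the port 80 rule).
  content HTTP-Appache-decrypted
    vip address 10.5.5.7
    add service Appache-1-http
    primarySorryServer Appache-2-http
    protocol tcp
    port 8080
    active

  ! Plain port 80 from clients: no services, only a redirect to HTTPS.
  ! The hostname is a placeholder for the public name of the site.
  content HTTP-redirect
    vip address 10.5.5.7
    protocol tcp
    port 80
    redirect "https://www.example.com"
    active

  ! Unchanged: terminates TLS on the SSL module in slot 2.
  content ssl-rule-1
    vip address 10.5.5.7
    add service ssl-serv1
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    active
```

On a running CSS the ssl-proxy-list (and the ssl-serv1 service that references it) has to be suspended before the `ssl-server 20 cipher` line can be edited, then reactivated. To confirm the result from the outside client, request http://www.example.com/ and check that the answer is an HTTP 302 whose Location header points at the https:// URL, and that the subsequent HTTPS request reaches Apache; if the redirect loops, the decrypted traffic is still landing on the port 80 rule, which is exactly the condition the separate vip:port avoids.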
