CSS SSL-proxy sends wrong port # embedded in HTTP Host Header

Answered Question
Feb 23rd, 2006
Load balancing works fine and so does SSL offloading. Sniffer traces show that the Host header sent to the server on TCP 81 has no port number appended to it, as required by the HTTP RFC.

In the current configuration, verified by a sniffer, TCP 443 hits the content rule and is sent to the SSL proxy, which sends it on TCP 81 in clear text to the server. The server is listening on TCP 81 and the website is reachable. Some scripts were failing, so I checked the HTTP Host header in a sniffer trace and found that although I am sending it to TCP 81, the Host header says:

HOST: DEV1.SITE.COM

When according to the RFC and other sniffer traces to working servers (not load balanced) it should show:

HOST: DEV1.SITE.COM:81

Is this a configuration problem, bug or feature? :)

Thanks!

Mike Kelley
[email protected]

---- config attached -----


STGCSS1# sh ver
Version: sg0810002 (08.10.0.02)

!*********************** SSL PROXY LIST ***********************
(IPs changed to protect the innocent!)

ssl-proxy-list STG-SSL-PROXYLIST
  ssl-server 20
  ssl-server 20 rsakey dev1-key
  ssl-server 20 rsacert DEV1.SITE.COM-CERT
  ssl-server 20 vip address 100.100.100.203
  ssl-server 20 cipher rsa-with-rc4-128-md5 100.100.100.203 81
  ssl-server 20 cipher rsa-with-rc4-128-sha 100.100.100.203 81
  ssl-server 20 cipher rsa-with-des-cbc-sha 100.100.100.203 81
  ssl-server 20 cipher rsa-with-3des-ede-cbc-sha 100.100.100.203 81
  ssl-server 20 cipher rsa-export1024-with-des-cbc-sha 100.100.100.203 81
  ssl-server 20 cipher rsa-export1024-with-rc4-56-sha 100.100.100.203 81
  active

!************************** SERVICE **************************
service STG-SSL-ACCEL
  type ssl-accel
  keepalive type none
  slot 2
  add ssl-proxy-list STG-SSL-PROXYLIST
  active

!*************************** OWNER ***************************
owner STAGING

  content dev1_443
    application ssl
    vip address 100.100.100.203
    add service STG-SSL-ACCEL
    protocol tcp
    port 443
    active
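An added example, not from the original thread or from the CSS software: a small Python check that can be run over HTTP requests pulled out of a sniffer trace (for instance via tshark's "follow TCP stream" output) to flag Host headers that omit a non-default port, which is the RFC 2616 rule the post describes. The two sample requests are constructed; the destination port and scheme are passed in because, after SSL offload, the back-end leg is plain http on TCP 81, so its default port is 80 and the port must appear.

```python
from typing import Optional, Tuple

# Default port per scheme (RFC 2616 section 14.23: Host may omit the port only when it is the default).
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_host_header(raw_request: str) -> Optional[str]:
    """Return the Host header value from a raw HTTP/1.1 request, or None if absent."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None

def split_host_port(host_value: str) -> Tuple[str, Optional[int]]:
    """Split 'name[:port]' into (name, port); port is None when not present."""
    name, sep, port = host_value.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return host_value, None

def expected_host(hostname: str, scheme: str, dst_port: int) -> str:
    """Host value the RFC expects for a request delivered to dst_port under the given scheme."""
    if DEFAULT_PORTS.get(scheme) == dst_port:
        return hostname
    return f"{hostname}:{dst_port}"

def check_host_header(raw_request: str, scheme: str, dst_port: int) -> Tuple[bool, Optional[str], Optional[str]]:
    """Compare the observed Host header with what the destination port requires.
    Returns (ok, observed, expected). An explicit default port (e.g. ':80' on http) is accepted."""
    observed = parse_host_header(raw_request)
    if observed is None:
        return False, None, None
    name, port = split_host_port(observed)
    expected = expected_host(name, scheme, dst_port)
    ok = port == dst_port or (port is None and DEFAULT_PORTS.get(scheme) == dst_port)
    return ok, observed, expected

# Constructed sample requests (not taken from the original trace): what the SSL proxy forwards
# to TCP 81, and what a client talking directly to a server on TCP 81 sends.
OFFLOADED_REQUEST = "GET /check.asp HTTP/1.1\r\nHost: DEV1.SITE.COM\r\nConnection: close\r\n\r\n"
DIRECT_REQUEST = "GET /check.asp HTTP/1.1\r\nHost: DEV1.SITE.COM:81\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("offloaded", OFFLOADED_REQUEST), ("direct", DIRECT_REQUEST)):
        ok, observed, expected = check_host_header(req, "http", 81)
        print(f"{label}: Host={observed!r} expected={expected!r} -> {'OK' if ok else 'MISMATCH'}")
```

Any back-end script that builds absolute URLs from the Host header will see the mismatch flagged here, which is the class of failure the post reports.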

Correct Answer by Gilles Dufour about 11 years 5 months ago

Mike,

this is a known limitation.

Nothing we can do about it right now.


Gilles.
