Using SSL module - Is client IP address passthrough possible

Unanswered Question
Sep 13th, 2006

We have our CSS devices configured for front-end SSL. One impact of this is that the back-end servers see the VIP address of the SSL rule as the incoming client address. Is there a way to use the CSS for SSL offloading but pass through the client IP address?


Thanks in advance for replies.


cheers,


Mike

carenas123 Tue, 09/19/2006 - 05:47
User Badges:
  • Silver, 250 points or more

You can do it with HTTP header insert.

http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/cmdrefgd/cmdsslc.htm


Is there a URL rewrite function to rewrite all http:// traffic to https:// for a given set of content? The "url rewrite" function that one can configure in the ssl-proxy-list only seems to cover redirects. The URL rewrite only rewrites URLs in SSL.


Gilles Dufour Tue, 09/19/2006 - 06:17
User Badges:
  • Cisco Employee,

There is not.

The reason is that it would kill performance to inspect all traffic to do the rewrite.


I would suggest you rewrite your server to avoid direct links and replace them with relative paths.


Gilles.

Gilles Dufour Tue, 09/19/2006 - 06:15
User Badges:
  • Cisco Employee,

Mike,


This is happening because you have a group config to NAT the client IP address.

You probably have a one-armed design.


So, you can either use the other suggestion that was made to you and insert the client ip into the header, then reconfigure your server to extract the ip from the header.


Or, you can also do some redesign to avoid the one-armed config and get rid of client nat.



Gilles.
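Both replies so far converge on the same approach: have the CSS insert the client address into an HTTP header and have the back-end servers read that header instead of the TCP source address. The piece the server side has to get right is trust: once a server honours such a header, anyone who can reach the clear-text port directly can set it themselves, so the header should only be believed when the TCP peer is the offloading device. The sketch below is an added example (not from this thread or from Cisco); the header name, the proxy address and the request bytes are all constructed placeholders, and the header name in particular must match whatever the ssl-proxy-list is configured to insert.

```python
"""
Server-side extraction of the originating client address from a header
inserted by an SSL-offloading proxy, trusting the header only when the
connection actually arrives from that proxy.

Added example; not code from the forum thread or from Cisco.
"""
import ipaddress

# Assumption: placeholder header name. Use whatever name the CSS
# ssl-proxy-list configuration actually inserts.
CLIENT_IP_HEADER = "X-Forwarded-For"

# Assumption: constructed address of the CSS as seen by the servers
# (the source the "server guys" currently see on every connection).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.10")}


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a dict.

    Header names are lower-cased so lookups are case-insensitive;
    the request line is skipped and the body (after the blank line)
    is ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop the request line
    headers = {}
    for line in lines:
        if b":" not in line:
            continue  # malformed header line, ignore it
        name, value = line.split(b":", 1)
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return headers


def real_client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address the application should log / rate-limit on.

    If the TCP peer is not a trusted proxy, the header is ignored:
    a direct client could have set it to anything. If the header is
    missing or not a literal IP address, fall back to the peer.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(CLIENT_IP_HEADER.lower())
    if raw is None:
        return str(peer)
    # Forwarded-for style lists read "client, proxy1, proxy2"; the
    # left-most entry is the originating client.
    candidate = raw.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)


# Constructed sample request, as the server would see it after the CSS
# decrypted it and inserted the client header.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: 203.0.113.7\r\n"
    b"\r\n"
)


def demo() -> str:
    """Resolve the client address for the constructed sample request."""
    return real_client_ip("10.0.0.10", parse_headers(SAMPLE_REQUEST))


if __name__ == "__main__":
    print(demo())
```

The rule encoded in `real_client_ip` is the one to keep in mind when following the header-insert advice: the header is only as trustworthy as the set of hosts allowed to reach the clear-text VIP, so the servers should still restrict that port to the CSS and log the TCP peer alongside the extracted address.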

michael.e.reid Tue, 09/19/2006 - 23:44

Gilles,


We do not have a one armed design or any NATing.


Traffic comes in on the VIP on port 443; this is decrypted by the SSL module and then sent to another VIP on clear-text port 81 (which has an associated content rule pointing to the servers).


The server guys only see traffic coming in from the VIP address.


cheers,


Mike

Gilles Dufour Wed, 09/20/2006 - 05:49
User Badges:
  • Cisco Employee,

Mike,


I'm telling you. This is not possible.

Send me your config and I'll show you where you do the NATing.


Check if you have any "group <...>" config using a vip matching the one you see on the server.

If you do, suspend the group and you will see that the NATing does not occur anymore.


Gilles.
