
Using SSL module - Is client IP address passthrough possible

michael.e.reid
Level 1

We have our CSS devices configured for front-end SSL. One impact of this is that the back-end servers see the VIP address of the SSL rule as the incoming client address. Is there a way to use the CSS for SSL offloading but pass through the client IP address?

Thanks in advance for replies.

cheers,

Mike


carenas123
Level 5

You can do it with HTTP header insert.

http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/cmdrefgd/cmdsslc.htm

Is there a URL rewrite function to rewrite all http:// traffic to https:// for a given set of content? The "url rewrite" function that one can configure in the ssl-proxy-list only seems to cover redirects. The url rewrite only rewrites URLs in SSL.

There is not.

The reason is that it would kill performance to inspect all traffic to do the rewrite.

I would suggest you rewrite your server to avoid direct links and replace them with relative paths.

Gilles.

Gilles Dufour
Cisco Employee

Mike,

This is happening because you have a group config to NAT the client IP address.

You probably have a one-armed design.

So, you can either use the other suggestion that was made to you and insert the client IP into the header, then reconfigure your server to extract the IP from the header.

Or, you can also do some redesign to avoid the one-armed config and get rid of client NAT.

Gilles.
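
The server-side half of the header-insert approach suggested above, as an added example that is not part of the thread or of Cisco's documentation: the server takes the client IP from the inserted header only when the connection really comes from the load balancer. The header name `X-Client-IP` and the address `192.0.2.10` are assumptions standing in for whatever the SSL module inserts and whatever source address the servers see.

```python
import ipaddress

# Assumptions (not from the thread): both values are deployment-specific
# placeholders and must be replaced with what the SSL module really sends.
CLIENT_IP_HEADER = "X-Client-IP"                         # hypothetical header name
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}   # constructed source address


def resolve_client_ip(peer, headers, trusted=TRUSTED_PROXIES, header=CLIENT_IP_HEADER):
    """Return the address the application should log and authorize on.

    peer    -- source address of the TCP connection as seen by the server
    headers -- list of (name, value) request header pairs
    """
    peer_ip = ipaddress.ip_address(peer)
    # Only the load balancer is allowed to assert a client address; a request
    # arriving from anywhere else may carry a header the sender made up.
    if peer_ip not in trusted:
        return str(peer_ip)
    wanted = header.lower()
    values = [v.strip() for k, v in headers if k.lower() == wanted]
    # Missing header, or more than one copy (a client-supplied header next to
    # the inserted one): do not guess, fall back to the connection address.
    if len(values) != 1:
        return str(peer_ip)
    try:
        return str(ipaddress.ip_address(values[0]))
    except ValueError:
        # Not a valid IPv4/IPv6 literal (includes comma-joined duplicates).
        return str(peer_ip)


class ClientIPMiddleware:
    """WSGI wrapper: sets REMOTE_ADDR to the resolved client address and
    keeps the original connection address in PROXY_ADDR for audit logs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        key = "HTTP_" + CLIENT_IP_HEADER.upper().replace("-", "_")
        headers = [(CLIENT_IP_HEADER, environ[key])] if key in environ else []
        environ["PROXY_ADDR"] = environ["REMOTE_ADDR"]
        environ["REMOTE_ADDR"] = resolve_client_ip(environ["REMOTE_ADDR"], headers)
        return self.app(environ, start_response)
```
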

Gilles,

We do not have a one-armed design or any NATing.

Traffic comes in on the VIP on port 443, this is decrypted by the SSL module then sent to another VIP on clear-text port 81 (which has an associated content rule pointing to the servers).

The server guys only see traffic coming in from the VIP address.

cheers,

Mike

Mike,

I'm telling you. This is not possible.

Send me your config and I'll show you where you do the NATing.

Check if you have any "group <...>" config using a VIP matching the one you see on the server.

If you do, suspend the group and you will see that the NATing does not occur anymore.

Gilles.
