12-05-2005 03:26 AM
I tried to implement backend SSL over the weekend and was unsuccessful. I've read all the posts here on SSL back to January and I was sure I had a solid config. I saw lots of traffic hitting the SSL module but it would not pass to the backend content rule. I was getting no hits on the backend services. I've attached the config below. These are our production load balancers so I don't have a place to play with it. Does anyone spot anything glaringly wrong with this? I think it may be an ACL issue but I didn't think traffic generated internally from the CSS to the backend SSL was subject to ACLs. Either that or a source NAT issue, or lack thereof, as that's how we ensure traffic returns through the LB. There is an ACL on the front side that applies NAT via a source group. Thanks!
ssl associate rsakey key key.pem
ssl associate cert cert cert.cer
ssl-proxy-list ssl_list3
ssl-server 10
ssl-server 10 port 50003
ssl-server 10 rsakey key
ssl-server 10 rsacert cert
ssl-server 10 cipher rsa-with-rc4-128-md5 192.168.254.10 81
ssl-server 10 vip address 10.100.24.11
backend-server 10
backend-server 10 cipher rsa-export-with-rc4-40-md5
backend-server 10 type backend-ssl
backend-server 10 ip address 10.100.8.225
backend-server 10 server-ip 10.100.8.225
backend-server 10 server-port 50003
backend-server 10 port 81
backend-server 20
backend-server 20 cipher rsa-export-with-rc4-40-md5
backend-server 20 type backend-ssl
backend-server 20 ip address 10.100.9.137
backend-server 20 server-ip 10.100.9.137
backend-server 20 server-port 50003
backend-server 20 port 81
service ssl_module3
type ssl-accel
keepalive type none
slot 3
add ssl-proxy-list ssl_list3
active
***Services***
service us6qpp01-50003
ip address 10.100.8.225
type ssl-accel-backend
port 81
add ssl-proxy-list ssl_list3
keepalive type ssl
keepalive port 50003
protocol tcp
active
service us6qpp02-50003
ip address 10.100.9.137
type ssl-accel-backend
port 81
add ssl-proxy-list ssl_list3
keepalive type ssl
keepalive port 50003
protocol tcp
active
***Content***
content PortalFront
protocol tcp
vip address 10.100.24.11
application ssl
advanced-balance ssl
add service ssl_module3
port 50003
active
content PortalBack
protocol tcp
port 81
url "/*"
vip address 192.168.254.10
add service us6qpp01-50003
add service us6qpp02-50003
advanced-balance arrowpoint-cookie
active
group group_backside_nat
vip address 10.100.24.129
active
clause 10 permit tcp any destination content Owner1/PortalFront sourcegroup group_backside_nat
clause 11 permit tcp any destination 10.100.24.11 eq 50003
12-05-2005 07:14 AM
Everything coming out of the SSL module is considered traffic coming into the CSS.
Therefore ACLs are applied to this traffic.
The source vlan is the same as for the traffic that entered the SSL module.
So you need a
clause 12 permit tcp any destination 192.168.254.10 eq 81
You may have to permit traffic to real as well. Can't remember for sure this part.
I assume you have to based on the rule mentioned above.
Regards,
Gilles.
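A small simulator of the first-match ACL evaluation Gilles describes, added here as an example (it is not code from the thread or from Cisco): it replays the three flows implied by the posted config against the original two clauses and against the set with clause 12 added. Destination-only matching, the content-rule names, and the implicit final deny are assumptions of this model, not a reproduction of the CSS's full ACL logic.

```python
from dataclasses import dataclass
from typing import Optional

# Content-rule VIPs copied from the config posted above.
CONTENT_VIPS = {
    "Owner1/PortalFront": "10.100.24.11",
    "Owner1/PortalBack": "192.168.254.10",
}


@dataclass(frozen=True)
class Clause:
    number: int
    action: str            # "permit" or "deny"
    dst: str               # an IP, or "content <Owner/Name>" resolved via the VIP table
    port: Optional[int]    # None matches any destination port


def resolve_dst(clause: Clause) -> str:
    """Resolve 'content Owner/Name' to the VIP that content rule listens on."""
    if clause.dst.startswith("content "):
        return CONTENT_VIPS[clause.dst.split(" ", 1)[1]]
    return clause.dst


def evaluate(clauses, dst_ip: str, dst_port: int):
    """First matching clause wins; a CSS ACL ends in an implicit deny (assumed here).
    All clauses on the page use 'any' as source, so only the destination is matched."""
    for c in sorted(clauses, key=lambda c: c.number):
        if resolve_dst(c) == dst_ip and (c.port is None or c.port == dst_port):
            return c.action, c.number
    return "deny", None


# The three hops a request takes: client to front VIP, SSL module to backend
# content VIP, then backend content rule to the real server (constructed flows).
FLOWS = {
    "client -> PortalFront VIP": ("10.100.24.11", 50003),
    "SSL module -> PortalBack VIP": ("192.168.254.10", 81),
    "PortalBack -> real server": ("10.100.8.225", 50003),
}

ORIGINAL = [
    Clause(10, "permit", "content Owner1/PortalFront", None),
    Clause(11, "permit", "10.100.24.11", 50003),
]
WITH_CLAUSE_12 = ORIGINAL + [Clause(12, "permit", "192.168.254.10", 81)]


def check(clauses) -> dict:
    """Return the ACL verdict for every flow, so a missing clause stands out."""
    return {name: evaluate(clauses, ip, port)[0] for name, (ip, port) in FLOWS.items()}
```

Running check(ORIGINAL) shows the SSL-module hop hitting the implicit deny, which matches the "no hits on the backend services" symptom; check(WITH_CLAUSE_12) still denies the hop to the real, which is the case Gilles says may also need a permit.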
12-05-2005 07:29 AM
Thanks Gilles... that's the way it was looking to me but for some reason I was thinking since the processing for the backend ssl was internal to the lbs, it was not processed against the acls... I was just about to change the acls to test but my change window was up and I had to roll back... I'll let you know how it goes!
Thanks again for your input...
Dennis