10-17-2006 01:09 PM
Based on the CSM-SSL configuration below, port 8080 is there to handle the decrypted packets from the SSL module, but it is also accessible from clients via http://1.1.1.1:8080
This may cause a security issue, because the real server can be accessed in clear text. Is there any way to prevent this, and/or a best practice guide for implementing this scenario?
##CSM
!
vserver test-web
 virtual 1.1.1.1 tcp 8080
 serverfarm test-server
 inservice
!
vserver test-ssl
 virtual 1.1.1.1 tcp https
 serverfarm SSL-TRAFFIC
 inservice
!
serverfarm SSL-TRAFFIC
 real 2.2.2.2
  inservice
!
serverfarm test-server
 real 3.3.3.3
  inservice
!
##SSL
!
interface SSL-Proxy0.111
 encapsulation dot1Q 111
 ip address 2.2.2.2 255.255.255.0
!
ssl-proxy context test
!
service test-SSL
 virtual ipaddr 1.1.1.1 protocol tcp port 443 secondary
 server ipaddr 2.2.2.10 protocol tcp port 8080
 inservice
Thanks in advance,
10-18-2006 01:34 AM
Specify a VLAN in the vserver.
This will allow only traffic coming from the SSL VLAN.
If you have no client on this VLAN, then you're good.
Otherwise, move the SSLM to a VLAN used only between CSM-SSLM and use the VLAN ID config under the vserver.
Gilles.
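The change described in the answer above, shown against the `test-web` vserver from the question. This is an added example, not configuration posted by anyone in the thread; it assumes VLAN 111 (the dot1Q tag on `SSL-Proxy0.111` in the question) is the VLAN between the CSM and the SSL module and that no clients sit on it.

```cisco
! Before (as posted in the question): the clear-text vserver has no VLAN
! restriction, so tcp/8080 to 1.1.1.1 is accepted from any VLAN,
! including the client side.
vserver test-web
 virtual 1.1.1.1 tcp 8080
 serverfarm test-server
 inservice
!
! After: the vserver is tied to the CSM-SSLM VLAN, so only connections
! that enter the CSM on that VLAN (decrypted traffic from the SSL module)
! match it. VLAN 111 is an assumption taken from the question's
! SSL-Proxy0.111 subinterface; substitute the VLAN actually used
! between the CSM and the SSLM.
vserver test-web
 virtual 1.1.1.1 tcp 8080
 vlan 111
 serverfarm test-server
 inservice
!
! The HTTPS vserver stays reachable from clients and is left unchanged.
vserver test-ssl
 virtual 1.1.1.1 tcp https
 serverfarm SSL-TRAFFIC
 inservice
```

After applying it, a request to http://1.1.1.1:8080 from a client VLAN should no longer be answered, while https://1.1.1.1 should still reach the real server through the SSL module.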
10-18-2006 05:36 AM
Thanks a lot Gilles