CSM-SSL: how to prevent clear-text access to the real server?

cjrchoi11
Level 1
Based on the CSM-SSL configuration below, port 8080 is meant to handle the decrypted packets from the SSL module, but it can also be accessed by clients at http://1.1.1.1:8080

This may cause a security issue, because the real server can be accessed in clear text. Is there any way to prevent this, and/or a best-practice guide for implementing this scenario?

##CSM
!
vserver test-web
 virtual 1.1.1.1 tcp 8080
 serverfarm test-server
 inservice
!
vserver test-ssl
 virtual 1.1.1.1 tcp https
 serverfarm SSL-TRAFFIC
 inservice
!
serverfarm SSL-TRAFFIC
 real 2.2.2.2
  inservice
!
serverfarm test-server
 real 3.3.3.3
  inservice
!

##SSL
!
interface SSL-Proxy0.111
 encapsulation dot1Q 111
 ip address 2.2.2.2 255.255.255.0
!
ssl-proxy context test
 !
 service test-SSL
  virtual ipaddr 1.1.1.1 protocol tcp port 443 secondary
  server ipaddr 2.2.2.10 protocol tcp port 8080
  inservice

Thanks in advance,

Accepted Solutions

Gilles Dufour
Cisco Employee
Specify a vlan in the vserver.

This will allow only traffic coming from the ssl vlan.

If you have no client on this vlan, then you're good.

Otherwise, move the sslm to a vlan used only between csm-sslm and use the vlan id config under the vserver.

Gilles.
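
A quick check for the fix described in the answer above, as an added example that is not part of the original thread or any Cisco tooling: it parses CSM vserver blocks and reports any in-service vserver on the decrypted-traffic port that is not restricted to the SSL VLAN. The sample configs are constructed from the thread's snippet; VLAN 111 is assumed to be the CSM-to-SSLM VLAN (taken from interface SSL-Proxy0.111), and the function names are hypothetical.

```python
# Added example: flag CSM vservers that expose the decrypted-traffic port
# without being pinned to the SSL VLAN. Function names are hypothetical.

# Constructed sample based on the thread's CSM snippet (indentation restored).
OPEN_CFG = """\
vserver test-web
 virtual 1.1.1.1 tcp 8080
 serverfarm test-server
 inservice
!
vserver test-ssl
 virtual 1.1.1.1 tcp https
 serverfarm SSL-TRAFFIC
 inservice
"""
# Same config with the vserver restricted to VLAN 111 (assumed CSM-SSLM VLAN).
FIXED_CFG = OPEN_CFG.replace(" tcp 8080\n", " tcp 8080\n vlan 111\n")


def parse_vservers(cfg):
    """Return {name: {"virtual": (ip, proto, port), "vlan": id, "inservice": bool}}."""
    vservers, cur = {}, None
    for raw in cfg.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():          # any top-level line closes the block
            cur = None
            if words[0] == "vserver" and len(words) > 1:
                cur = vservers.setdefault(
                    words[1], {"virtual": None, "vlan": None, "inservice": False})
        elif cur is not None:
            if words[0] == "virtual" and len(words) >= 4:
                cur["virtual"] = tuple(words[1:4])
            elif words[0] == "vlan" and len(words) > 1:
                cur["vlan"] = words[1]
            elif words == ["inservice"]:
                cur["inservice"] = True
    return vservers


def unrestricted_cleartext(cfg, backend_port="8080", ssl_vlan="111"):
    """In-service vservers on the clear-text port not limited to the SSL VLAN."""
    return [name for name, v in parse_vservers(cfg).items()
            if v["inservice"] and v["virtual"]
            and v["virtual"][2] == backend_port and v["vlan"] != ssl_vlan]


if __name__ == "__main__":
    print("before:", unrestricted_cleartext(OPEN_CFG))
    print("after: ", unrestricted_cleartext(FIXED_CFG))
```

The parser relies on sub-command indentation, so feed it the running config as the device prints it rather than a flattened copy.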

Thanks a lot Gilles