Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

CSS SSL-proxy sends wrong port # embeded in HTTP Host Header

Load balancing works fine and so does SSL offloading. Sniffer traces show that host header sent to the server on TCP 81 has no port number appended to it as required by the HTTP RFC.

In current configuration, verified by a sniffer, TCP 443 hits the content rule and it sent to the SSL-PROXY where it is sent on TCP 81 clear text to the server. The server is listening on TCP 81 and the website reachable. Some scripts were failing so I checked the HTTP HOST Header tag in a sniffer trace and found that although I am sending it to TCP 81, the host header says:

HOST: DEV1.SITE.COM

When according to the RFC and other sniffer traces to working servers (not load balanced) it should show:

HOST: DEV1.SITE.COM:81

Is this a configuration problem, bug or feature? :)

Thanks!

Mike Kelley

mkelley@navisite.com

---- config attached -----

STGCSS1# sh ver

Version: sg0810002 (08.10.0.02)

!*********************** SSL PROXY LIST ***********************

(IP's changed to protect the innocent!).

ssl-proxy-list STG-SSL-PROXYLIST

ssl-server 20

ssl-server 20 rsakey dev1-key

ssl-server 20 rsacert DEV1.SITE.COM-CERT

ssl-server 20 vip address 100.100.100.203

ssl-server 20 cipher rsa-with-rc4-128-md5 100.100.100.203 81

ssl-server 20 cipher rsa-with-rc4-128-sha 100.100.100.203 81

ssl-server 20 cipher rsa-with-des-cbc-sha 100.100.100.203 81

ssl-server 20 cipher rsa-with-3des-ede-cbc-sha 100.100.100.203 81

ssl-server 20 cipher rsa-export1024-with-des-cbc-sha 100.100.100.203 81

ssl-server 20 cipher rsa-export1024-with-rc4-56-sha 100.100.100.203 81

active

!************************** SERVICE **************************

service STG-SSL-ACCEL

type ssl-accel

keepalive type none

slot 2

add ssl-proxy-list STG-SSL-PROXYLIST

active

!*************************** OWNER ***************************

owner STAGING

content dev1_443

application ssl

vip address 100.100.100.203

add service STG-SSL-ACCEL

protocol tcp

port 443

active

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: CSS SSL-proxy sends wrong port # embeded in HTTP Host Header

Mike,

this is a known limitation.

Nothing we can do about it right now.

Gilles.

2 REPLIES
Cisco Employee

Re: CSS SSL-proxy sends wrong port # embeded in HTTP Host Header

Mike,

this is a known limitation.

Nothing we can do about it right now.

Gilles.

Community Member

Re: CSS SSL-proxy sends wrong port # embeded in HTTP Host Header

Gilles,

Thanks for the quick respose!

Mike

324
Views
0
Helpful
2
Replies
CreatePlease to create content