CSS11506 Help SSL config

dclee
Level 1

Well, I was able to get the 11506 to proxy to different web servers based on URL statements. Now I am testing SSL reverse proxy. I have the SSL module installed. So I have one web server on port 80 behind the CSS. https://www.test.com resolves to the VIP of the CSS. I have created a self-signed cert for test purposes. So it seems to be working about 80 percent, as I get the prompt for the certificate and get to the login screen of the web server; however, as soon as I log in, it puts me back to an HTTP URL, so it works but it is no longer encrypted. If I take the HTTP content rule out, then I can't seem to get past the web server login prompt. I am a little confused as to whether or not I need the HTTP rule in addition to the SSL rules.

Here is the config

ssl associate rsakey myrsakey1 CSSrsakey1
ssl associate cert myrsacert1 CSScertfile1

ip route 0.0.0.0 0.0.0.0 192.168.20.1 1

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 192.168.20.20 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl-list
  ssl-server 90
  ssl-server 90 vip address 192.168.20.100
  ssl-server 90 cipher rsa-with-des-cbc-sha 192.168.20.50 80
  ssl-server 90 cipher rsa-with-3des-ede-cbc-sha 192.168.20.50 80
  ssl-server 90 cipher rsa-with-rc4-128-sha 192.168.20.50 80
  ssl-server 90 cipher rsa-with-rc4-128-md5 192.168.20.50 80
  ssl-server 90 rsacert myrsacert1
  ssl-server 90 rsakey myrsakey1
  active

!************************** SERVICE **************************
service SSLWWW
  type ssl-accel
  slot 6
  keepalive type none
  add ssl-proxy-list ssl-list
  active

service rprox1
  ip address 192.168.20.50
  protocol tcp
  port 80
  active

service rprox2
  ip address 192.168.20.60
  protocol tcp
  port 80

!*************************** OWNER ***************************
owner CMPA
  content HTTP_rule
    add service rprox1
    url "//www.test.com/*"
    protocol tcp
    port 80
    vip address 192.168.20.100
    active

  content ssl
    vip address 192.168.20.100
    application ssl
    add service SSLWWW
    protocol tcp
    port 443
    active

owner clee
  content redirect_rule_2
    add service rprox2
    vip address 192.168.20.100
    url "//www.test1.com/*"
    protocol tcp
    port 80

CSS11506#

Any help is appreciated

3 Replies

diro
Level 1

Probably you're getting an HTTP redirect after login. To be sure this is the case, you should sniff out the traffic. If this is the case, then you should enable URL rewrite.

Great, thanks a lot guys for the tip. Using the URL rewrite I am now able to keep the HTTPS session connection even after the login.

Cheers

Dave
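
The check suggested in the replies, as an added example that is not part of the original thread: it parses a captured back-end response, flags a redirect whose Location header sends the client from the SSL site back to clear-text HTTP, and returns the https Location a URL rewrite would produce. The sample response and the function names are constructed for illustration, and the rewrite logic is a simplified model, not the CSS implementation.

```python
# Added example (not from the thread): detect an HTTPS-to-HTTP downgrade in a
# back-end redirect and show the Location value a URL rewrite would send.
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: what the port-80 web server might send after login when
# it does not know the client reached it through the SSL VIP.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://www.test.com/home\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

def parse_response(raw):
    """Return (status_code, headers) from raw HTTP response bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(raw, ssl_host, ssl_port=443, clear_port=80):
    """Return the rewritten https Location if the response downgrades, else None."""
    status, headers = parse_response(raw)
    location = headers.get("location")
    if status not in (301, 302, 303, 307, 308) or not location:
        return None
    url = urlsplit(location)
    if url.scheme != "http" or (url.hostname or "").lower() != ssl_host.lower():
        return None  # relative, already https, or a different site
    if (url.port or 80) != clear_port:
        return None  # not the clear-text port that fronts this SSL site
    netloc = ssl_host if ssl_port == 443 else f"{ssl_host}:{ssl_port}"
    return urlunsplit(("https", netloc, url.path, url.query, url.fragment))

if __name__ == "__main__":
    fixed = check_redirect(SAMPLE_RESPONSE, "www.test.com")
    print("downgrade redirect; rewritten Location:", fixed)
```

Feed it the response bytes taken from a capture on the server side of the CSS; a non-None result means the login redirect is what drops the session out of HTTPS.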
