10-04-2002 12:23 PM
The website we're load-balancing with our CSS 11150 is an e-commerce site that will redirect the user to an SSL page which resides on the same server upon checkout. I was attempting to follow the tutorial given by this link (http://www.cisco.com/warp/public/117/converting_ssl_http.html), but didn't quite understand the example given. More specifically, the page says:
"During the client's session, the transition is made to SSL port 443. This causes a new content rule to be hit and the client is load-balanced to another server. To prevent this from occurring, configure an HREF pointing the server back to itself:"
"<A HREF=https://ip_address/path> secure site </A>"
The PDF version of the document uses this URL:
"http://kbase.cisco.com/paws_data/16202/<A HREF="javascript:newWin('https://ip_address/path')>secure site</A>"
Besides the confusion that these conflicting results produce, I'm still not sure exactly what the URL is referencing.
An example of our setup is as follows:
(Public)
Arrowpoint IP: 123.123.123.215
Arrowpoint VIP: 123.123.123.220
(Private)
Arrowpoint IP: 10.0.0.1
WS-1: 10.0.0.2
WS-2: 10.0.0.3
Domain Name: http://www.our-domain.com
Based on this information, how would I construct the URL I would need to embed within our webpage in order to convert an HTTP session to SSL and stay stuck?
Thanks,
Andy
10-06-2002 04:33 AM
Andy,
In general what you want to happen is when the port 80 session is on a server and the client goes over to 443, you want your server to push the client back to the same server on 443 through another private vip.
So if you have 2 physical servers being load balanced, you would need 2 additional content rules configured as port 443 with a separate vip from the one you originally hit when you went to the server on 80.
I'm not a webserver guy, but however you configure an HREF, you want to configure it to send the request to a vip which will in turn send it back to the server on 443 this time.
ie:
content public_vip
  vip address 123.123.123.220
  protocol tcp
  port 80
  add service WS-1
  add service WS-2
  active

content WS-1
  vip address 123.123.123.221 <-- new vip for HREF to server #1
  protocol tcp
  port 443
  add service WS-1
  active

content WS-2
  vip address 123.123.123.222 <-- new vip for HREF to server #2
  protocol tcp
  port 443
  add service WS-2
  active

The HREF on WS-1 will point to vip 123.123.123.221
The HREF on WS-2 will point to vip 123.123.123.222
Hope this makes more sense
Pete Knoops
Cisco Systems
10-11-2002 11:36 AM
A new issue has popped up in regards to going between protocols. While referencing a new VIP specifying a specific server worked for sticking an old http session to a new ssl session, we're losing that stickiness when the user clicks on a link that takes them back to an http link. We're using advanced-balance sticky-srcip for the content rules, and I thought that this would keep the user on the same server once an http session is resumed since their entry in the sticky table should still exist.
If possible, I would like to avoid using another two IP addresses as VIPs for http-server specific content rules since this would create a scaling nightmare once we start adding new servers behind the content switch. Is there another way to resolve this? Thanks.
-A.Hsu
10-11-2002 11:50 AM
In regards to my last post, here's our current setup:
!*************************** GLOBAL ***************************
bridge spanning-tree disabled
restrict telnet
ip route 0.0.0.0 0.0.0.0 10.0.0.1 1

!************************* INTERFACE *************************
interface e2
  bridge vlan 2

interface e3
  bridge vlan 2

!************************** CIRCUIT **************************
circuit VLAN1
  description "External"
  ip address 10.0.0.33 255.255.255.0

circuit VLAN2
  description "Internal"
  ip address 172.20.0.1 255.255.255.0

!************************** SERVICE **************************
service ws-1
  ip address 172.20.0.31
  protocol tcp
  active

service ws-2
  ip address 172.20.0.32
  protocol tcp
  active

!*************************** OWNER ***************************
owner arrowpoint

  content vip-arrowpoint
    protocol tcp
    port 80
    vip address 10.0.0.30
    add service ws-1
    add service ws-2
    advanced-balance sticky-srcip
    active

  content ws-1-ssl
    protocol tcp
    port 443
    vip address 10.0.0.31
    add service ws-1
    advanced-balance sticky-srcip
    active

  content ws-2-ssl
    protocol tcp
    port 443
    add service ws-2
    vip address 10.0.0.32
    advanced-balance sticky-srcip
    active

!*************************** GROUP ***************************
group arrowpoint
  add service ws-1
  add service ws-2
  vip address 10.0.0.30
  active
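
Added example, not part of the thread and not Cisco code: a check that parses content rules in the style of the config posted above and confirms that every service behind the shared port 80 rule has its own single-service port 443 rule on a distinct VIP, then derives the per-server HREF. The function names and the `/checkout` path are hypothetical, and the sample is condensed from the posted config.

```python
import re

# Constructed sample: the content rules from the config posted above, condensed.
SAMPLE = """\
owner arrowpoint
  content vip-arrowpoint
    port 80
    vip address 10.0.0.30
    add service ws-1
    add service ws-2
  content ws-1-ssl
    port 443
    vip address 10.0.0.31
    add service ws-1
  content ws-2-ssl
    port 443
    add service ws-2
    vip address 10.0.0.32
group arrowpoint
  add service ws-1
"""

def parse_content_rules(config):
    """Return {rule: {"port", "vip", "services"}} for each content rule."""
    rules, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("content "):
            cur = rules.setdefault(line.split()[1], {"port": None, "vip": None, "services": []})
        elif re.match(r"(owner|group|service|circuit|interface)\s|!", line):
            cur = None  # left the content-rule context
        elif cur is not None and line.startswith("port "):
            cur["port"] = int(line.split()[1])
        elif cur is not None and line.startswith("vip address "):
            cur["vip"] = line.split()[2]
        elif cur is not None and line.startswith("add service "):
            cur["services"].append(line.split()[2])
    return rules

def ssl_href_map(rules, path="/checkout"):  # path is a hypothetical placeholder
    """Map each port 80 service to the https URL of its own single-service VIP."""
    shared = {s for r in rules.values() if r["port"] == 80 for s in r["services"]}
    pinned = {}
    for name, r in rules.items():
        if r["port"] == 443:
            if len(r["services"]) != 1 or not r["vip"] or r["vip"] in pinned.values():
                raise ValueError(f"{name}: needs exactly one service and a unique VIP")
            pinned[r["services"][0]] = r["vip"]
    if shared - pinned.keys():
        raise ValueError(f"no dedicated SSL rule for: {sorted(shared - pinned.keys())}")
    return {s: f"https://{pinned[s]}{path}" for s in sorted(shared)}
```

Each server would emit only its own entry as the checkout link. The host in that URL has to match the name on that server's certificate, so in practice a per-server DNS name resolving to the VIP would stand in for the raw address.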