08-31-2006 03:52 AM
Hi,
We have the following CSS 11500 with ssl offload.
Version: sg0750103 (07.50.1.03)
Flash (Locked): 07.20.0.03
Flash (Operational): 07.50.1.03
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set
I was wondering if the following is possible :
Environment :
-> Sorryserver(url http://sorryserver.corporate.be)
-> content 1 (http) : service 1
-> content 2 (https) : service 2
-> Maintenance IP range : 10.10.10.x
I want to create a sorry server based on a redirect that is able to redirect the requests for both contents (is this possible? It works for http, but redirecting https to http doesn't seem to work (I'm sure I'm missing something)).
The service I had in mind is something like this :
service Sorry_Service
  ip address 2.2.2.2
  keepalive type none
  type redirect
  no prepend-http
  redirect-string "http://sorryserver.corporate.be"
  active
Second thing I would like to implement (I don't know if this works) is a Maintenance ACL for both backend servers. The idea is that when our system administrators do maintenance I would like to enable an ACL so users can be redirected to the sorry-server, but the admins themselves can still connect through the appropriate content rule.
I was thinking about (I don't really know if it is possible to enforce multiple ACLs because all the examples I have found only show one ACL) something like this :
acl 1
  clause 10 permit tcp 10.10.10.0 destination content OWNER/Content1 prefer service1
  clause 20 permit tcp any destination content OWNER/Content1 prefer Sorry_Service
  clause 99 permit any any destination any
  apply all
acl 2
  clause 10 permit tcp 10.10.10.0 destination content OWNER/Content2 prefer service2
  clause 20 permit tcp any destination content OWNER/Content2 prefer Sorry_Service
  clause 99 permit any any destination any
  apply all
This way I could enable an ACL whenever Maintenance is planned. Is this possible or am I seeing things too simply?
Any suggestions would be appreciated.
Kind regards,
Ronny
08-31-2006 04:45 AM
Ronny,
the ACL is ok.
For redirecting HTTPS, you first need an ssl module or ssl offloader.
The CSS can't decrypt HTTPS traffic without the ssl module. And so it also can't encrypt an HTTP redirect.
Gilles.
08-31-2006 04:57 AM
Gilles,
Thanks for the info. Just to be sure, you mean I have to redirect by sending the request through the ssl-module. This would mean a config like :
ssl-proxy-list COMPANY
  ssl-server 111 vip address 1.1.1.1
  ssl-server 111 unclean-shutdown
  ssl-server 111 cipher rsa-with-rc4-128-md5 1.1.1.1 80
  ssl-server 111 rsakey companykey
  ssl-server 111 rsacert companycert
  active
service Sorry_Service
  ip address 2.2.2.2
  keepalive type none
  type redirect
  no prepend-http
  redirect-string "http://sorryserver.corporate.be"
  active
content Ssl_Redirect
  add service ssl_module
  advanced-balance ssl
  protocol tcp
  application ssl
  vip address 1.1.1.1
  port 443
  active
content Http_Redirect
  vip address 1.1.1.1
  protocol tcp
  port 80
  url "/*"
  add service Sorry_Service
  active
Is this what you mean? Because the problem I have with this is that the request will be mapped against the certificate provided by the CSS (so making this company-wide (multiple domains) will imply a configuration for every domain).
Is this conclusion correct?
Kind regards,
Ronny
08-31-2006 11:46 AM
Ronny,
that's what I had in mind.
So you will need to implement it for every domain unless you get a wildcard certificate.
Gilles.
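Added example, not part of the thread and not Cisco code: a Python check of which HTTPS hostnames a single wildcard certificate would cover, to show where the "one configuration per domain" conclusion still applies even with a wildcard. The hostnames and the certificate name list are constructed for illustration (only the corporate.be domain appears in the thread), and the matching rule assumed is the RFC 6125 one: the wildcard is the whole left-most label and stands for exactly one label.

```python
# Added example: which HTTPS hostnames does one certificate cover?
# All names below are constructed sample data, not taken from a real config.

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole left-most
    label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.be" never matches anything.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def plan_coverage(cert_names, hosts):
    """Split hosts into those the certificate covers and those that need
    their own certificate (and so their own SSL termination entry)."""
    covered, uncovered = [], []
    for host in hosts:
        ok = any(name_matches(n, host) for n in cert_names)
        (covered if ok else uncovered).append(host)
    return covered, uncovered

CERT_NAMES = ["*.corporate.be"]      # constructed wildcard certificate names
HTTPS_HOSTS = [                      # constructed list of HTTPS VIP hostnames
    "www.corporate.be",
    "shop.corporate.be",
    "corporate.be",                  # apex: not covered by *.corporate.be
    "a.b.corporate.be",              # two labels deep: not covered
    "www.corporate.com",             # different domain: not covered
]

if __name__ == "__main__":
    covered, uncovered = plan_coverage(CERT_NAMES, HTTPS_HOSTS)
    print("covered by wildcard:", covered)
    print("need another certificate:", uncovered)
```

Hostnames in the second list would still produce a certificate name mismatch in the browser before the redirect is ever seen, so each needs its own certificate or an additional name on the existing one.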