Sorry Server and Maintenance ACL

rgeerkens
Level 1

Hi,

We have the following CSS 11500 with SSL offload.

Version: sg0750103 (07.50.1.03)
Flash (Locked): 07.20.0.03
Flash (Operational): 07.50.1.03
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set

I was wondering if the following is possible:

Environment:

-> Sorry server (URL http://sorryserver.corporate.be)
-> content 1 (http): service 1
-> content 2 (https): service 2
-> Maintenance IP range: 10.10.10.x

I want to create a sorry server based on a redirect that is able to redirect the requests for both contents. Is this possible? It works for HTTP, but redirecting HTTPS to HTTP doesn't seem to work (I'm sure I'm missing something).

The service I had in mind is something like this:

service Sorry_Service
  ip address 2.2.2.2
  keepalive type none
  type redirect
  no prepend-http
  redirect-string "http://sorryserver.corporate.be"
  active

The second thing I would like to implement (I don't know if this works) is a maintenance ACL for both backend servers. The idea is that when our system administrators do maintenance I would like to enable an ACL so users can be redirected to the sorry server, but the admins themselves can still connect through the appropriate content rule.

I was thinking about something like this (I don't really know if it is possible to enforce multiple ACLs, because all the examples I have found only show one ACL):

acl 1
  clause 10 permit tcp 10.10.10.0 destination content OWNER/Content1 prefer service1
  clause 20 permit tcp any destination content OWNER/Content1 prefer Sorry_Service
  clause 99 permit any any destination any
  apply all

acl 2
  clause 10 permit tcp 10.10.10.0 destination content OWNER/Content2 prefer service2
  clause 20 permit tcp any destination content OWNER/Content2 prefer Sorry_Service
  clause 99 permit any any destination any
  apply all

This way I could enable an ACL whenever maintenance is planned. Is this possible, or am I seeing things too simply?

Any suggestions would be appreciated.

Kind regards,

Ronny
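As an added illustration, not from the post or from Cisco, the following Python models how the maintenance ACL above is meant to steer traffic: first-match evaluation in clause order, "prefer" selecting the service, and (as modelled here) an implicit deny once an ACL is enabled, which is why the catch-all clause 99 matters. The source "10.10.10.0" is assumed to mean 10.10.10.0/24.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of the CSS maintenance ACL from the post (not CSS code).
# Assumptions: "10.10.10.0" is the /24 admin range; clauses are tested in
# ascending order and the first match wins; "prefer" names the service the
# matching flow is sent to; with the ACL enabled, an unmatched flow is denied.

@dataclass
class Clause:
    number: int
    source: str              # "any" or a constructed CIDR prefix
    content: str             # "any" or a content rule such as OWNER/Content1
    prefer: Optional[str]    # preferred service, or None for a plain permit

    def matches(self, src_ip: str, content: str) -> bool:
        src_ok = (self.source == "any"
                  or ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source))
        dst_ok = self.content in ("any", content)
        return src_ok and dst_ok

def first_match(clauses: List[Clause], src_ip: str, content: str) -> Optional[Clause]:
    for clause in sorted(clauses, key=lambda c: c.number):
        if clause.matches(src_ip, content):
            return clause
    return None  # nothing permitted this flow: implicit deny

def select_service(acl_enabled: bool, clauses: List[Clause], src_ip: str,
                   content: str, default_service: str) -> Optional[str]:
    """Return the service a flow lands on, or None if the ACL drops it."""
    if not acl_enabled:            # ACL disabled: the content rule balances normally
        return default_service
    clause = first_match(clauses, src_ip, content)
    if clause is None:
        return None
    return clause.prefer or default_service

# acl 1 from the post, transcribed as data
ACL_1 = [
    Clause(10, "10.10.10.0/24", "OWNER/Content1", "service1"),
    Clause(20, "any", "OWNER/Content1", "Sorry_Service"),
    Clause(99, "any", "any", None),
]

if __name__ == "__main__":
    for ip in ("10.10.10.5", "192.0.2.7"):
        print(ip, "->", select_service(True, ACL_1, ip, "OWNER/Content1", "service1"))
```

Removing clause 99 from the list shows the failure mode: a flow to any other content rule returns None (dropped) instead of its normal service.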

3 Replies

Gilles Dufour
Cisco Employee

Ronny,

The ACL is OK.

For redirecting HTTPS, you first need an SSL module or SSL offloader.

The CSS can't decrypt HTTPS traffic without the SSL module, and so it also can't encrypt an HTTP redirect.

Gilles.

Gilles,

Thanks for the info. Just to be sure, you mean I have to redirect by sending the request through the SSL module. This would mean a config like:

ssl-proxy-list COMPANY
  ssl-server 111 vip address 1.1.1.1
  ssl-server 111 unclean-shutdown
  ssl-server 111 cipher rsa-with-rc4-128-md5 1.1.1.1 80
  ssl-server 111 rsakey companykey
  ssl-server 111 rsacert companycert
  active

service Sorry_Service
  ip address 2.2.2.2
  keepalive type none
  type redirect
  no prepend-http
  redirect-string "http://sorryserver.corporate.be"
  active

content Ssl_Redirect
  add service ssl_module
  advanced-balance ssl
  protocol tcp
  application ssl
  vip address 1.1.1.1
  port 443
  active

content Http_Redirect
  vip address 1.1.1.1
  protocol tcp
  port 80
  url "/*"
  add service Sorry_Service
  active

Is this what you mean? The problem I have with this is that the request will be matched against the certificate provided by the CSS (so making this company-wide, with multiple domains, will imply a configuration for every domain).

Is this conclusion correct?

Kind regards,

Ronny

Ronny,

That's what I had in mind.

So you will need to implement it for every domain unless you get a wildcard certificate.

Gilles.