Cisco Support Community

New Member

SSL Redirect Port ?

Hello All,

I'm a little confused, and I'm not getting there.

I had this config scheme, and it works fine:

All SSL traffic is ended in the SSL module and given back to the content as port 80.

It matches the content HTTP-Aplj, and sends traffic to service esl0011-7777.

It works fine, with http and https.

Then I tried the following many times, unsuccessfully:

I want the http traffic to go just like in the current config, ending on the backend servers on port 7777, but I want the https traffic to be redirected to 4443.

I have made some attempts on several parts of the config, adding new services for port 4443, an ssl-proxy-list, and a new content.

I even got this message when I was trying to activate the content SSL.Aplj:

%% Not all content VIP:Port combinations are configured in a ssl-proxy-list for sslAccel type of services

Please give me some ideas to achieve this goal.

The following config is the basic config for the 1st step. The working one.

Best Regards,

Bruno Petrónio

************** SSL-Proxy-List **************

ssl-server 90 vip address 10.1.2.136

ssl-server 90 urlrewrite 1 https:\\10.1.2.136

ssl-server 90 rsacert xxxxcert

ssl-server 90 rsakey xxxxkey

ssl-server 90 cipher rsa-export-with-rc4-40-md5 10.1.2.136 80

************** SERVICE **************

service MODSSL

slot 2

type ssl-accel

keepalive type none

add ssl-proxy-list ssl1

active

service esl0011-7777

ip address 10.1.1.120

port 7777

keepalive type http

keepalive port 7777

keepalive uri "/"

active

************** OWNER **************

owner Test

content HTTP-Aplj

vip address 10.1.2.136

port 80

protocol tcp

add service esl0011-7777

redundancy-l4-stateless

active

content SSL-Aplj

vip address 10.1.2.136

add service MODSSL

application ssl

advanced-balance ssl

protocol tcp

port 443

url "/*"

redundancy-l4-stateless

active

4 REPLIES
Cisco Employee

Re: SSL Redirect Port ?

Try the following:

ssl-server 90 vip address 10.1.2.136

ssl-server 90 urlrewrite 1 10.1.2.136

ssl-server 90 rsacert xxxxcert

ssl-server 90 rsakey xxxxkey

ssl-server 90 cipher rsa-export-with-rc4-40-md5 10.1.2.136 4443

service esl0011-4443

ip address 10.1.1.120

port 4443

keepalive type http

keepalive uri "/"

active

content HTTP-4443

vip address 10.1.2.136

port 4443

protocol tcp

add service esl0011-4443

active

BTW, I also corrected your urlrewrite command as it was incorrect. You need to specify the host. So not http or https in front.

Gilles.

New Member

Re: SSL Redirect Port ?

Great,

I have to tell you I have tried this config before, and it was not working.

Guess what, the Oracle guys were changing things.

Many thanks Gilles,

I suppose it will work fine.

I'm just waiting for a clear time to test.

I'll give feedback later.

Best Regards,

Bruno Petrónio

New Member

Re: SSL Redirect Port ?

Once again,

Thanks a lot for your help.

Just a note, I realise you corrected my urlrewrite ssl-server sentence. Thanks.

But I have all the ssl servers configured like the one I posted. If I change to the way you said, what should I expect? This is working fine as it is.

Best Regards,

Bruno Petrónio

Cisco Employee

Re: SSL Redirect Port ?

Bruno,

Are you sure the redirect function works?

Are your servers sending HTTP 302 redirect messages?

Did you see if they were correctly rewritten from http to https? You may not see it if your browser does not inform you that you are switching to a non-secure page.

The urlredirect command normally takes a hostname (or ip address) and it works by scanning the redirect message to find a link that contains the string you have configured.

Nowhere in the message will you see what you have configured.

So, I would be surprised if it works.

Gilles.
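
Added example, not part of the thread and not Cisco's implementation: a simplified Python model of the matching described in the reply above, showing why a rule written as https:\\10.1.2.136 leaves server redirects on plain HTTP while the host-only form rewrites them. The function names, the assumption that the link sits in the Location header, and the sample responses are constructed for illustration.

```python
# Simplified model of the redirect matching described in the thread.
# Not the CSS implementation; all sample responses below are constructed.
from urllib.parse import urlsplit, urlunsplit


def rewrite_location(status, location, rule):
    """Return (location_sent_to_client, was_rewritten) for one server response."""
    if status != 302 or not location:
        return location, False          # only redirect messages are scanned
    parts = urlsplit(location)
    # Assumption: the configured string is searched for in the link's host part.
    if parts.scheme != "http" or rule not in parts.netloc:
        return location, False          # no match: link passes through unchanged
    return urlunsplit(("https",) + tuple(parts[1:])), True


def downgrades(responses, rule):
    """List Location values that would still send the client to plain HTTP."""
    left = []
    for status, location in responses:
        sent, _ = rewrite_location(status, location, rule)
        if status == 302 and sent and urlsplit(sent).scheme == "http":
            left.append(sent)
    return left


# Constructed backend responses: (status code, Location header value or None)
SAMPLE = [
    (302, "http://10.1.2.136/app/login"),
    (302, "http://10.1.2.136/app/home?lang=en"),
    (200, None),
]
RULE_AS_POSTED = r"https:\\10.1.2.136"   # form used in the original config
RULE_HOST_ONLY = "10.1.2.136"            # form suggested in the reply

if __name__ == "__main__":
    for rule in (RULE_AS_POSTED, RULE_HOST_ONLY):
        print(rule, "-> still on http:", downgrades(SAMPLE, rule))
```

On a live setup the equivalent check is to capture the backend's 302 responses and compare the Location value the client receives with the one the server sent.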
