Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

SSL & URL Problem

I have a customer who requires client access to specific SSL / https content on different servers using different TCP port numbers.

Using standard http we used the 'url' command in the content rules as follows:

url "/scripts/wgate/webgui_TST*"

However, when we try this in a content rule using SSL it doesn't work as (I presume) the SSL Hello never gets responded to.

I have seen a few messages already posted highlighting this problem.. Does anyone have any suggestions on workaround options..? Is there a way to redirect SSL / https traffic.?

My contnent rule for standard http looks as follows:

content standard-http

add service sss02-83

add service sss03-83

vip address xxx.xxx.xxx.xxx

balance aca

protocol tcp

port 80

url "/scrs/wate/webgui_STS*"

advanced-balance arrowpoint-cookie

active

I need to do the same but using SSL..

Any help would be appreciated.

Cheers....J Pepper

EDS

5 REPLIES
Community Member

Re: SSL & URL Problem

John,

With SSL traffic, the CSS cannot see the URL. The only systems that can see the URL are the SSL server and the SSL client.

With that in mind, the only things we can load balance SSL on is the TCP port and IP address. Any layer 5 information is encrypted.

-Steve

Community Member

Re: SSL & URL Problem

Steve,

Thanks for the reply.

We did come up with a workaround using the 'redirect' command in the main http Contnet Rules. This 'redirected' user traffic to a different url which in turn pointed at a Contnet Rule / VIP configured for SSL. This means users only ever had to remember specific business http url's

An extract from our test config is shown below. It seems to work ok. Do you see this as a valid configuration.?

content abc-http

vip address 192.168.1.100

balance aca

protocol tcp

port 80

url "/scs/ate/gui_TST*"

advanced-balance arrowpoint-cookie

redirect "https://wwwtst.tst.zero.com/scs/ate/gui_TST/!"

active

content ssl-abc

add service ssl-as02-ts-port-1443

add service ssl-as03-ts-port-1443

advanced-balance ssl

application ssl

balance aca

vip address 192.168.1.101

protocol tcp

port 443

url "/*"

active

Cheers...John

Community Member

Re: SSL & URL Problem

John,

That config is valid. You just need to make sure all the SSL (HTTPS) links have the proper host name that resolves to the .101 address. Also, make sure the SSL cert has a "cn" field with the proper domain name. If it does not match, then the user will get a warning message on the browser stating the domain names don't match.

-Steve

Cisco Employee

Re: SSL & URL Problem

to complete Steve answer, you can alsu use an SSL offloader to decrypt the traffic for the CSS so the CSS can see the url and http header.

The CSS11500 can receive an ssl module to do the ssl encryption/decryption.

You can also use a SCA as an external SSL offloader.

Regards,

Gilles.

Community Member

Re: SSL & URL Problem

Steve / Giles,

Thanks for the responses, much appreciated and helpful information.

Cheers...John

214
Views
0
Helpful
5
Replies
CreatePlease to create content