04-06-2004 05:57 AM
I have a customer who requires client access to specific SSL / https content on different servers using different TCP port numbers.
Using standard http we used the 'url' command in the content rules as follows:
url "/scripts/wgate/webgui_TST*"
However, when we try this in a content rule using SSL it doesn't work as (I presume) the SSL Hello never gets responded to.
I have seen a few messages already posted highlighting this problem. Does anyone have any suggestions on workaround options? Is there a way to redirect SSL / https traffic?
My content rule for standard http looks as follows:
content standard-http
add service sss02-83
add service sss03-83
vip address xxx.xxx.xxx.xxx
balance aca
protocol tcp
port 80
url "/scrs/wate/webgui_STS*"
advanced-balance arrowpoint-cookie
active
I need to do the same but using SSL.
Any help would be appreciated.
Cheers....J Pepper
EDS
04-06-2004 11:29 AM
John,
With SSL traffic, the CSS cannot see the URL. The only systems that can see the URL are the SSL server and the SSL client.
With that in mind, the only things we can load balance SSL on are the TCP port and IP address. Any layer 5 information is encrypted.
-Steve
04-07-2004 04:41 AM
Steve,
Thanks for the reply.
We did come up with a workaround using the 'redirect' command in the main http Content Rules. This 'redirected' user traffic to a different URL which in turn pointed at a Content Rule / VIP configured for SSL. This means users only ever had to remember specific business http URLs.
An extract from our test config is shown below. It seems to work ok. Do you see this as a valid configuration?
content abc-http
vip address 192.168.1.100
balance aca
protocol tcp
port 80
url "/scs/ate/gui_TST*"
advanced-balance arrowpoint-cookie
redirect "https://wwwtst.tst.zero.com/scs/ate/gui_TST/!"
active
content ssl-abc
add service ssl-as02-ts-port-1443
add service ssl-as03-ts-port-1443
advanced-balance ssl
application ssl
balance aca
vip address 192.168.1.101
protocol tcp
port 443
url "/*"
active
Cheers...John
04-07-2004 11:08 AM
John,
That config is valid. You just need to make sure all the SSL (HTTPS) links have the proper host name that resolves to the .101 address. Also, make sure the SSL cert has a "cn" field with the proper domain name. If it does not match, then the user will get a warning message on the browser stating the domain names don't match.
-Steve
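A check for the host-name / certificate condition Steve describes, added here as an example (it is not CSS or Cisco code): it pulls the host names out of the `redirect` targets in a content rule and tests them against the CN and DNS SANs of the certificate served on the SSL VIP, using the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The sample rule and certificate below are constructed for the example.

```python
"""Verify that every 'redirect' target host name in a CSS content rule is
covered by the certificate on the SSL VIP (added example, not CSS code)."""
import re
from urllib.parse import urlsplit

# Constructed sample: the http content rule from the thread, whose redirect
# sends browsers to the host name that should resolve to the SSL VIP.
SAMPLE_RULE = """content abc-http
  vip address 192.168.1.100
  protocol tcp
  port 80
  url "/scs/ate/gui_TST*"
  redirect "https://wwwtst.tst.zero.com/scs/ate/gui_TST/!"
  active
"""

def redirect_hosts(config: str) -> list:
    """Return the host name of every redirect "..." line in the config."""
    return [urlsplit(url).hostname
            for url in re.findall(r'redirect\s+"([^"]+)"', config)]

def cert_names(cert: dict) -> list:
    """Collect the CN and DNS SANs from an ssl.getpeercert()-style dict."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn
             if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [n.lower() for n in names]

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or one '*' covering the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        # The wildcard matches exactly one label, never a.b.example.com.
        return (host.count(".") == pattern.count(".")
                and host.endswith(pattern[1:]))
    return False

def host_covered(cert: dict, host: str) -> bool:
    """True if the CN or any DNS SAN in the cert covers 'host'."""
    return any(name_matches(n, host) for n in cert_names(cert))

def uncovered_hosts(config: str, cert: dict) -> list:
    """Redirect targets whose host name the SSL VIP's cert does not cover;
    each one would produce the browser name-mismatch warning."""
    return [h for h in redirect_hosts(config) if not host_covered(cert, h)]
```

Feed it the dict from `getpeercert()` on a verified connection to the SSL VIP; an empty list from `uncovered_hosts` means the redirect host names and the certificate agree.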
04-07-2004 04:20 AM
To complete Steve's answer, you can also use an SSL offloader to decrypt the traffic for the CSS so the CSS can see the url and http header.
The CSS11500 can receive an ssl module to do the ssl encryption/decryption.
You can also use a SCA as an external SSL offloader.
Regards,
Gilles.
04-07-2004 11:41 AM
Steve / Gilles,
Thanks for the responses, much appreciated and helpful information.
Cheers...John