09-13-2006 03:51 AM
We have our CSS devices configured for front-end SSL. One impact of this is that the back-end servers see the VIP address of the SSL rule as the incoming client address. Is there a way to use the CSS for SSL offloading but pass through the client IP address?
Thanks in advance for replies.
cheers,
Mike
09-19-2006 05:47 AM
You can do it with HTTP header insert.
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/cmdrefgd/cmdsslc.htm
Is there a URL rewrite function to rewrite all http:// traffic to https:// for a given set of content? The "url rewrite" function that one can configure in the ssl-proxy-list only seems to cover redirects. The url rewrite only rewrites URLs in SSL.
09-19-2006 06:17 AM
There is not.
The reason is that it would kill performance to inspect all traffic to do the rewrite.
I would suggest you rewrite your server to avoid direct links and replace them with relative paths.
Gilles.
09-19-2006 06:15 AM
Mike,
This is happening because you have a group config to NAT the client IP address.
You probably have a one-armed design.
So, you can either use the other suggestion that was made to you and insert the client IP into the header, then reconfigure your server to extract the IP from the header.
Or, you can also do some redesign to avoid the one-armed config and get rid of client nat.
Gilles.
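The server-side half of the header-insert approach suggested above, as an added example that is not part of the original thread. The header name `X-Client-IP` and the VIP address `192.0.2.10` are assumptions made for illustration; the point shown is that the server should accept the inserted header only on connections that actually arrive from the load balancer, and only when exactly one well-formed value is present.

```python
import ipaddress

# Assumptions (not from the thread): the header name the load balancer
# inserts, and the source address the servers see for offloaded traffic.
CLIENT_IP_HEADER = "x-client-ip"                          # hypothetical name
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}    # constructed VIP


def effective_client_ip(peer_addr, headers):
    """Return (ip, source) to use for logging and access decisions.

    peer_addr: source address of the TCP connection as seen by the server.
    headers:   list of (name, value) pairs, so duplicates stay visible.
    """
    peer = ipaddress.ip_address(peer_addr)

    # A request that did not come through the load balancer can carry any
    # header it likes, so the header is ignored and the peer address used.
    if peer not in TRUSTED_PROXIES:
        return str(peer), "peer"

    values = [v.strip() for k, v in headers if k.lower() == CLIENT_IP_HEADER]

    # Zero values: nothing was inserted. More than one: a client-supplied
    # copy may be sitting next to the inserted one, so neither is trusted.
    if len(values) != 1:
        return str(peer), "peer-fallback"

    try:
        return str(ipaddress.ip_address(values[0])), "header"
    except ValueError:
        # Malformed value: never let it reach logs or ACL checks as an IP.
        return str(peer), "peer-fallback"


# Constructed sample requests: (peer address, header list).
SAMPLES = [
    ("192.0.2.10", [("Host", "www.example.com"), ("X-Client-IP", "198.51.100.7")]),
    ("203.0.113.5", [("X-Client-IP", "10.0.0.1")]),               # bypassed the VIP
    ("192.0.2.10", [("X-Client-IP", "10.0.0.1"), ("X-Client-IP", "198.51.100.7")]),
    ("192.0.2.10", [("X-Client-IP", "not-an-ip")]),
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, "->", effective_client_ip(peer, hdrs))
```

Stripping any client-supplied copy of the header on the load balancer, where the device supports it, removes the duplicate-header case before it reaches the server.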
09-19-2006 11:44 PM
Gilles,
We do not have a one-armed design or any NATing.
Traffic comes in on the VIP on Port 443, this is decrypted by the SSL module then sent to another VIP on clear text port 81 (which has an associated content rule pointing to the servers).
The server guys only see traffic coming in from the VIP address.
cheers,
Mike
09-20-2006 05:49 AM
Mike,
I'm telling you. This is not possible.
Send me your config and I'll show you where you do the NATing.
Check if you have any "group <...>" config using a VIP matching the one you see on the server.
If you do, suspend the group and you will see that the NATing does not occur anymore.
Gilles.