topic Re: https front end and http backend in Application Networking

https front end and http backend

yycsandman007 — Tue, 15 Jan 2008 16:28:37 GMT

Hi there....I am having a small issue....I have a web app that is https based....I have installed the cert on the CSS, and DNS for this app points to the VIP....the client is wanting to have an https front end, and then load balance in http to the backend servers....the issue I am running into is that this only works if I have an active port 80 rule on that same VIP....if I suspend the port 80 rule and only leave the port 443 rule active on that VIP, it doesn't work....please see appropriate config portions below....Thanks in advance!

Sandeep

ANy suggestions? I have been trying this for a couple of days now...it works fine if the backend sessions are also https, but the client has changed their requirement....

ssl-proxy-list SSL1

ssl-server 1

ssl-server 1 rsakey app1-test

ssl-server 1 rsacert app1-test

ssl-server 1 vip address 10.19.55.10

ssl-server 1 cipher rsa-with-rc4-128-md5 10.19.55.10 81

backend-server 1

backend-server 1 port 81

backend-server 1 server-ip 10.19.55.132

backend-server 1 ip address 10.19.55.132

backend-server 2

backend-server 2 port 81

backend-server 2 server-ip 10.19.55.133

backend-server 2 ip address 10.19.55.133

backend-server 3

backend-server 3 port 83

backend-server 3 server-ip 10.19.55.132

backend-server 3 ip address 10.19.55.132

backend-server 4

backend-server 4 port 83

backend-server 4 server-ip 10.19.55.133

backend-server 4 ip address 10.19.55.133

backend-server 5

backend-server 5 port 85

backend-server 5 server-ip 10.19.55.132

backend-server 5 ip address 10.19.55.132

backend-server 6

backend-server 6 port 85

backend-server 6 server-ip 10.19.55.133

backend-server 6 ip address 10.19.55.133

active

service webserver002:81

ip address 10.19.55.132

port 81

keepalive port 2199

keepalive type tcp

protocol tcp

active

service webserver003:81

ip address 10.19.55.133

port 81

keepalive port 2199

keepalive type tcp

protocol tcp

add ssl-proxy-list SSL1

active

service webserver002:83

ip address 10.19.55.132

port 83

add ssl-proxy-list SSL1

keepalive port 2399

keepalive type tcp

protocol tcp

active

service webserver003:83

ip address 10.19.55.133

port 83

keepalive port 2399

keepalive type tcp

protocol tcp

add ssl-proxy-list SSL1

active

service webserver002:85

ip address 10.19.55.132

port 85

add ssl-proxy-list SSL1

keepalive port 2599

keepalive type tcp

protocol tcp

active

service webserver003:85

ip address 10.19.55.133

port 85

keepalive port 2599

keepalive type tcp

protocol tcp

add ssl-proxy-list SSL1

active

service SSL_Front

slot 2

type ssl-accel

keepalive type none

add ssl-proxy-list SSL1

active

owner app1-test

content app-test_back

vip address 10.19.55.10

add service webserver002:81

add service webserver003:81

add service webserver002:83

add service webserver003:83

add service webserver002:85

add service webserver003:85

balance aca

protocol tcp

port 81

active

content app1-test_front

vip address 10.19.55.10

application ssl

add service SSL_Front

protocol tcp

port 443

advanced-balance ssl

balance aca

active

Re: https front end and http backend

Diego Vargas — Tue, 15 Jan 2008 20:15:30 GMT

Hi,

Well I find this a little confusing. First of all I see clear traffic on port 81 and not 80, and you have a content rule in port 81, so I guess that is what you mean.

Now, it is expected that this will not work if you suspend the clear text rule since that this is the proper configuration.

You need to have the rule in port 443 to match traffic coming from the client and the clear text rule (port 81) to match traffic already decrypted coming from the SSL module

Re: https front end and http backend

yycsandman007 — Tue, 15 Jan 2008 20:26:17 GMT

Thanks for the quick reply....there is another port 80 rule setup for that vip....I was using that to test with the app until I got the front end https rules working....

my port 80 rules just says listen to 10.19.55.10 on port 80 and load balance btwn the webervers on port 8x in the back end...

I am trying to do https front end and http backend....

no where in my SSL config have I configured port 80....but when I suspend that rule it all fails....

I am wondering if the backend server sessions are happening properly?

I don't fully get what you mean by "You need to have the rule in port 443 to match traffic coming from the client and the clear text rule (port 81) to match traffic already decrypted coming from the SSL module"

Haven'tI done that?

Thanks again!

Sandeep

Re: https front end and http backend

Diego Vargas — Tue, 15 Jan 2008 20:36:49 GMT

Hi Sandeep,

Can I get the full config to see where is breaking out?

Thanks!!

Re: https front end and http backend

yycsandman007 — Tue, 15 Jan 2008 20:54:46 GMT

can you send me your email?

Re: https front end and http backend

Diego Vargas — Tue, 15 Jan 2008 20:56:45 GMT

You can send it to dmoravar@cisco.com or you can upload it here