topic Re: SSL full proxy configuration in Application Networking

SSL full proxy configuration

benjamingarcia — Fri, 07 Oct 2005 01:27:22 GMT

I am currently trying to setup a CSS11503 to perform SSL full proxy and there are some logic that I cannot understand.

Current configuration:

!*** SSL PROXY LIST*****

ssl-proxy-list SSL-LIST01

ssl-server 100

ssl-server 100 vip address 10.180.6.1

ssl-server 100 rsakey RSAKEYASSOCIATION1

ssl-server 100 rsacert CERTASSOCIATIO1

ssl-server 100 cipher rsa-with-rc4-128-sha 10.180.6.1 80

active

!**** SERVICE *******

service MYDEVSERVER01

ip address 10.180.7.35

active

service MYDRSERVER01

ip address 10.180.6.35

port 80

active

service MYDRSERVER02

ip address 10.180.6.37

port 80

active

service SSL-MODULE01

type ssl-accel

keepalive type none

slot 3

add ssl-proxy-list SSL-LIST01

active

!***** OWNER ********

owner OWNER

Address Quiapo-Avenida

content DEVSERVERS

vip address 10.180.6.3

balance weightedrr

add service MYDEVSERVER01

protocol tcp

active

content DRSERVERS-HTTP-RULE

vip address 10.180.6.1

protocol tcp

port 80

balance aca

add service MYDRSERVER02

add service MYDRSERVER01

content DRSERVERS-SSL-RULE

vip address 10.180.6.1

balance aca

application ssl

protocol tcp

port 443

add service SSL-MODULE01

active

Questions:

1. is the above config is enough to function as SSL Transparent Proxy?

2. which part of the configuration that tells the CSS to send the port80 traffic to the webserver?

3. to make the above config to function as full proxy, do I need to configure a source group?

4. On source group

4.1 What VIP address to use

4.2 Which service to add, is it the SSL service or the normal service for HTTP

Any help is appreciate.

Thanks

Benjamin

Re: SSL full proxy configuration

Gilles Dufour — Fri, 07 Oct 2005 06:51:51 GMT

1..yes

2.. HTTPS traffic will hit rule DRSERVERS-SSL-RULE which will forward the traffic to the ssl module.

It will be decrypted and forwarded back to ssl to ip 10.180.6.1 and port 80 [according to your cipher command in the ssl-proxy-list].

It will then hit rule DRSERVERS-HTTP-RULE and traffic will be loadbalanced between services configured under that rule.

3.. sourcegroup are only required if you need to nat the client ip address.

So, if your servers do not forward the traffic back to the CSS, doing client nat is a way to force traffic to come back to the CSS.

4.1. you can reuse the same content rule ip address.

This address will be used to nat the client ip.

It can be whatever address as long as your network knows it belongs to the CSS.

4.2. you should add the normal service - not the ssl service.

Regards,

Gilles.

Thanks for rating this answer.

Re: SSL full proxy configuration

benjamingarcia — Sun, 09 Oct 2005 22:09:20 GMT

Spot on Gilles. It's the answer that I am actually looking for.

Thanks mate.