Backend SSL Help

dennis-hess — Mon, 05 Dec 2005 11:26:04 GMT

I tried to implement backend SSL over the weekend and was unsuccessful. I've read all the posts here on ssl back to January and I was sure I had a solid config. I saw lots of traffic hitting the ssl module but it would not pass to the backend content rule. I was getting no hits on the backend services. I've attached the config below. This is our production load balancers so I don't have a place to play with it. Does anyone spot anything glaringly wrong with this? I think it may be an acl issue but I didn't think traffic generated internally from the CSS to the backend ssl was subject to acls. Either that or a source NAT issue, or lack thereof as that's how we ensure traffic returns through the lb. There is an acl on the frontside that has applies NAT via a source group. Thanks!

ssl associate rsakey key key.pem

ssl associate cert cert cert.cer

ssl-proxy-list ssl_list3

ssl-server 10

ssl-server 10 port 50003

ssl-server 10 rsakey key

ssl-server 10 rsacert cert

ssl-server 10 cipher rsa-with-rc4-128-md5 192.168.254.10 81

ssl-server 10 vip address 10.100.24.11

backend-server 10

backend-server 10 cipher rsa-export-with-rc4-40-md5

backend-server 10 type backend-ssl

backend-server 10 ip address 10.100.8.225

backend-server 10 server-ip 10.100.8.225

backend-server 10 server-port 50003

backend-server 10 port 81

backend-server 20

backend-server 20 cipher rsa-export-with-rc4-40-md5

backend-server 20 type backend-ssl

backend-server 20 ip address 10.100.9.137

backend-server 20 server-ip 10.100.9.137

backend-server 20 server-port 50003

backend-server 20 port 81

service ssl_module3

type ssl-accel

keepalive type none

slot 3

add ssl-proxy-list ssl_list3

active

***Services***

service us6qpp01-50003

ip address 10.100.8.225

type ssl-accel-backend

port 81

add ssl-proxy-list ssl_list3

keepalive type ssl

keepalive port 50003

protocol tcp

active

service us6qpp02-50003

ip address 10.100.9.137

type ssl-accel-backend

port 81

add ssl-proxy-list ssl_list3

keepalive type ssl

keepalive port 50003

protocol tcp

active

***Content***

content PortalFront

protocol tcp

vip address 10.100.24.11

application ssl

advanced-balance ssl

add service ssl_module3

port 50003

active

content PortalBack

protocol tcp

port 81

url "/*"

vip address 192.168.254.10

add service us6qpp01-50003

add service us6qpp02-50003

advanced-balance arrowpoint-cookie

active

group group_backside_nat

vip address 10.100.24.129

active

clause 10 permit tcp any destination content Owner1/PortalFront sourcegroup group_backside_nat

clause 11 permit tcp any destination 10.100.24.11 eq 50003

Re: Backend SSL Help

Gilles Dufour — Mon, 05 Dec 2005 15:14:32 GMT

Everything coming out of the SSL module is consideed traffic coming into the CSS.

Therefore acl are applied to this traffic.

The source vlan is the same as for the traffic that entered the SSL module.

So you need a

clause 12 permit tcp any destination 192.168.254.10 eq 81

You may have to permit traffic to real as well. Can't remember for sure this part.

I assume you have to based on the rule mentioned above.

Regards,

Gilles.

Re: Backend SSL Help

dennis-hess — Mon, 05 Dec 2005 15:29:11 GMT

Thanks Gilles... that's the way it was looking to me but for some reason I was thinking since the processing for the backend ssl was internal to the lbs, it was not processed against the acls... I was just about to change the acls to test but my change window was up and I had to roll back... I'll let you know how it goes!

Thanks again for your input...

Dennis

topic Re: Backend SSL Help in Application Networking

Backend SSL Help

Re: Backend SSL Help

Re: Backend SSL Help