Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1456
Views
0
Helpful
2
Replies

CSS and service type redirect to change dest port ?

scottmcgillivray
Level 1
Level 1

‎03-04-2011 08:42 AM

Hi

I was reading this article http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a00801de8d6.shtml and was wondering if it's possible to use the service 'type redirect' and domain to redirect to a different port?

For example, is the below config valid? Basically i want incoming requests for dev.com.domain.com on 443 to be rewritten to port 444. In the service I've used both the 'port 444' and prepended :444 to the domain as i wasn't sure which if either would have the desired effect.

My hope is that the request will come in on https://dev.com.domain.com and hit the L5 content rule which will send it to the secure-transfer service to be redirected to port 444 which goes back to the other L5 rule and off to the ssl_module service.

If this won't work, is there another way of making it work?

service secure-transfer
  ip address 2.2.2.2
  keepalive type none
  type redirect
  no prepend-http
  port 444
  domain https://dev.com.domain.com:444
  active

owner test

  content default-redirect
    vip address 1.1.1.1
    protocol tcp
    port 443
    url "//dev.com.domain.com/*"
    add service secure-transfer
    active

  content TEST_TCP443_L5
    vip address 1.1.1.1
    protocol tcp
    port 444
    url "//dev.com.domain.com/*"
    add service ssl_module1
    active


Many thanks

Scott

Labels:
0 Helpful
2 Replies 2

Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee

‎03-07-2011 02:07 AM

Hi Scott,

At first sight, I don't see anything wrong with the redirection service. To set the port for this redirection, the correct way to do it would be adding the port information at the end of the url. The "port" command will be ignored for redirection services.

For the other part, I see one problem. In both content rules, you are trying to match on a specific url, but, if I understood it correctly, both will be dealing with SSL traffic. In that case, since traffic is encrypted, the CSS will not be able to match the URL and all requests will be dropped. If you need to do L5 processing on a SSL connection, you first need to setup SSL termination to decrypt the traffic.

Regards

Daniel

0 Helpful

scottmcgillivray
Level 1
Level 1
In response to Daniel Arrondo Ostiz

‎03-07-2011 02:26 AM

ahhh forgot about that, thanks Daniel.

My reason for trying this is to try and use one public IP for multiple SSL enabled backend servers without having to ask the dev's to change their code to use a differnt port.

I know that in the ssl proxy lists you can have multiple entries use the same IP as long as the port is differnt so differentiate between certificates so i thought i could be clever and let them continue using port 443 but have the CSS detect the url and then transparently redirect to another port like 444 in my case so the ssl proxy list would know the cert to use. But as you've pointed out, that won't work which is a shame.

oh well. It was a nice idea while it lasted

Unless anyone else knows a work around to this i guess i'll need to either use a 2nd public IP or ask them to change their code to use port 444 for ssl content.

thanks

Scott

0 Helpful
Customers Also Viewed These Support Documents