Showing results for 
Search instead for 
Did you mean: 

CSS and service type redirect to change dest port ?



I was reading this article and was wondering if it's possible to use the service 'type redirect' and domain to redirect to a different port?

For example, is the below config valid? Basically i want incoming requests for on 443 to be rewritten to port 444. In the service I've used both the 'port 444' and prepended :444 to the domain as i wasn't sure which if either would have the desired effect.

My hope is that the request will come in on and hit the L5 content rule which will send it to the secure-transfer service to be redirected to port 444 which goes back to the other L5 rule and off to the ssl_module service.

If this won't work, is there another way of making it work?

service secure-transfer
  ip address
  keepalive type none
  type redirect
  no prepend-http
  port 444

owner test

  content default-redirect
    vip address
    protocol tcp
    port 443
    url "//*"
    add service secure-transfer

  content TEST_TCP443_L5
    vip address
    protocol tcp
    port 444
    url "//*"
    add service ssl_module1

Many thanks


2 Replies 2

Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee

Hi Scott,

At first sight, I don't see anything wrong with the redirection service. To set the port for this redirection, the correct way to do it would be adding the port information at the end of the url. The "port" command will be ignored for redirection services.

For the other part, I see one problem. In both content rules, you are trying to match on a specific url, but, if I understood it correctly, both will be dealing with SSL traffic. In that case, since traffic is encrypted, the CSS will not be able to match the URL and all requests will be dropped. If you need to do L5 processing on a SSL connection, you first need to setup SSL termination to decrypt the traffic.



ahhh forgot about that, thanks Daniel.

My reason for trying this is to try and use one public IP for multiple SSL enabled backend servers without having to ask the dev's to change their code to use a differnt port.

I know that in the ssl proxy lists you can have multiple entries use the same IP as long as the port is differnt so differentiate between certificates so i thought i could be clever and let them continue using port 443 but have the CSS detect the url and then transparently redirect to another port like 444 in my case so the ssl proxy list would know the cert to use. But as you've pointed out, that won't work which is a shame.

oh well. It was a nice idea while it lasted

Unless anyone else knows a work around to this i guess i'll need to either use a 2nd public IP or ask them to change their code to use port 444 for ssl content.



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers