09-28-2007 03:37 PM
Hi, I installed and associated my cert on my CSS, but am having problems getting it working...
What I need is to be able to browse FROM my web server 192.168.10.1 to a specific website which provided me with the cert 'myRSAcert' below. I have implemented the below, but when I browse to the website it says I have no cert installed. I have not configured anything locally on the server; I have only configured on the CSS.
Here is what I have done on the CSS:
I have set up my 443 content rule:
content myContentRule443
vip address 194.10.0.1
port 443
add service ssl_test
active
I have added my service:
service ssl_test
type ssl-accel
slot 2
keepalive type none
add ssl-proxy-list ssl_list
active
I have added an ssl-server in my ssl_list:
ssl-proxy-list ssl_list
ssl-server 50
ssl-server 50 vip 194.10.0.1
ssl-server 50 rsakey myRSAkey
ssl-server 50 rsacert myRSAcert
ssl-server 50 cipher rsa-with-rc4-128-md5 194.10.0.1 80
active
I have set up my 80 content rule:
content myContentRule80
vip address 194.10.0.1
port 80
add service server1
active
I have set up my internal web server:
service server1
keepalive type http
keepalive port 80
keepalive freq 6
protocol tcp
port 80
ip address 192.168.10.1
active
Am I correct in this general set up, or have I missed anything out?
Can anyone please help?
09-29-2007 03:15 PM
Hi,
Please add this command:
content myContentRule443
vip address 194.10.0.1
port 443
add service ssl_test
application ssl   <-- add this
active
This command should make it work, if service server1 is alive.
If you do an HTTP request on port 80, does it work?
- Rodrigo.
09-30-2007 12:47 AM
OK, ignore the other comment about 'application ssl'. That's not required.
If I understand correctly, the source of the traffic is 192.168.10.1.
But from your config, this is also the destination.
Is this correct?
If you want the browser to be able to open a connection to the VIP, you need to configure client NAT using a 'group'.
I can assist you with this if that's what you need.
But if you want to do SSL initiation (the source sends a cleartext request and the CSS encrypts everything before forwarding to a remote server), then your config is wrong.
Please, let us know what you need exactly.
Gilles.
09-30-2007 03:18 AM
I am looking to browse to a website (157.50.10.1) from my local server (192.168.10.1). My VIP is 194.10.0.1
In order for me to browse to this website I am required to have a cert, which I have requested and installed - myRSAcert.
Am I missing anything?
Thanks
09-30-2007 09:38 PM
So, you want the CSS to encrypt the traffic on behalf of the server.
This is called SSL initiation, and you're missing everything in your config.
See how to do ssl initiation at
Gilles.
10-01-2007 07:11 AM
Hi, thanks for your help. I have looked through this and this is what I came up with:
1. Create a backend server, defining my virtual backend (192.168.25.1) and the server I connect to externally (154.10.1.1):
ssl-proxy-list ssl_list1
backend-server 50
backend-server 50 type initiation
backend-server 50 ip address 192.168.25.1   (INTERNAL - my virtual backend SSL server)
backend-server 50 server-ip 154.10.1.1   (EXTERNAL - IP of the website I am looking to browse to)
backend-server 50 rsacert myRSAcert
backend-server 50 rsakey myRSAkey
active
2. Add an SSL service:
service myService1
type ssl-init
ip address 192.168.25.1
slot 2
keepalive type none
add ssl-proxy-list ssl_list1
active
3. Add a content rule:
owner ContentRules
content myContentRule1
add service myService1
vip address 192.168.25.2
protocol tcp
port 80
active
It still doesn't work, I am wondering am I missing anything else here?
Thanks so much for your help.
10-02-2007 03:01 AM
You also need to set the cipher:
backend-server 50 cipher rsa-with-rc4-128-sha
If that does not work after that, get us a 'show summary' and 'show ssl statistics' before and after opening a connection.
Capture a trace on your server and a simultaneous trace on the other side of the CSS.
Gilles.
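For reference, here is the SSL-initiation configuration assembled end to end from the three steps in the 10-01-2007 post plus the cipher line from the reply above. This is an added example, not config taken from the thread or from Cisco's documentation; the addresses and names are the ones used in the thread, and the explicit 'port 80' and 'server-port 443' lines, the 'active' on the proxy list, and the 'show' commands used to check it are assumptions about what a working setup looks like. The rsacert/rsakey lines on the backend-server are kept as the original poster wrote them; whether they cause the CSS to present that certificate as a client certificate to the remote site is not settled anywhere in this thread.

```text
! Added example, not from the original post. Lines marked (assumed) were
! not in the thread and are written from the general SSL-initiation pattern.
ssl-proxy-list ssl_list1
  backend-server 50
  backend-server 50 type initiation
  backend-server 50 ip address 192.168.25.1
  backend-server 50 port 80                      ! (assumed) cleartext side
  backend-server 50 server-ip 154.10.1.1
  backend-server 50 server-port 443              ! (assumed) encrypted side
  backend-server 50 cipher rsa-with-rc4-128-sha  ! from the reply above
  backend-server 50 rsacert myRSAcert            ! as posted by the OP
  backend-server 50 rsakey myRSAkey              ! as posted by the OP
  active                                         ! (assumed) list must be active before a service can add it

service myService1
  type ssl-init
  ip address 192.168.25.1      ! must equal the backend-server 'ip address'
  slot 2
  keepalive type none
  add ssl-proxy-list ssl_list1
  active

owner ContentRules
  content myContentRule1
    vip address 192.168.25.2   ! the address the browser on 192.168.10.1 must be sent to
    protocol tcp
    port 80
    add service myService1
    active
```

Two things worth checking before capturing traces. First, the browser on 192.168.10.1 has to connect in cleartext to the content rule's VIP (192.168.25.2, port 80), not to the remote site's own address; a request sent straight to 154.10.1.1 never matches the rule and the CSS never encrypts it. Second, 'show service myService1', 'show summary' and 'show ssl statistics' (the latter two are what the reply above asks for) taken before and after one request show whether the ssl-init service is alive and whether the SSL module saw the connection at all, which separates a rule-matching problem from a handshake problem with the remote site. The 443 content rule and the ssl-accel service from the first post are omitted here on purpose: they terminate inbound SSL, which is the opposite direction from what this thread is trying to achieve.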