Hi all,
I had the below config in place so that TCP 443 traffic terminated on 20.20.20.20 and unencrypted traffic was sent on to backend servers via a content rule set up to listen on TCP 80 for IP address 10.10.10.10.
ssl-server 190
ssl-server 190 rsakey mysecurecert_key
ssl-server 190 rsacert mysecurecert_cert
ssl-server 190 cipher rsa-with-rc4-128-md5 10.10.10.10 80 weight 5
ssl-server 190 cipher rsa-with-rc4-128-sha 10.10.10.10 80 weight 4
ssl-server 190 vip address 20.20.20.20
If I used a browser and connected to the VIP 20.20.20.20:443 then all was good and everything worked as expected. However, we have an application that specifies the port along with the host in the HTTP Host header, so rather than Host: 20.20.20.20 it would have Host: 20.20.20.20:443.
For whatever reason, when the Host header has the port appended things break, and I'm not sure what the CSS does, but the backend servers never receive any traffic. From the client end it seems to go through the client/server hello and at least sends the HTTPS request.
To fix this, I just changed the 10.10.10.10 to 20.20.20.20 so the VIP was the same as the back-end content rule IP used with the cipher suite.
More out of curiosity than anything, but is this a known bug or by design? I'm not sure why having the SSL VIP different from the backend content rule IP would allow HTTP requests with just the host in the Host header and not when there is a port appended?
Thanks
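The two request forms in the post differ only in whether the Host header carries an explicit port, which RFC 7230 allows (Host = uri-host [ ":" port ]). The script below is an added example, not code from the post or from Cisco, and it does not claim to reproduce what the CSS actually does internally. It builds both raw requests, parses the Host header the way a correct matcher must (host, optional port, bracketed IPv6), and contrasts that with a naive string comparison of the raw header against a rule IP, which accepts "20.20.20.20" but rejects "20.20.20.20:443". The rule values (VIP, port 443, default port 443) are assumptions chosen to mirror the post; the sample headers are constructed.

```python
"""Parse and match HTTP Host headers that may carry an explicit port.

Added illustration; not part of the original post and not Cisco CSS code.
It models a generic load balancer that compares the Host header against a
content rule (IP address + port). The CSS's real matching logic is not known
from the post, so the rule values below are assumptions.
"""
import re

# Constructed sample Host values as described in the post: browser-style
# without a port, and application-style with the port appended.
BROWSER_HOST = "20.20.20.20"
APP_HOST = "20.20.20.20:443"

# Assumed rule: the VIP on TCP 443; HTTPS default port is 443.
RULE_IP = "20.20.20.20"
RULE_PORT = 443
DEFAULT_PORT = 443

# uri-host is either a bracketed IPv6 literal or a reg-name/IPv4, optionally
# followed by ":" and a decimal port (RFC 7230 section 5.4, RFC 3986).
_HOST_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<reg>[^:\[\]]+))(?::(?P<port>\d{1,5}))?$"
)


def parse_host_header(value: str):
    """Split a Host field value into (host, port-or-None).

    Raises ValueError for anything that is not a syntactically valid Host,
    so a matcher never silently compares against garbage.
    """
    m = _HOST_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed Host header: {value!r}")
    host = m.group("v6") or m.group("reg")
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 0 < port < 65536:
        raise ValueError(f"port out of range in Host header: {value!r}")
    return host.lower(), port


def host_matches_rule(host_value: str, rule_ip: str, rule_port: int,
                      default_port: int) -> bool:
    """True if the Host header names rule_ip on rule_port.

    A missing port means the scheme default, so "20.20.20.20" and
    "20.20.20.20:443" both refer to the same HTTPS endpoint.
    """
    host, port = parse_host_header(host_value)
    if port is None:
        port = default_port
    return host == rule_ip and port == rule_port


def naive_match(host_value: str, rule_ip: str) -> bool:
    """The brittle comparison: raw Host string against the rule IP string."""
    return host_value == rule_ip


def build_request(host_value: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request line and headers exactly as a client would send them."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host_value}\r\n"
        f"Connection: close\r\n\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for h in (BROWSER_HOST, APP_HOST):
        header_line = build_request(h).decode().splitlines()[1]
        print(f"{header_line:<24} naive={naive_match(h, RULE_IP)} "
              f"normalised={host_matches_rule(h, RULE_IP, RULE_PORT, DEFAULT_PORT)}")
```

Running the script shows the asymmetry: the naive comparison accepts only the browser form, while the normalising matcher accepts both and still rejects a different port such as 20.20.20.20:8443. Whatever the CSS does internally, a Host-header comparison that does not account for the optional port is the kind of logic that would produce exactly the symptom described in the post.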