CSS11500 SSL handling question for multiple url/FQDNs with the same ip address

tim.metzinger
Level 1

I know that it's possible on the CSS to handle multiple incoming HTTP requests that terminate on the same IP address and port and balance them to various servers based on the url.   For instance, I can set up www.cats.com and www.dogs.com at the same 192.168.35.12 address in DNS, and set up two different content rules:

content cats
  vip address 192.168.35.12
  protocol tcp
  port 80
  url "//www.cats.com/*"
  add service cats1
  add service cats2
  active

content dogs
  vip address 192.168.35.12
  protocol tcp
  port 80
  url "//www.dogs.com/*"
  add service dogs1
  add service dogs2
  active

Easy and straightforward.

But what if I want to add SSL handling for https://www.cats.com and https://www.dogs.com?

I'm not sure how to create the ssl-proxy-list where one content rule (ip address/port) combination needs to pass through the ssl module and get matched with the proper ssl certificate.

Can this be done?  Can one associate multiple certs and keys with a single ssl-server entry and a single ssl accelerator service?  Or do I have to create multiple ssl-proxy-lists for cats and dogs and build multiple ssl services each referring to a unique ssl-proxy-list, and then use the url parameter in the https content rule to determine which ssl service (and therefore which key/cert pair) gets the traffic?

Thanks in advance for any insights.

1 Reply

pablo.nxh
Level 3

Hi Tim,

Unfortunately this is not possible; you can't associate multiple certificates with a single proxy list, because the SSL handshake is done first, with no visibility of the URL being requested, so the CSS won't know which public server to use in order to perform the traffic decryption.

But there are a couple of options that you may want to look at (depending on the URL string).

If your URLs are subdomains and you hold a wildcard SSL certificate that matches multiple requests, i.e. if your domain is "pets.com", you can have a certificate that will match requests for dogs.pets.com or cats.pets.com, because the cert will be in the form *.pets.com.

The second option is SAN (Subject Alternative Name) certificates, which give you the option to include up to 4 flavors of the domain within the same file, such as pets.com, pets.net, www.1pets.com.

I hope this helps.


Pablo
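Before loading one cert into a single ssl-proxy-list for a VIP that fronts several FQDNs, it is worth checking that the cert's names actually cover every hostname that resolves to that VIP. The script below is an added example, not code from the thread or from Cisco; it applies the RFC 6125 matching rules (case-insensitive comparison, a wildcard only as the whole left-most label, matching exactly one label, and the CN consulted only when no DNS SANs are present) to the three options discussed above: a single-name cert, a *.pets.com wildcard, and a SAN cert listing both www.cats.com and www.dogs.com. The certificate name sets are constructed inline as plain data, standing in for what you would read out of the real cert with, for example, openssl x509 -noout -subject -ext subjectAltName.

```python
"""Check which hostnames behind one VIP a certificate's names would cover.

Constructed example for the CSS11500 thread above; not part of the original
post. Certificate name sets are hand-built data, not parsed from real certs.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """The identity a certificate presents: subject CN plus DNS SAN entries."""
    common_name: str
    dns_sans: list[str] = field(default_factory=list)


def _match_name(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison of one presented identifier against a hostname.

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is only honoured as the entire left-most label
    - the wildcard matches exactly one label, so *.pets.com does not cover
      pets.com or a.b.pets.com, and never covers www.cats.com
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False  # "w*.pets.com", "*.com" or "*.*.com" are rejected
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covers(cert: CertNames, host: str) -> bool:
    """True if the client would accept this cert for `host`.

    When DNS SANs exist, the CN is ignored (RFC 6125 section 6.4.4); the CN is
    only a fallback for legacy single-name certs.
    """
    names = cert.dns_sans if cert.dns_sans else [cert.common_name]
    return any(_match_name(n, host) for n in names)


def uncovered(cert: CertNames, hosts: list[str]) -> list[str]:
    """Hostnames on the VIP that would raise a name-mismatch error with this cert."""
    return [h for h in hosts if not covers(cert, h)]


# Hostnames that all resolve to the single VIP 192.168.35.12 in the thread.
VIP_HOSTS = ["www.cats.com", "www.dogs.com"]

# Option 0: the cert tim already has for one site (assumed CN-only, constructed).
CATS_ONLY = CertNames(common_name="www.cats.com")

# Option 1 from the reply: a wildcard for one parent domain (constructed).
WILDCARD_PETS = CertNames(common_name="*.pets.com", dns_sans=["*.pets.com"])

# Option 2 from the reply: one SAN cert naming every FQDN on the VIP (constructed).
SAN_CATS_DOGS = CertNames(
    common_name="www.cats.com",
    dns_sans=["www.cats.com", "www.dogs.com"],
)


def report(cert: CertNames, hosts: list[str]) -> str:
    """One-line summary suitable for a pre-change checklist."""
    missing = uncovered(cert, hosts)
    return "OK: covers all hosts" if not missing else "MISMATCH for: " + ", ".join(missing)


if __name__ == "__main__":
    for label, cert in [("cats-only", CATS_ONLY),
                        ("*.pets.com", WILDCARD_PETS),
                        ("SAN cats+dogs", SAN_CATS_DOGS)]:
        print(f"{label:15} {report(cert, VIP_HOSTS)}")
    # The wildcard only helps if the sites are re-homed under one parent domain:
    print(f"{'*.pets.com':15} {report(WILDCARD_PETS, ['cats.pets.com', 'dogs.pets.com'])}")
```

Run it as a script to see which of the three options passes for the VIP's host list; the wildcard only passes once the sites live under a common parent domain, which is the condition the reply attaches to option 1.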
