
CSS11506 with backend SSL configuration

julxu
Level 1

I have only one CSS5-SSL-K9 module, and currently have a service configured as type ssl-accel.

Now I need to configure a backend server, to achieve HTTPS from the CSS to the backend server.

From my reading I have just realised that only one service can be active for an SSL module at a time.

Can I get some advice? Can I run backend SSL on my CSS, which has only one SSL module?

Any comments will be appreciated.

Thanks in advance

1 Accepted Solution

Accepted Solutions

Gilles Dufour
Cisco Employee

You can have only one ssl-proxy service active per SSL module but multiple services can be configured under the same ssl-proxy-list.

So, go ahead and add your backend-ssl config to the existing ssl-proxy-list and you should be fine.

Gilles.

7 Replies

Great, thanks for the reply.

I still do not understand another thing. For the backend configuration the CSS is acting as a client, so the backend server also has to use HTTPS; is that right?

Can I open port 443 to listen for the backend server to contact me?

Please advise.

Many regards

My question is similar with respect to the single active ssl-accel service:

I have many virtual servers (different vip/port combos) and many backend servers listening on different ports. For example,

  • vip1/443 maps to server1/80
  • vip2/443 maps to server2/80
  • vip2/444 maps to server2/81

My (no doubt flawed) understanding is that I would need multiple ssl-proxy-lists and ssl-accel services to handle this:

ssl-proxy-list vip1-list
  ssl-server 10
  ssl-server 10 vip address 192.168.1.1
  ...
  ssl-server 10 cipher rsa-with-rc4-128-md5 10.10.1.1 80
  active

ssl-proxy-list vip2-443-list
  ssl-server 20
  ssl-server 20 vip address 192.168.1.2
  ...
  ssl-server 20 cipher rsa-with-rc4-128-md5 10.10.1.2 80
  active

ssl-proxy-list vip2-444-list
  ssl-server 30
  ssl-server 30 vip address 192.168.1.2
  ssl-server 30 port 444
  ...
  ssl-server 30 cipher rsa-with-rc4-128-md5 10.10.1.2 81
  active

service serv1
  type ssl-accel
  slot 2
  add ssl-proxy-list vip1-list
  keepalive type none
  active

service serv2-443
  type ssl-accel
  slot 2
  add ssl-proxy-list vip2-443-list
  keepalive type none
  active

service serv2-444
  type ssl-accel
  slot 2
  add ssl-proxy-list vip2-444-list
  keepalive type none
  active

This obviously would not work, so please tell me: what am I missing?

Thanking you in advance.

julxu, to answer your question: yes, when backend-ssl is configured on the CSS, the load balancer acts as both an SSL server and an SSL client. It is the SSL server to the client establishing an HTTPS connection to the VIP, and the SSL client when communicating with the backend web server. The backend server will need to use port 443 unless you have an alternate SSL port configured on the server. The CSS will use the default HTTPS port (443) when communicating with the backend web server with backend-ssl.

COLIN WU, to answer your question: as Gilles mentioned, you can have only one ssl-proxy service active per SSL module, but multiple services can be configured under the same ssl-proxy-list. However, your configuration will not work, as you cannot have the SAME VIP address configured for two ssl-servers within a proxy-list or across multiple proxy-lists.

- Jason Espino
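Added example, not taken from any post in this thread: one ssl-proxy-list that carries a front-end ssl-server entry of the kind Colin shows together with a backend-server entry for the re-encrypted hop Jason describes, plus the front-end ssl-accel service and a backend service that both reference that single list, which is the layout Gilles recommends. Every name, address, certificate and key name and the slot number are invented. The backend-server and ssl-accel-backend keywords, and the pairing of the ssl-server cipher line's target with the backend-server "ip address"/"port" listener, are written from memory of the CSS 11500 SSL configuration guide and are assumptions: confirm each keyword with "?" on your own CSS, and check whether your software release accepts the backend service on the same slot as the front-end one. The rsa-with-rc4-128-md5 cipher is kept only because the thread uses it; RC4 and MD5 are obsolete and should be replaced by whatever AES cipher your release supports.

```text
! Added example (not from the thread). Keywords are from memory of the
! CSS 11500 SSL configuration guide; names, addresses and slot are invented.
ssl-proxy-list ssl-list
  ! Front end: client HTTPS on 192.168.1.1:443 is decrypted by the module and
  ! handed to the backend-server listener (10.10.1.3:8443) instead of to a
  ! clear-text web server.
  ssl-server 10
  ssl-server 10 vip address 192.168.1.1
  ssl-server 10 rsacert frontend-cert
  ssl-server 10 rsakey frontend-key
  ssl-server 10 cipher rsa-with-rc4-128-md5 10.10.1.3 8443
  ! Back end: here the CSS is the TLS client. server-ip/server-port is the
  ! real origin server; 443 is the port the CSS uses by default.
  backend-server 20
  backend-server 20 ip address 10.10.1.3
  backend-server 20 port 8443
  backend-server 20 server-ip 10.10.1.3
  backend-server 20 server-port 443
  backend-server 20 cipher rsa-with-rc4-128-md5
  active

! The single front-end ssl-accel service for the module in slot 2.
service ssl-front
  type ssl-accel
  slot 2
  add ssl-proxy-list ssl-list
  keepalive type none
  active

! The backend service on the same module, referencing the same list.
service ssl-back
  type ssl-accel-backend
  slot 2
  add ssl-proxy-list ssl-list
  ip address 10.10.1.3
  port 8443
  keepalive type none
  active
```

A check worth doing once this is in place: with the backend-server entry active, the origin server should see TLS handshakes (not clear-text HTTP) arriving on its port 443 from the CSS, and a packet capture on the server side should show no unencrypted request bodies. If the backend server uses a non-default port, change server-port (and the server's own listener) together, since the thread notes the CSS otherwise assumes 443.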

Actually, I can have the same VIP, but not the same VIP/port combination. For what I wanted to achieve in my example above, the following ssl-proxy-list will work:

ssl-proxy-list test-list
  ssl-server 10
  ssl-server 10 vip address 192.168.1.1
  ...
  ssl-server 10 cipher rsa-with-rc4-128-md5 10.10.1.1 80
  ssl-server 20
  ssl-server 20 vip address 192.168.1.2
  ...
  ssl-server 20 cipher rsa-with-rc4-128-md5 10.10.1.2 80
  ssl-server 30
  ssl-server 30 vip address 192.168.1.2
  ssl-server 30 port 444
  ...
  ssl-server 30 cipher rsa-with-rc4-128-md5 10.10.1.2 81
  active

Note that ssl-server 20 and ssl-server 30 both have the same VIP but listen on ports 443 and 444, respectively.

I must confess I found the answer to my original question in another thread: https://supportforums.cisco.com/thread/2004313?tstart=0

Hello Colin,

I apologize for my oversight. I didn't notice the alternate SSL port defined in ssl-server 30's configuration.

Thank you for the update!

Regards,

Jason

Jason,

No need to apologize. It's easy enough to miss.
