07-05-2006 11:42 PM
Hi all,
Sorry if this is a stupid question (I am very new to CSS and could not find much documentation).
I am testing CSS and have configured the CSS for SSL termination for my Linux server with Apache sitting behind the CSS 11500. It works fine. For example, when I enter https://pirana.cohort.org from a client machine, it works. But when I enter http://pirana.cohort.org the browser displays "400 Bad request" and asks me to use https://pirana.cohort.org instead. Now, my question is, how do I configure the CSS so that all requests to http://pirana.cohort.org (i.e. at port 80) are automatically forwarded to https://pirana.cohort.org (at port 443)? After going through the docs, I found the urlrewrite option, and it is still not working. Please note that there is no service running on port 80 of that Linux box.
Here is the relevant info:
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list 10
ssl-server 10
ssl-server 10 vip address 192.168.10.3
ssl-server 10 rsacert cacert.pem
ssl-server 10 rsakey cakey.pem
ssl-server 10 cipher rsa-export1024-with-des-cbc-sha 192.168.10.3 443
ssl-server 10 cipher rsa-export-with-rc4-40-md5 192.168.10.3 443 weight 5
ssl-server 10 urlrewrite 22 pirana.cohort.org sslport 443 clearport 80
description "This is the SSL list for pirana.cohort.org "
active
service ssl_srv1
add ssl-proxy-list 10
ip address 172.16.1.160
protocol tcp
port 443
active
!*************************** OWNER ***************************
owner locator
owner ssl1
content ssl_rule1
vip address 192.168.10.3
add service ssl_srv1
application ssl
advanced-balance url
string prefix "mycookie="
protocol tcp
port 443
active
content ssl_rule2
add service ssl_srv1
vip address 192.168.10.3
url "//pirana.cohort.org/*"
redirect "redirect for port 80"
protocol tcp
port 80
active
Could someone please advise me how to proceed to achieve this? Any help would be greatly appreciated.
Regards,
Nasir
07-07-2006 11:27 PM
Nasir,
For the port 80 to port 443 redirection, use the following config after removing the redirection rule you have in your original config. url-rewrite is for some other purpose. Take a scenario where you use SSL in the front and clear HTTP at the back: the browser prompts you that it is entering a non-secured region from the secured region. If you don't want to see the browser prompt, use 'url-rewrite'.
!************************** SERVICE **************************
service secure-transfer
ip address 2.2.2.2
keepalive type none
type redirect
no prepend-http
redirect-string "https://pirana.cohort.org"
active
!*************************** OWNER ***************************
owner ssl1
content default-redirect
vip address 192.168.10.3
protocol tcp
port 80
url "/*"
add service secure-transfer
active
Hope this will solve the issue.
thanks
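The answer above relies on the CSS returning a redirect for every clear-text request rather than serving content, and on 'no prepend-http' so that the redirect string is sent verbatim (the CSS prepend-http option puts "http://" in front of the redirect string, which would send the client back to clear HTTP). The Python below is an added example, not code from the thread or from Cisco: it is the check a practitioner would run against the port-80 VIP after applying the config. It probes with a single GET that does not follow redirects and validates the response (redirect status, https scheme, expected host). Because it must run offline, it stands up a constructed stand-in for the CSS 'type redirect' service in-process; the stand-in's prepend_http switch is an assumption that models the CLI setting, and pirana.cohort.org is the host from the thread. One caveat on the original proxy list: rsa-export1024-with-des-cbc-sha and rsa-export-with-rc4-40-md5 are export-grade cipher suites and should not be used on a public-facing service.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

EXPECTED_HOST = "pirana.cohort.org"        # host name taken from the thread
REDIRECT_STATUSES = (301, 302, 307, 308)


def check_redirect(status, location, expected_host=EXPECTED_HOST):
    """Validate one clear-text response: it must be a redirect whose
    Location is an https URL on the expected host.  Returns (ok, reason)."""
    if status not in REDIRECT_STATUSES:
        return False, f"not a redirect: status {status}"
    if not location:
        return False, "redirect without a Location header"
    parts = urlsplit(location)
    if parts.scheme != "https":
        return False, f"Location scheme is {parts.scheme!r}, expected https"
    if parts.hostname != expected_host:
        return False, f"Location host {parts.hostname!r} != {expected_host!r}"
    return True, "ok"


class FakeRedirectService(BaseHTTPRequestHandler):
    """Constructed stand-in for a CSS 'type redirect' service (assumption:
    a 302 whose Location is the redirect-string).  redirect_string and
    prepend_http mirror the two CLI lines in the answer above."""
    redirect_string = "https://pirana.cohort.org"
    prepend_http = False

    def do_GET(self):
        location = self.redirect_string
        if self.prepend_http:                  # what 'prepend-http' would do
            location = "http://" + location
        self.send_response(302)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):              # keep the example quiet
        pass


def probe(host, port, path="/"):
    """Issue one GET without following redirects; return (status, Location)."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": EXPECTED_HOST})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def run_check(prepend_http=False):
    """Start the stand-in service on a loopback port, probe it once,
    and return check_redirect's (ok, reason) for the response."""
    FakeRedirectService.prepend_http = prepend_http
    server = HTTPServer(("127.0.0.1", 0), FakeRedirectService)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        status, location = probe("127.0.0.1", server.server_address[1], "/login")
        return check_redirect(status, location)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("no prepend-http:", run_check(prepend_http=False))
    print("prepend-http   :", run_check(prepend_http=True))
```

Against a real CSS, replace the stand-in with probe(vip, 80, path) and run it for a few paths; the function deliberately uses a raw HTTPConnection so that an automatic redirect-follow cannot hide a downgrade to http.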
07-10-2006 02:59 AM
Thanks a lot for your reply. Now I have another (but different) question. If you could, please give me an answer.
Is there any option which I can use just to let every request "pass through" if it DOES NOT match any configured rule? For example, in my set-up I have a PIX firewall, then the CSS, then the server farm, as follows:
PIX ---> CSS ---> Servers
Now the PIX should pass everything (after the filtering) to the CSS, and the CSS should try to match it against the configured rules. If it doesn't match, then it should just "forward" to the server (as per the IP/URL in the incoming packet). Is this possible? If so, what is the way to do it? Please help me out, and thanks again for your time.
Regards,
Nasir
07-10-2006 03:28 PM
Nasir,
If it is clear HTTP traffic this is pretty simple to do. If you want to achieve it through SSL, you can still do it, though it's a bit complex: the same technique mentioned below, but you would use the backend content rules for this purpose.
Create more than one content rule (CR) and on each CR mention the exact URL. On one CR just don't mention the URL; that means you are implicitly allowing all URLs that were not matched by the CRs configured above. See below. Think of a router and how the routing table entries are used. The idea is that the 'most specific match' is used first for forwarding the traffic.
owner locator
content rule1
add service srv1
vip address 192.168.10.3
url "//pirana.cohort.org/test1/*"
protocol tcp
port 80
active
content rule2
add service srv1
vip address 192.168.10.3
url "//pirana.cohort.org/test2/*"
protocol tcp
port 80
active
content rule3
add service srv1
vip address 192.168.10.3
protocol tcp
port 80
active
Hope this would help you.
Thanks
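To make the 'most specific match' rule concrete, here is an added example (mine, not from the thread or from Cisco) that models how the three content rules above select a rule for an incoming request. The matching is an approximation I am assuming for illustration: a url that starts with '//' pins the Host header, a trailing '*' is a prefix match, and among the matching rules the longest literal prefix wins, with the rule that has no url line acting as the catch-all. Note what the catch-all implies: rule3 accepts any Host header and any path on that VIP and port, so a pass-through rule is also the one that receives anything the specific rules did not anticipate.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ContentRule:
    name: str
    vip: str
    port: int
    url: Optional[str] = None            # None: no 'url' line, i.e. catch-all
    services: List[str] = field(default_factory=list)


def url_matches(pattern, host, path):
    """Assumed approximation of CSS url matching: '//host/prefix*' pins the
    Host header and a trailing '*' makes it a prefix match; '/prefix*' matches
    the path only; anything else is an exact match."""
    target = ("//" + host + path) if pattern.startswith("//") else path
    if pattern.endswith("*"):
        return target.startswith(pattern[:-1])
    return target == pattern


def specificity(rule):
    """Longer literal prefix = more specific; the catch-all ranks lowest."""
    if rule.url is None:
        return -1
    return len(rule.url.rstrip("*"))


def select_rule(rules, vip, port, host, path):
    """Return the most specific rule for the request, or None if no rule
    on that VIP/port matches (a rule without a url always matches)."""
    matches = [r for r in rules
               if r.vip == vip and r.port == port
               and (r.url is None or url_matches(r.url, host, path))]
    if not matches:
        return None
    return max(matches, key=specificity)


# The three rules from the answer above (VIP and URLs taken from the thread).
RULES = [
    ContentRule("rule1", "192.168.10.3", 80, "//pirana.cohort.org/test1/*", ["srv1"]),
    ContentRule("rule2", "192.168.10.3", 80, "//pirana.cohort.org/test2/*", ["srv1"]),
    ContentRule("rule3", "192.168.10.3", 80, None, ["srv1"]),
]


def route(vip, port, host, path, rules=RULES):
    """Name of the content rule that would take the request, or None."""
    rule = select_rule(rules, vip, port, host, path)
    return rule.name if rule else None


if __name__ == "__main__":
    for path in ("/test1/index.html", "/test2/", "/admin/"):
        print(path, "->", route("192.168.10.3", 80, "pirana.cohort.org", path))
    print("unknown host ->", route("192.168.10.3", 80, "other.example", "/test1/x"))
    print("port 443     ->", route("192.168.10.3", 443, "pirana.cohort.org", "/"))
```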
07-13-2006 12:54 AM
Hi Skumar,
Thanks indeed again for your help. But I think I should elaborate a bit on my exact requirement. My network diagram is as follows:
PIX ---> CSS ---> SERVERS
Relevant info
Pix
External IP - X.X.100.59
Internal IP - 10.16.2.1
Servers
IP - 10.16.2.0 range(10.16.2.11, 10.16.2.13 etc)
CSS
Circuit VLAN1 IP - 10.16.2.2
Requirement:
The PIX should pass everything to the CSS (of course after proper filtering only). Then whatever the CSS gets, it should compare against the content rules and do either of these two:
1. If it matches any content rule, it should forward it accordingly.
2. If it DOES NOT match any content rule, it should simply forward the traffic to the original server as if it had not even seen the packet.
The first part is working fine. The second part is NOT working. Let me explain it with the help of an example. I have NAT/access rules configured to NAT every request to port 1000 of the PIX public IP (X.X.138.59) to port 8080 of 10.16.2.13. In my CSS (just for testing) I added a rule to pass everything which comes to 10.16.2.13 port 8080 to 10.16.2.11 port 9000. This works fine. Now I have another NAT/access rule in the PIX to redirect every request to port 80 of X.X.138.59 to 10.16.2.11 port 80.
Now my question is: how do I get the request to 10.16.2.11 port 80 (as translated by the PIX) passed through the CSS to 10.16.2.11? What is the configuration needed for this? I understand that my CSS set-up is in bridge mode. Will it have any problem? What is the difference between bridge mode and router mode? I would really appreciate any suggestion or answer to these, as I could not find any documentation for CSS other than the official guides, which could not answer my questions (at least in my reading).
This is my relevant show run output from the CSS:
!************************** SERVICE **************************
service app1
protocol tcp
port 9000
ip address 10.16.2.11
active
!*************************** OWNER ***************************
owner ssl1
owner wap
owner web
content testct
add service app1
vip address 10.16.2.13
protocol tcp
port 8080
active
!*************************** GROUP ***************************
group mynat
add destination service app1
vip address 10.16.2.100
active
Regards,
Nasir
07-13-2006 11:28 PM
Nasir,
The config I have given below should work for your new requirement.
If you ask me what the difference is between the routing and bridging topology, read my other reply under the subject "Group configuration in CSS".
!************************** SERVICE **************************
service app1
protocol tcp
port 9000
ip address 10.16.2.xx -----> Server ip address
active
!*************************** OWNER ***************************
owner ssl1
owner wap
owner web
content testct
add service app1
vip address 10.16.2.11
protocol tcp
port 80
active
!*************************** GROUP ***************************
group mynat
add destination service app1
vip address 10.16.2.100
active
thanks
07-14-2006 04:02 AM
Kumar,
I truly appreciate your willingness to help me! But unfortunately my problem is not solved yet. In the configuration you mentioned there is only one difference from my existing one: under "content testct" the vip address is 10.16.2.11 (the app1 machine) in your configuration, but in my (existing) configuration it is 10.16.2.13 (the app2 machine). Now I tried to change it to 10.16.2.11 and it gives an error as follows,
CSS11501(config-owner-content[web-testct])# vip address 10.16.2.11
%% VIP address conflicts with local I/F,service,APP, or mgmt route
I will just state my requirement again briefly. Whatever request comes from clients (through the PIX) to the CSS, it should try to match it against the rules, and if no match occurs, it should simply forward it to the server address and port specified in the request.
I am really lost at this point. Please suggest what to do.
Regards,
Nasir
07-14-2006 07:21 AM
Nasir,
I know you are using a bridge topology, meaning one single IP subnet for both the server and client side. Servers (CSS services) have IP addresses in the same range as the content rule VIPs.
So, for content testct, change the VIP address to one you find not used elsewhere.
The content rule and the source group (under which the 'add destination service' command is placed) should have the same VIP address configured. Please correct this in the earlier config I gave.
More details, refer the following link.
CSS Load Balancing Using One Interface Configuration Example
thanks
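The error in the previous post ("VIP address conflicts with local I/F, service, APP, or mgmt route") and the two rules in the reply above (a content rule VIP must not be an address already in use, and the source group that carries 'add destination service' must use the same VIP as the content rule) can be checked before the config is pasted in. The following is an added example, written for this page and not Cisco tooling: a small parser for the handful of CSS CLI lines involved (service, content, group, ip address, vip address, add service, add destination service) and a checker that applies those two rules. The sample config is the show run excerpt from the thread, and the circuit address 10.16.2.2 is the VLAN1 IP Nasir listed; the assumption that a VIP colliding with a service or circuit address is what the CSS rejects covers only the "service" and "local I/F" parts of the error message.

```python
# Constructed from the show run excerpt posted in the thread.
SAMPLE_CONFIG = """\
!************************** SERVICE **************************
service app1
  protocol tcp
  port 9000
  ip address 10.16.2.11
  active
!*************************** OWNER ***************************
owner web
  content testct
    add service app1
    vip address 10.16.2.11
    protocol tcp
    port 80
    active
!*************************** GROUP ***************************
group mynat
  add destination service app1
  vip address 10.16.2.100
  active
"""

# The same config with the content rule moved to the unused VIP the group uses.
FIXED_CONFIG = SAMPLE_CONFIG.replace("vip address 10.16.2.11", "vip address 10.16.2.100")

CIRCUIT_IPS = {"10.16.2.2"}        # circuit VLAN1 address from the thread


def _block():
    return {"ip": None, "vip": None, "services": [], "dest_services": []}


def parse(text):
    """Extract services, content rules and groups from CSS CLI text.
    Only the lines the checks need are interpreted; everything else is skipped."""
    services, contents, groups = {}, {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[0] == "service" and len(words) == 2:
            current = services.setdefault(words[1], _block())
        elif words[0] == "content" and len(words) == 2:
            current = contents.setdefault(words[1], _block())
        elif words[0] == "group" and len(words) == 2:
            current = groups.setdefault(words[1], _block())
        elif words[0] == "owner":
            current = None                      # content rules follow separately
        elif current is None:
            continue
        elif words[:2] == ["ip", "address"]:
            current["ip"] = words[2]
        elif words[:2] == ["vip", "address"]:
            current["vip"] = words[2]
        elif words[:2] == ["add", "service"]:
            current["services"].append(words[2])
        elif words[:3] == ["add", "destination", "service"]:
            current["dest_services"].append(words[3])
    return services, contents, groups


def check(services, contents, groups, circuit_ips=CIRCUIT_IPS):
    """Return a list of problems: content VIPs that collide with a service or
    circuit address, and groups whose VIP differs from the content rule that
    load-balances the same destination service (the rule stated in the reply)."""
    problems = []
    used = {s["ip"]: f"service {name}" for name, s in services.items() if s["ip"]}
    used.update({ip: "circuit interface" for ip in circuit_ips})
    for name, c in contents.items():
        if c["vip"] in used:
            problems.append(f"content {name}: VIP {c['vip']} conflicts with {used[c['vip']]}")
    for gname, g in groups.items():
        for svc in g["dest_services"]:
            for cname, c in contents.items():
                if svc in c["services"] and c["vip"] != g["vip"]:
                    problems.append(f"group {gname}: VIP {g['vip']} differs from "
                                    f"content {cname} VIP {c['vip']} (both use {svc})")
    return problems


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check(*parse(cfg)) or "no problems")
```

On the posted excerpt the checker reports both issues the reply points at: testct's VIP is app1's own address, and group mynat uses a different VIP from testct. Moving the content rule to 10.16.2.100 clears both, which is the shape of the working configuration described later in the thread.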
07-19-2006 01:34 AM
Kumar,
Thanks a lot for your help. In fact the material you pointed out is just what I was looking for (it's funny that it eluded all my googling :-). Now it's working and I was testing it. So far so good. If there is anything more I will disturb you again.
Thanks again
Nasir