SSL and back-end configuration

csbowser
Level 1

Hey guys. Can I solicit some help on SSL and a CSS 11500?

First question: Does SSL proxying require a module? Can I do back-end SSL without a module? If I can, what performance impact could I expect on an 11501 with two SSL content rules? Would I see the same performance hit on an 11503?

Second question: Are there step-by-step (CSS for dummies) instructions for how to set up SSL back-end services? Found some docs online about SSL, key generation, etc., but I'm afraid logic is missing from the directions (i.e. you could do this, but would you want to?).

Here's the scenario. I have a customer I promised URL direction for multiple sites. Seems he is using SSL though, so I need to learn how to do this and bring him up quickly. There is one service running on a server, listening on 443. This web app links to several other internal servers, all SSL. My goal is to have one VIP service all the links – so, I need to terminate the SSL, look at the header, then encrypt and send the traffic on. I don't have too much time to make this guy wait, so my question appears here now.

So if I have:

service web-server1
  ip 10.1.1.1
  protocol tcp
  act

service web-server2
  ip 10.1.1.2
  protocol tcp
  act

service web-server
  ip 10.1.1.3
  protocol tcp
  act

service web-application
  ip 10.1.1.4
  protocol tcp
  act

owner Web-guy

  content Web-app
    vip address 11.1.1.1
    port 443
    url "/websa/*"
    add service web-application
    act

  content Monitor-one
    vip address 11.1.1.1
    port 443
    url "/serverone/*"
    add service web-server1
    act

  content Monitor-two
    vip add 11.1.1.1
    port 443
    url "/servertwo/*"
    add service web-server2
    act

  content Monitor-three
    ...you get the picture.

Questions:

This is all 'internal' traffic, so no official CA will be issuing a cert. Can I use RSA keys only? Is a cert necessary?

Can I do the back-end communication on 443? Config examples always seem to change the port and I'd rather not use non-standard ports on the servers.

A cook-book config on this would be great – I'll even send a Pennsylvania brew if you want. Again, I think this is a standard config – just haven't worked with SSL on the CSS's yet. I do have an SSL module I can install – just wondered if it was necessary for those CSS's that will only have one or two ssl sessions.

Thanks,

Chad Bowser

4 Replies

mrembetsy
Level 1

I haven't worked with proxy on the CSS a lot, but we do have SSL running on our CS-100's and CS-150's. So for the redirection to the URL you are kind of on your own. What we do for SSL clients, and what I suggest, is to make a slight change to the services portion of your config.

So we have

service webserver1
  ip address 10.1.1.4
  protocol tcp
  port 80
  active

service webserver1-ssl
  ip address 10.1.1.4
  protocol tcp
  port 443
  active

then you can configure your content groups any way you like. I think your services section should work, but I have always specified the port that each service is using.

Hope this helps, and sorry I couldn't provide any more information

Mike

lynchp
Level 1

This is a link to a document I have written for CCO. It explains backend SSL. You do need a module in the CSS in order to do SSL decryption/encryption.

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a0080220dab.shtml

Well, you learn something new every day. Thanks, this was great.

Thanks for the response. In your document's config examples, it looks like you change the back-end communication ports to 81 and 8003. Can the default 80 and 443 be used here?

The rsacert certificate - is that the cert located on the end service (backend1, 2 and 3)? Is the rsakey (private key) shared between the CSS and services?

Sorry if these questions are too simple, but I didn't find a document that explains why certain steps are done, and what has to be done on the end web server.

Thanks again.

Chad
