10-06-2005 06:27 PM
I am currently trying to set up a CSS11503 to perform SSL full proxy and there is some logic that I cannot understand.
Current configuration:
!*** SSL PROXY LIST*****
ssl-proxy-list SSL-LIST01
ssl-server 100
ssl-server 100 vip address 10.180.6.1
ssl-server 100 rsakey RSAKEYASSOCIATION1
ssl-server 100 rsacert CERTASSOCIATIO1
ssl-server 100 cipher rsa-with-rc4-128-sha 10.180.6.1 80
active
!**** SERVICE *******
service MYDEVSERVER01
ip address 10.180.7.35
active
service MYDRSERVER01
ip address 10.180.6.35
port 80
active
service MYDRSERVER02
ip address 10.180.6.37
port 80
active
service SSL-MODULE01
type ssl-accel
keepalive type none
slot 3
add ssl-proxy-list SSL-LIST01
active
!***** OWNER ********
owner OWNER
Address Quiapo-Avenida
content DEVSERVERS
vip address 10.180.6.3
balance weightedrr
add service MYDEVSERVER01
protocol tcp
active
content DRSERVERS-HTTP-RULE
vip address 10.180.6.1
protocol tcp
port 80
balance aca
add service MYDRSERVER02
add service MYDRSERVER01
content DRSERVERS-SSL-RULE
vip address 10.180.6.1
balance aca
application ssl
protocol tcp
port 443
add service SSL-MODULE01
active
Questions:
1. Is the above config enough to function as an SSL transparent proxy?
2. Which part of the configuration tells the CSS to send the port 80 traffic to the webserver?
3. To make the above config function as a full proxy, do I need to configure a source group?
4. On source group
4.1 What VIP address to use?
4.2 Which service to add, is it the SSL service or the normal service for HTTP?
Any help is appreciated.
Thanks
Benjamin
10-06-2005 11:51 PM
1. Yes.
2. HTTPS traffic will hit rule DRSERVERS-SSL-RULE, which will forward the traffic to the SSL module.
It will be decrypted and forwarded back to the CSS to IP 10.180.6.1 and port 80 [according to your cipher command in the ssl-proxy-list].
It will then hit rule DRSERVERS-HTTP-RULE and traffic will be loadbalanced between services configured under that rule.
3. Source groups are only required if you need to NAT the client IP address.
</grReplace>
<gr_replace lines="71-72" cat="clarify" orig="4.1. you can">
4.1. You can reuse the same content rule IP address.
This address will be used to NAT the client IP.
So, if your servers do not forward the traffic back to the CSS, doing client nat is a way to force traffic to come back to the CSS.
4.1. you can reuse the same content rule ip address.
This address will be used to nat the client ip.
It can be whatever address as long as your network knows it belongs to the CSS.
4.2. You should add the normal service, not the SSL service.
Regards,
Gilles.
Thanks for rating this answer.
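The flow Gilles describes in points 2 to 4, as an added model written for this thread (not CSS code or CSS output): the content-rule names, VIPs, services and the cipher command's backend 10.180.6.1:80 are taken from the configuration posted above; the matching logic, the round-robin selection (the posted rules actually use aca balancing), the client address 192.0.2.10 and the source-group definition are simplifications assumed here for illustration. It shows why the cipher command's address and port decide which content rule the decrypted traffic lands on, and what source address the web servers see with and without a source group.

```python
"""
Simplified model of the two-pass flow through the CSS11503 from the thread:
HTTPS hits DRSERVERS-SSL-RULE -> SSL module decrypts -> cleartext re-enters
the CSS toward the cipher command's backend (10.180.6.1:80) -> hits
DRSERVERS-HTTP-RULE -> balanced across the normal HTTP services.

Added illustration for this thread; not CSS code. Rule/VIP/service names are
from the posted config; matching and balancing logic are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ContentRule:
    name: str
    vip: str
    port: Optional[int]               # None models a rule with no "port" line (any port)
    services: List[str]
    application: Optional[str] = None  # "ssl" marks the rule that feeds the SSL module


@dataclass
class SslServer:
    """ssl-server 100: VIP that terminates TLS and the cleartext target after decryption."""
    vip: str
    backend_ip: str
    backend_port: int


# "ssl-server 100 cipher rsa-with-rc4-128-sha 10.180.6.1 80" from the post
SSL_SERVER_100 = SslServer(vip="10.180.6.1", backend_ip="10.180.6.1", backend_port=80)

# Content rules from the post (service order as listed)
RULES = [
    ContentRule("DRSERVERS-HTTP-RULE", "10.180.6.1", 80, ["MYDRSERVER02", "MYDRSERVER01"]),
    ContentRule("DRSERVERS-SSL-RULE", "10.180.6.1", 443, ["SSL-MODULE01"], application="ssl"),
    ContentRule("DEVSERVERS", "10.180.6.3", None, ["MYDEVSERVER01"]),
]

# Assumed source group per answer 4.1/4.2: reuse the rule VIP, add the normal services
SOURCE_GROUP = {"vip": "10.180.6.1", "services": {"MYDRSERVER01", "MYDRSERVER02"}}

_rr_index = {}  # per-rule round-robin counter (simplification of aca balancing)


def match_rule(dst_ip: str, dst_port: int) -> Optional[ContentRule]:
    """Most specific rule for a destination: exact-port rules beat any-port rules."""
    candidates = [r for r in RULES
                  if r.vip == dst_ip and (r.port is None or r.port == dst_port)]
    if not candidates:
        return None
    candidates.sort(key=lambda r: r.port is None)  # exact-port first
    return candidates[0]


def pick_service(rule: ContentRule) -> str:
    """Round-robin across the rule's services (stand-in for the real balance method)."""
    i = _rr_index.get(rule.name, 0)
    _rr_index[rule.name] = i + 1
    return rule.services[i % len(rule.services)]


def trace_flow(client_ip: str, dst_ip: str, dst_port: int,
               use_source_group: bool = False) -> List[Tuple[str, str, str]]:
    """Return the hops (rule, chosen service, source IP the service sees) for one connection."""
    hops = []
    rule = match_rule(dst_ip, dst_port)
    while rule is not None and len(hops) < 4:   # cap guards against a rule looping on itself
        service = pick_service(rule)
        src = client_ip
        if use_source_group and service in SOURCE_GROUP["services"]:
            src = SOURCE_GROUP["vip"]          # client NAT forces the reply back via the CSS
        hops.append((rule.name, service, src))
        if rule.application == "ssl":
            # Decrypted traffic re-enters the CSS toward the cipher command's backend
            dst_ip, dst_port = SSL_SERVER_100.backend_ip, SSL_SERVER_100.backend_port
            rule = match_rule(dst_ip, dst_port)
        else:
            rule = None                        # normal service: last hop
    return hops


if __name__ == "__main__":
    for hop in trace_flow("192.0.2.10", "10.180.6.1", 443):
        print(hop)
    for hop in trace_flow("192.0.2.10", "10.180.6.1", 80, use_source_group=True):
        print(hop)
```

Running it prints the HTTPS connection passing through DRSERVERS-SSL-RULE and then DRSERVERS-HTTP-RULE, and the HTTP connection reaching a normal service with the source NATed to 10.180.6.1 when the source group is in place. Change the backend port in SSL_SERVER_100 to something no rule listens on and the decrypted traffic stops after the SSL hop, which is the failure case to check when decrypted requests never reach the servers.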
10-09-2005 03:09 PM
Spot on Gilles. It's the answer that I am actually looking for.
Thanks mate.