05-04-2007 07:18 AM
OK... this is the situation...
I have a CSS 11501 w/SSLM, and it is configured and working perfectly today.
It is listening on a VIP, terminating the SSL connection, and initiating a load balanced back end connection to a pair of web servers.
Users go to the URL "https://services.blah.com" and everything works great.
If users go to "https://services.blah.com/legacy", I want them to be redirected to the legacy server, prior to the SSL negotiation. The legacy server has its own cert, not on the CSS. The legacy server does not reside behind this CSS. In fact, it is a single host in another subnet, which the CSS has knowledge of.
Is this possible?
Thanks in advance. This is a VERY helpful forum. I hope to have the knowledge and skill level soon to be able to assist others.
Sandeep
05-04-2007 08:00 AM
Hi Sandeep,
You can match the traffic going to /legacy with a layer 5 content rule. The problem is that first you need to do the SSL negotiation; otherwise the CSS will not be able to see layer 5 information in order to match that specific request to another content rule.
Since you need the traffic to go over SSL to your server, you may want to implement backend SSL, as the CSS will decrypt the traffic in the front end, check on layer 5 and encrypt it again prior to sending it to the server.
05-04-2007 12:11 PM
Hey... thanks for the quick response...
I am currently using backend SSL for the "https://services.blah.com" URL, and the user sessions are balanced between the backend servers.
How do I redirect only "https://services.blah.com/legacy" to the legacy server that lives in another part of the network?
Where in the config do I insert that redirect statement? And what is the correct syntax?
Here are the applicable parts of my current config:
ssl-proxy-list my_secure_site
ssl-server 1
ssl-server 1 cipher rsa-with-rc4-128-md5 1xx.1x.xx.81 81
backend-server 10
backend-server 10 port 81
backend-server 10 server-ip 1xx.1x.xx.74
backend-server 20
backend-server 20 port 81
backend-server 20 server-ip 1xx.1x.xx.75
ssl-server 1 vip address 1xx.1x.xx.13
backend-server 10 ip address 1xx.1x.xx.74
backend-server 20 ip address 1xx.1x.xx.75
backend-server 10 cipher rsa-with-rc4-128-md5
backend-server 20 cipher rsa-with-rc4-128-md5
ssl-server 1 rsakey services-sys_key1
ssl-server 1 rsacert services-sys
active
-----------------------------
service backend1
ip address 1xx.1x.xx.74
type ssl-accel-backend
port 81
add ssl-proxy-list my_secure_site
keepalive port 443
keepalive type ssl
protocol tcp
active
service backend2
ip address 1xx.1x.xx.75
type ssl-accel-backend
port 81
keepalive port 443
keepalive type ssl
protocol tcp
add ssl-proxy-list my_secure_site
active
------------------------------
owner my_secure_site
content back
protocol tcp
port 81
url "/*"
vip address 1xx.1x.xx.81
add service backend1
add service backend2
advanced-balance sticky-srcip
active
content front
vip address 1xx.1x.xx.13
application ssl
add service ssl_front
protocol tcp
port 443
active
-----------------------------------
Is what I am trying to achieve even possible?
Thanks again for your assistance!
Sandeep
05-04-2007 01:38 PM
Hi Sandeep,
Create another content rule in the back (for clear text) matching only that specific request, like this:
content back2
protocol tcp
port 81
url "/legacy"          <---- more specific
vip address 1xx.1x.xx.81
add service legacy_server
active
Then you create the legacy_server service and configure it as any of the other backend servers you have already.
The CSS matches the traffic against the more specific rule, so people going to https://services.blah.com/legacy will match the rule back2 and everybody else will hit the rule with the wildcard (back).
That should resolve your problem.
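As an added example (not part of this thread or of the CSS configuration above), here is a small Python model of the "more specific content rule wins" selection the reply describes, with the two rules from this thread (back with url "/*", back2 with url "/legacy"). The matching semantics it assumes, a trailing "*" as a wildcard prefix and anything else as an exact path match, are an assumption to be checked against the CSS documentation; the model is there to show which paths would land on which rule before changing the live box.

```python
# Added example, not from the thread: model of most-specific content rule
# selection for the two back-end rules discussed (back and back2).
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class ContentRule:
    name: str              # CSS content rule name, e.g. "back" or "back2"
    url: str               # url pattern exactly as written in the rule
    services: Tuple[str, ...]  # services the rule forwards to


def _matches(pattern: str, path: str) -> bool:
    # ASSUMPTION: trailing '*' is a wildcard prefix; otherwise exact match.
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def _specificity(pattern: str) -> Tuple[int, int]:
    # Exact patterns beat wildcards; among wildcards the longer prefix wins.
    return (0 if pattern.endswith("*") else 1, len(pattern.rstrip("*")))


def select_rule(rules: Iterable[ContentRule], path: str) -> Optional[ContentRule]:
    """Return the most specific rule matching the request path, or None."""
    candidates = [r for r in rules if _matches(r.url, path)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: _specificity(r.url))


# The two rules from the thread (service names as posted).
RULES = (
    ContentRule("back", "/*", ("backend1", "backend2")),
    ContentRule("back2", "/legacy", ("legacy_server",)),
)


def route(path: str, rules: Iterable[ContentRule] = RULES) -> Optional[str]:
    rule = select_rule(rules, path)
    return rule.name if rule else None


if __name__ == "__main__":
    # Constructed sample paths; note that under exact matching, paths below
    # /legacy/ fall through to the wildcard rule, not to back2.
    for p in ("/", "/index.html", "/legacy", "/legacy/app", "/legacyadmin"):
        print(f"{p:15} -> {route(p)}")
```

Worth checking on the real CSS: if /legacy/... subpaths must also reach the legacy server, the rule needs a pattern that covers them, since an exact "/legacy" would leave them on the wildcard rule.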