HTTPS balance without a SSL Module
I have read thru the forum and found a couple threads talking about this issue but didnt find a solution to my problem.
I have 2 CSS11503s without SSL modules. I now have a need to balance a KVMoIP system that uses ssl on the servers(currently only 5 concurrent users). My balance is simply for ease of use for my customers so they dont have to know the url for the primary and secondary servers. Here is what I have right now:
interface 1/1
bridge vlan 241
description "to users"
interface 1/2
description "to servers"
bridge vlan 700
circuit VLAN700
ip address 172.20.241.181 255.255.255.192
ip virtual-router 100 priority 1
ip redundant-interface 100 172.20.241.183
ip critical-service 100 css-up-down
ip critical-reporter 100 css-sc1
circuit VLAN241
ip address 172.20.241.71 255.255.255.192
ip virtual-router 1 priority 1
ip redundant-interface 1 172.20.241.73
ip redundant-vip 1 172.20.241.100
ip critical-service 1 css-up-down
ip critical-reporter 1 css-sc1
service obsidian
ip address 172.20.241.172
keepalive port 80
keepalive type tcp
active
owner avocent
content kvm (Does not work)
vip address 172.20.241.100
protocol tcp
port 443
add service obsidian
content kvm_80 (This works)
protocol tcp
port 80
add service obsidian
vip address 172.20.241.100
active
The http to the server works fine but the https get "The page can not be displayed" when you go to https://172.20.241.100
Thanks for any insight into this issue.
Hi Gill,
thats what i?ve found:
config-owner-content) application
To specify the application type associated with the content rule, use the application command. The application type enables the CSS to correctly interpret the data stream matching the content rule and parse them. Otherwise, the data stream packets are rejected. Use the no form of this command to reset the application type to its default setting of HTTP.
application type
no application
Syntax Description
type
Application type. Enter one of the following:
?bypass - Bypasses the matching of the content rule and send the request directly to the origin server
?http (default) - Processes HTTP data streams
?ftp-control - Processes FTP data streams
?sip - Processes Session Initiation Protocol (SIP) data streams
?ssl - Processes Secure Sockets Layer (SSL) protocol data streams
Similar Messages
-
CSS with single SSL module.. balance option needed?
Hi all,
Quick question. If you have a CSS 11503 with one SSL offload module installed.. is there any point in using the "application ssl" and "advanced-balance ssl" options in the content rule? I can't find any info that tells me for sure but I'm guessing that these options can be used to balance between multiple ssl modules and provide stickiness to the modules etc.. but doesn't have any effect on the traffic distribution and stickiness to the backend server services?
For example if I have a L5 content rule like the one below and only one SSL module, should i remove the "application ssl" and "advanced-balance ssl" options and just use the port 80 content rule which the ssl proxy lists offloads traffic too and apply the "advanced-balance sticky-srcip-dstport" and "balance leastconn" there ?
content DEVCOM_TCP443_L5
vip address x.x.x.x
application ssl
advanced-balance ssl
protocol tcp
port 443
url "//dev.subdomain.domain.com/*"
add service ssl_module1
active
I have read various forum postings and i read the CSS SSL config guide but the examples all seem to differ in their implementation.
Many thanks
ScottYou're correct.
There is no need to specify the application type as ssl and the advanced-balance method when using a single ssl module.
Gilles. -
ACE - Balance HTTP and sticky only SSL/TLS
Hi there,
I have a situation that I am trying to solve. We have lot of services trough ACE, but now I have to modify one of them, PROXY servers.
I have six (6) servers working with Sticky, but with a MASK 255.255.255.0, which produce an unbalanced situation some times, and that affect some servers on depending of how many users connected to that server. We have between 40K and 50K conns in that serverfarm, but in Sticky terms we have arround 700 /24 subnets.
I want to modify the configuration, specificaly the MASK to 255.255.255.255, which is going to increase a lot Sticky resources. But thinking in optimize Sticky resources, I want to know if there is a way to select only e-commerce, Home Banking or other kind of SSL/TSL traffic (always using port 80 trough proxy servers), so I could use Sticky only for connections that need it, and leave other HTTP traffic without this feature.
I´m sorry, may be I'm doing a silly question, but don´t have the experience to make this configuration, and I will apreciate your help.
Here is the actual configuration:
probe tcp HTTP
description Keepalive web servers
interval 20
passdetect interval 30
rserver host Server1
ip address 10.1.1.1
inservice
rserver host Server2
ip address 10.1.1.2
inservice
rserver host Server3
ip address 10.1.1.3
inservice
rserver host Server4
ip address 10.1.1.4
inservice
rserver host Server5
ip address 10.1.1.5
inservice
rserver host Server6
ip address 10.1.1.6
inservice
serverfarm host PRX
failaction purge
predictor leastconns
probe HTTP
rserver Server1
inservice
rserver Server2
inservice
rserver Server3
inservice
rserver Server4
inservice
rserver Server5
inservice
rserver Server6
inservice
sticky ip-netmask 255.255.255.0 address source sticky-PRX
timeout 60
serverfarm PRX
class-map match-any VIP-PRX
2 match virtual-address 10.10.10.101 tcp eq www
policy-map type loadbalance first-match POLICY-L7-PRX
class class-default
sticky-serverfarm sticky-PRX
policy-map multi-match PRX-Balance
class VIP-PRX
loadbalance vip inservice
loadbalance policy POLICY-L7-PRX
loadbalance vip icmp-reply
interface vlan 100
ip address 10.10.10.11 255.255.255.0
alias 10.10.10.10 255.255.255.0
peer ip address 10.10.10.12 255.255.255.0
no normalization
access-group output SOLO-SLB
service-policy input PRX-Balance
Thanks
AlexisYou might want to check out this new product called ITD.
Simple and faster solution:
ITD provides :
ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
IP-stickiness
Resilient (like resilient ECMP)
VIP based L4 load-balancing
NAT (available for EFT/PoC). Allows non-DSR deployments.
Weighted load-balancing
Load-balances to large number of devices/servers
ACL along with redirection and load balancing simultaneously.
Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
The servers/appliances don’t have to be directly connected to N7k
Monitoring the health of servers/appliances.
N + M redundancy.
Automatic failure handling of servers/appliances.
VRF support, vPC support, VDC support
Supported on both Nexus 7000 and Nexus 7700 series.
Supports both IPv4 and IPv6
N5k / N6k support : coming soon
Blog
At a glance
ITD config guide
Email Query or feedback:[email protected] -
Load Balancing with a CSM & SSL Module
I'm trying to understand the best way to balance traffic to two servers when decrypting and re-encrypting with the CSM and an SSL module. I take the SSL traffic hitting the first CSM VIP and forward to the SSL module for decryption. Send the decrypted traffic back to another VIP on the CSM. Send the traffic to the client proxy VIP on the SSL which encrypts the traffic and forwards to the CSM VIP. That final VIP passes the traffic to the serverfarm containing the actual servers. How do I make sure the traffic is balanced between the final VIP and my servers. It seems that sticking on SSL session ID is the only way to go at that point which made decryption pointless. I feel like I'm missing something basic here.
Thanks..Hi David,
Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
Sachin garg -
HTTPS Keepalive with the CSM & SSL Module
Has anyone had any success getting a secured web page for a keepalive using the CSM with and SSL module. If so can post an example?
Thank you,
DaveHi David,
Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
Sachin garg -
HTTPS ans SSL with CSS (No SSL Module)
Hi,
My customers have two server and need to load balance.
These servers initiate SSL.
and VIP address is :
https://erpappl.erp.mis.blabla.tgc:8005
My CSS has no ssl module. An dconfiguration is:
service venice
ip address 10.200.104.32
protocol tcp
port 8005
keepalive type tcp
keepalive port 8005
redundant-index 120
active
service calgary
ip address 10.200.104.33
protocol tcp
port 8005
keepalive type tcp
keepalive port 8005
redundant-index 121
active
owner ERPAPPL
content erpapp_test
add service venice
add service calgary
redundant-index 60
vip address 10.200.104.28
protocol tcp
port 8005
url "/*"
arrowpoint-cookie expiration 00:00:03:00
advanced-balance arrowpoint-cookie
application ssl
active
After this configuration I cannot reach the URL shown above.
Can you help me?if this is encrypted traffic [HTTPS] the CSS can't see the content of the packet.
So the CSS can't see the url [-> so the command url "/*" is incorrtect and should be removed] and the CSS can't see cookies [so the arrowpoint-cookie command is wrong and should be removed].
If we sell an SSL module, there is a reason :-)
The only sticky option you can use are :
- sticky based on srcip
- sticky on sslid
The first option [srcip] has a problem with mega proxy [many users being nated with the same ip] and the 2nd option has the problem that it only works with SSLV2 and that some browsers do not use the sslid.
Gilles. -
Using SSL Module to Encrypt HTTP post to external Server
I would like to know if it's possible for a CSM with its SSL module to receive an HTTP POST from our internal web servers, encrypt that POST w/ SSL, and finally to forward the newly created SSL transmission to a remote external SSL server? If it is possible, is this good practice or is it better to let the web server do the encryption?
this is possible.
It is good practice if you do not want to overload your server with the heavy task of encryption/decryption.
If your server is very powerfull and far from being used to its maximum capacity, you can do it on the server.
Another advantage of using an SSL module is that the CSM will see your request in clear text and can therefore perform so *smart* loadbalancing before it gets encrypted by the SSL module.
[ie: cookie stickyness, url hashing, ...]
Regards,
Gilles. -
CSS without SSL Module needing sticky sessions
Hello All,
If anyone can help with this sticky situation I'd appreciate it.
I have a customer with a CSS11501. He does not have an SSL module installed.
He has 2 blade servers, when he adds a web site, which is accessible over SSL, the CSS load balances client requests causing lost sessions, mostly lost pop-ups, it does not want stick to the same server.
I've configured the following:-
service web1
protocol tcp
port 443
keepalive type tcp
ip address 192.168.200.50
string web1
active
service web2
rotocol tcp
port 443
eepalive type tcp
ip address 192.168.200.51
string web2
active
content SSL_Web
add service web1
add service web2
rotocol tcp
port 443
vip address 1.2.3.4
application ssl
advanced-balance sticky-srcip-dstport
active
group web_Farm
add service web1
add service web2
vip address 1.2.3.4
active
I was attempting to get the client to stick to the server but unfortunately, this didn't work, the CSS seems to continue to send requests to both servers and they are getting scripting errors.
Once the customer turns off the second blade, all is ok.
I did try adding the string value to the service and configuring 'advanced-balance arrowpoint-cookie' in the content but the clients were unable to reach any web sites.
Best Regards TonyTony,
The config looks fine other than the "application SSL" under the content rule, and right now you are probing the servers with a tcp probe on port 80. If you want the probe to be on port 443 you should add the command "keepalive port 443" to both of the services. The CSS will default to port 80 for a tcp probe.
Regards
Jim -
How to Filter Initial Client HTTP Headers on a CSS11506 SSL module
Is there any way to filter the initial client headers on a css11506 ssl module ?? (software version 8.1)
This is one of the default options on the "old" SCA11000 appliances.Douglas, with an SSL module, the CSS can decrypt HTTPS traffic and see the cleartext HTTP traffic.
We can then apply any rules to the header.
I think in this case, the question refered to some data injected in the http header by the CSS and filter what data from the client certificate should be dropped or inserted.
We currently do not have this option on the CSS.
Gilles. -
Header Insert Statistics on SSL Module
Hi,
I use an SSL Module running SW 2.1.8. Within ouput of "sh ssl-proxy stats hdr" I have a lot of "Service Errors" without any configured http header insertion policy.
Any idea what could cause this ??
Any answer is appreciated.
Volker Kreisel
Header Insert Statistics:
Session Headers Inserted : 0 Custom Headers Inserted : 0
Session Id's Inserted : 0 Client Cert. Inserted : 0
Client IP/Port Inserted : 0
No End of Hdr Detected : 0 Payload no HTTP header : 0
Desc Alloc Failed : 0 Buffer Alloc Failed : 0
Client Cert Errors : 0 Malloc failed : 0
Service Errors : 28730384 Conn Entry Invalid : 0
Buffers allocated : 0 Buffers Scanned : 0
Insertion Points Found : 0 Header Overflow : 0
End of Header Found : 0 Buffers Accumulated : 0CSCsb82589
show ssl-proxy stats hdr counter Service Errors is erroneously increment
This has been fixed in 3.1.1 and will be fixed soon in the next 2.1 release.
Regards,
Gilles. -
How many ssl modules are needed for a redundant configuration?
Hi, apologies but I can't seem to find a definite answer for this question. I have two css 11506's set up using vip/virtual interface redundancy (active/standby). Each css 11506 has a single ssl module.
Is this adequate for ssl redundancy? I've read in this forum that if an ssl module fails, the css will reboot causing failover to the standby css so ssl connections will simply reset and as long as I have ASR set up on the back end http content, users will not notice the failover.
Am I correct in this thinking or do you recommend using two ssl modules in each css? Thinking there is that if one ssl module fails, there will still be a 2nd module to handle ssl traffic and the css's will not failover.
Thanks
-Danthere is no need for 2 modules.
You would use 2 modules if you need more power [handle more connections].
However, your assumption is incorrect.
Nowadays, there is no device in the worl [cisco and non-cisco] that can do SSL ststeful failover.
In other words, upon failure, all SSL users will have to restart their connection.
Gilles. -
SSL module - does server key must have a password?
Hi,
I'm trying to install server certificate, PEM formatted into SSL module. The key I've received is stripped off the challange password. Is it possible to import such a key without pass? "crypto ca import server.com PEM terminal xxx" seems to not allow for this.
tiaYes, the SSL module must have a password for the server key. It is not possible to import the key without the password.
-
CSS 115xx and SSL module.
Good day, I have a general question on the SSL module. Currently we have a pair of CSS's handeling our external site web sites. We are starting to run out of external IP addresses, If we installed the SSL module and terminated the Certificates on the CSS would we be able to read the ssl header and utilize 1 ip for multiple ssl sites?
thx
-RichCheck the URL: Overview of CSS SSL:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/ssl/guide/overview.html
Examples of CSS SSL Configurations:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html -
CSS - 11506 - Adding New SSL Services on Single SSL Modules
Hi,
We are having one pair of CCS 11506 currently SSL services are running on slot4 with single SSL module.Now we are planning to add one more SSL application with different certificates & keys on different VIP.
Can we use the same slot4 for new application & using different certicates & keys on same SSL modules.Your reponse is appriecatedHi Sean,
Thanks for replying back just want few clarifcations in configuration part.
1. If new vlan is given for new application then how to point routes to the new vlan as default routes to exisitng vlan is already present.
2. I've prepare sample config template with details steps & let us know will it work & if changes is required kindly let us know.
1.# ftp-record ssl_record 192.168.19.21 johndoe "abc123"
/home/johndoe
2.# copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
Connecting
Completed successfully
3.# copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
Connecting
Completed successfully
4.Enter configuration mode.
# config
(config) #
4. To use RSA public key exchange and authentication:
a. Associate the imported RSA certificate with a file.
(config) # ssl associate cert myrsacert1 rsacert.pem
b. Associate the imported RSA key pair with a file.
(config) # ssl associate rsakey myrsakey1 rsakey.pem
5. Compare the public key in the associated certificate with the public key
stored with the associated private key and verify that they are identical.
(config) # ssl verify myrsacert1 myrsakey1
Certificate mycert1 matches key mykey1
ssl associate rsakey NEWKEY newkey.pem
ssl associate cert NEWCERT newcert.pem
!************************* INTERFACE *************************
interface 3/3
description "****WEB SIDE****"
bridge vlan _ID_X.X.X.X
bridge port-fast enable
interface 3/4
bridge vlan_ID_Y.Y.Y.Y
bridge port-fast enable
description "****PIX SIDE****"
!************************** CIRCUIT **************************
circuit VLAN_ID_X
ip address A.A.A.A B.B.B.0
ip virtual-router 2 priority 101 preempt
ip redundant-interface 3 C.C.C.C
ip critical-service 3 chk-con-pix_Y.Y.Y.Y
ip critical-service 3 chk-con-web_X.X.X.X
circuit VLAN_ID_Y
ip address D.D.D.D E.E.E.0
ip virtual-router 4 priority 101 preempt
ip redundant-vip 4 F.F.F.F
ip critical-service 4 chk-con-pix_Y.Y.Y.Y
ip critical-service 4 chk-con-web_X.X.X.X
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list NEW
ssl-server 20
ssl-server 20 vip address F.F.F.F
ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81
ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81
ssl-server 20 rsacert NEWCERT
ssl-server 20 rsakey NEWKEY
active
!************************** SERVICE **************************
service FRONT_SSL
type ssl-accel
slot 4
keepalive type none
add ssl-proxy-list NEW
active
service WEBSERVER-03
ip address G.G.G.G
redundant-index 3
protocol tcp
port 80
active
service WEBSERVER-04
ip address H.H.H.H
redundant-index 4
protocol tcp
port 80
active
service chk-con-pix_Y.Y.Y.Y
keepalive type script ap-kal-pinglist "N.N.N.N"
ip address J.J.J.J
keepalive frequency 2
keepalive maxfailure 2
keepalive retryperiod 2
active
service chk-con-web_X
ip address K.K.K.K
keepalive type script ap-kal-pinglist "P.P.P.P"
keepalive frequency 2
keepalive maxfailure 2
keepalive retryperiod 2
active
!*************************** OWNER ***************************
owner NEW
content BACKNEW_HTTP
vip address F.F.F.F
add service WEBSERVER-03
add service WEBSERVER-04
protocol tcp
port 81
url "/*"
redundant-index 5
no persistent
active
content FRONTENDNEW_SSL
vip address F.F.F.F
protocol tcp
port 443
application ssl
add service FRONT_SSL
active
content NEW
url "//www.ABC.com/*"
vip address F.F.F.F
protocol tcp
port 80
redundant-index 4
redirect "https://ABC.com"
active
your reply on this would be highly appericated. -
Issue in setting flex app in load balanced environment using SSL
I have developed the dashboard in my application using flex 3.0. For this I have used JSP wrapper around the flex application. My application runs on JBoss application server. for communication between flex app and my application i am using LCDS. HTTPService component is being used to receive data from the server. Channel definitions are given in service-config.xml for amf and http channels and for both secure secure and not secure mode. In my proxy-config.xml i have defined Channels and destinations.
services-config.xml
<channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
<endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
<properties>
<polling-enabled>false</polling-enabled>
</properties>
</channel-definition>
<channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
<endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure" class="flex.messaging.endpoints.SecureAMFEndpoint"/>
<properties>
<add-no-cache-headers>false</add-no-cache-headers>
</properties>
</channel-definition>
<channel-definition id="my-http" class="mx.messaging.channels.HTTPChannel">
<endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/http" class="flex.messaging.endpoints.HTTPEndpoint"/>
</channel-definition>
<channel-definition id="my-secure-http" class="mx.messaging.channels.SecureHTTPChannel">
<endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/httpsecure" class="flex.messaging.endpoints.SecureHTTPEndpoint"/>
<properties>
<add-no-cache-headers>false</add-no-cache-headers>
</properties>
</channel-definition>
proxy-config.xml
<default-channels>
<channel ref="my-http"/>
<channel ref="my-amf"/>
<channel ref="my-secure-http"/>
<channel ref="my-secure-amf"/>
</default-channels>
<destination id="dashboardService">
<properties>
<url>/kr/servlet/DashboardServlet</url>
</properties>
</destination>
<destination id="dashboardJSPService">
<properties>
<url>/kr/krportal/dashboardJSPService.jsf</url>
</properties>
</destination>
In my development environment both secure and non secure mode were working fine. Now when I have deployed it behind the load balancer(which accepts secure requests only and if the request is not secure it redirects it to secure url) there is no response from the message broker servlet. One thing more I have observed is when the environment is non load balanced there are request like 'http://{server.name}:{server.port}/{context.root}/messagebroker/http'. and these requests are post request. But in load balanced environment with ssl the request is again like 'http://{server.name}:{server.port}/{context.root}/messagebroker/http' which is a post request and it is redirected to 'https://{server.name}:{server.port}/{context.root}/messagebroker/http' which is a get request. The content returned by this get request is null.
Looking for some comments
Thanks
Abhishek Guptaif the load balancing environment is already well configured, thes rest is very easy, there is no difference between a configuration of load balancing environment and a simple one, for you that is transparent, except the manual deployment and manual copying
of files in the directory 15
Maybe you are looking for
-
Trade mark sign appears when trying @ setting up macair
setting up macbookair. can not do @. tm appears instead
-
VAT Code invisible in dropdown
Hi, When posting a transaction, the client doesn't want to see all the VAT codes defined in table 007A. Is this possible? Annelize
-
did i buy Adobe Photoshop & Adobe premiere elments but uTrshed the box before instalation how can i get the serial number?
-
I would like to know how can I add the content of a JTextField to a Vector, that will display in a JList. THX
-
Graphics crashes under Windows XP SP3 with Radeon X1600
Hello I've been experiencing a lot of problems with my MacBook Pro recently. Everytime I run an application that demands some graphic power from the X1600 GPU, such as games or Photoshop, the computer crashes and gets EXTREMELY hot (so hot I can't ev