Broadcasting news, tips, and troubleshooting on networking technologies.
A simple approach to handle sites that require SSL (HTTPS) encryption is to not allow plain-text HTTP, but that’s not very user-friendly and no one likes having to type extra characters into the browser to indicate HTTPS as the URI scheme. So the elegant solution for the client-side request is to allow HTTP, but then to redirect all such requests over to SSL. If you’re doing SSL Acceleration on your CSS 11500 load-balancer anyway, and you have public facing sites, you should also be doing HTTP-to-HTTPS (SSL) redirection.
Assuming you already have SSL termination configured, you will already have SSL and HTTP VIPs that work together. The trick is to add a different VIP (virtual IP address) for the SSL proxy and convert the existing HTTP rule to a redirect rule. Optionally, you could use a redirect service in the rule instead. Entire config snippets available here.
An interesting issue arose when trying to configure two L5 rules behind an SSL proxy on a Cisco CSS 11500.
When doing SSL termination on the CSS load-balancer, an ssl-proxy-list is configured to add a virtual server that ties the SSL VIP to the plain-text HTTP VIP used by the proxy.
Read up on configuring SSL termination on the CSS 11500 if you’re not familiar.
Normally, an SSL rule VIP is proxied to a single, matching plain-text HTTP VIP when you need to ensure the site is protected by SSL. This is done with two L4 rules, one matching [port] :443 and the other :80. It is not a requirement that the two VIPs match, but doing so will make your config easier to understand and conserve IP space. See the post on *todo* for CSS HTTP to HTTPS redirection.
A simple approach to handle sites that require SSL (HTTPS) encryption is to not allow plain-text HTTP, but that’s not very user-friendly and no one likes having to type extra characters into the browser to indicate HTTPS as the URI scheme. So the elegant solution for the client-side request is to allow HTTP, but then to redirect all such requests over to SSL. If you’re doing SSL Acceleration on your ACE load-balancer anyway, your configuration will become simpler in the long-run since you won’t have to maintain as much duplicate configuration to handle different load-balance policies for plain-text HTTP and SSL.
The solution is to create a generic redirect rserver and serverfarm that can be reused by any SSL load-balance policy. For web applications that build absolute URLs, the web server may need to know that the client protocol has switched to SSL, otherwise it will generate needless redirects. An HTTP header can be inserted into the request toward the web server to inform it of the client protocol, using the de facto standard header X-Forwarded-Proto; using the standard Via header is another alternative and will be shown in an example.
Every network engineer reaches a point in their packet life where they need to gain a much better understanding of the type of traffic and patterns that traverse their network. From corporate users streaming Pandora and YouTube over your Direct Internet Access (DIA) circuits to Data Center spikes putting stress on uplinks, network engineers need to understand who is on the network, what is being done with it, where the packets are flowing, and when this all happens.
For most Cisco routers and higher-end enterprise switches or firewalls, NetFlow (the proprietary Cisco flow metering protocol) and the sFlow open standard (which, like so many others, is based on Cisco's original proprietary protocol, as many people forget) give insight into network traffic and patterns.