Broadcasting news, tips, and troubleshooting on networking technologies.
Entries in http (3)
A simple approach to handle sites that require SSL (HTTPS) encryption is to not allow plain-text HTTP, but that’s not very user-friendly and no one likes having to type extra characters into the browser to indicate HTTPS as the URI scheme. So the elegant solution for the client-side request is to allow HTTP, but then to redirect all such requests over to SSL. If you’re doing SSL Acceleration on your CSS 11500 load-balancer anyway, and you have public facing sites, you should also be doing HTTP-to-HTTPS (SSL) redirection.
Assuming you already have SSL termination configured, you’ll already have SSL and HTTP VIPs that work together. The trick is to add a different VIP (virtual IP address) for the SSL proxy and convert the existing HTTP rule to a redirect rule. Optionally, you could use a redirect service in the rule instead. Entire config snippets available here.
An interesting issue arose when trying to configure two L5 rules behind an SSL proxy on a Cisco CSS 11500.
When doing SSL termination on the CSS load-balancer, an ssl-proxy-list is configured to add a virtual server that ties the SSL VIP to the plain-text HTTP VIP used by the proxy.
Read up on configuring SSL termination on the CSS 11500 if you’re not familiar.
Normally, an SSL rule VIP is proxied to a single, matching plain-text HTTP VIP when you need to ensure the site is protected by SSL. This is done with two L4 rules, one matching [port] :443 and the other on :80. It’s not a requirement that the two VIPs match, but doing so will make your config easier to understand and conserve IP space. See the post on *todo* for CSS HTTP to HTTPS redirection.