
Blog (Broadcast)


Broadcasting news, tips, and troubleshooting on networking technologies.



Entries in http (3)


Magic cookie to toggle backend server farm from prod to stg

Normally, testing against a staging environment uses hostnames dedicated to that purpose, distinct from the production hostnames.  These hostnames map to different VIPs (Virtual IPs) on a load-balancer, which direct the traffic flow to the appropriate backend server farm.  This works well when the client can easily and manually switch the hostname between staging and prod.
Testing mobile apps and third-party sites that may link back to yours poses an issue:  How do you control the hostname linked to you so it hits your staging environment for testing?  Not easily.  On a desktop or laptop, testers happily </sarcasm> modify their local hosts file to get a production hostname to use the VIP (or IP address) for the staging (STG) environment.



Cisco CSS 11500 HTTP-to-HTTPS (SSL) Redirection

A simple approach to handle sites that require SSL (HTTPS) encryption is to not allow plain-text HTTP, but that’s not very user-friendly and no one likes having to type extra characters into the browser to indicate HTTPS as the URI scheme.  So the elegant solution for the client-side request is to allow HTTP, but then to redirect all such requests over to SSL.  If you’re doing SSL Acceleration on your CSS 11500 load-balancer anyway, and you have public facing sites, you should also be doing HTTP-to-HTTPS (SSL) redirection.

Assuming you already have SSL termination configured, you’ll already have SSL and HTTP VIPs that work together.  The trick is to add a different VIP (virtual IP address) for the SSL proxy and convert the existing HTTP rule to a redirect rule.  Optionally, you could use a redirect service in the rule instead.  Entire config snippets available here.



Cisco CSS 11500 L5 Rules via SSL Acceleration (proxy)

An interesting issue arose when trying to configure two L5 rules behind an SSL proxy on a Cisco CSS 11500.

When doing SSL termination on the CSS load-balancer, an ssl-proxy-list is configured to add a virtual server that ties the SSL VIP to the plain-text HTTP VIP used by the proxy.

Read up on configuring SSL termination on the CSS 11500 if you’re not familiar.

Normally, an SSL rule VIP is proxied to a single, matching plain-text HTTP VIP when you need to ensure the site is protected by SSL.  This is done with two L4 rules, one matching port :443 and the other :80.  It’s not a requirement that the two VIPs match, but doing so will make your config easier to understand and conserve IP space.  See the post on *todo* for CSS HTTP to HTTPS redirection.
