
Blog (Broadcast)


Broadcasting news, tips, and troubleshooting on networking technologies.



Entries in ssl (2)


Cisco CSS 11500 HTTP-to-HTTPS (SSL) Redirection

A simple approach to handling sites that require SSL (HTTPS) encryption is to not allow plain-text HTTP at all, but that’s not very user-friendly, and no one likes having to type extra characters into the browser to indicate HTTPS as the URI scheme. The elegant solution for the client-side request is to allow HTTP, but then redirect all such requests over to SSL. If you’re doing SSL acceleration on your CSS 11500 load-balancer anyway, and you have public-facing sites, you should also be doing HTTP-to-HTTPS (SSL) redirection.

Assuming you already have SSL termination configured, you’ll already have SSL and HTTP VIPs that work together. The trick is to add a different VIP (virtual IP address) for the SSL proxy and convert the existing HTTP rule to a redirect rule. Optionally, you could use a redirect service in the rule instead. Entire config snippets are available here.



Cisco CSS 11500 L5 Rules via SSL Acceleration (proxy)

An interesting issue arose when trying to configure two L5 rules behind an SSL proxy on a Cisco CSS 11500.

When doing SSL termination on the CSS load-balancer, an ssl-proxy-list is configured to add a virtual server that ties the SSL VIP to the plain-text HTTP VIP used by the proxy.

Read up on configuring SSL termination on the CSS 11500 if you’re not familiar.

Normally, an SSL rule VIP is proxied to a single, matching plain-text HTTP VIP when you need to ensure the site is protected by SSL. This is done with two L4 rules, one matching [port] :443 and the other on :80. It’s not a requirement that the two VIPs match, but doing so will make your config easier to understand and conserve IP space. See the post on *todo* for CSS HTTP to HTTPS redirection.
