Application Delivery (ADX)

Occasional Contributor
Posts: 12
Registered: ‎07-16-2009

SSL-Offload and CSW

Hello,

I have the current environment:

- ADX1016-2 with SSL-Offload License, Switchcode ASM12303

- <rewrite request-insert client-ip> for http

- ssl-offload termination

SSL-Offload works, rewrite request-insert client-ip for http too. Combined (ssl-offload and request-insert client-ip for ssl/https) it doesn't work. I've used this thread:

I've configured a second csw-policy too, without success.

If I use the command <port ssl csw> under <server virtual vip>, ssl-offload doesn't work. I don't list the whole config for <server port XX>:

ssl profile abc
 keypair-file abc.key
 certificate-file abc.crt
 cipher-suite all-cipher-suites
 enable-ssl-v2
 enable-certificate-chaining
 session-cache both
!
server source-nat
server source-nat-ip 1.1.1.100 255.255.255.0 1.1.1.254 port-range 2 (for-ssl is obsoleted)
!
csw-rule "insert-ip" url suffix "HTTP_X_CLIENT_IP"
!
csw-policy "insert-ip"
 match "insert-ip" forward 1
 match "insert-ip" rewrite request-insert client-ip "HTTP_X_CLIENT_IP"
 default forward 2
 default rewrite request-insert client-ip "X_CLIENT_IP"
!
server real server01 1.1.1.1
 source-nat
 port http
 port http keepalive
 port http url "HEAD /"
 port http l4-check-only
 port 881
 port 881 healthck p881-194
 port 881 keepalive
 port 8001
 port 8001 keepalive
 port 8001 l4-check-only
 port 8011
 port 8011 keepalive
 port 8011 l4-check-only
 port ssl
 port ssl group-id  1 1
!
server real server02 1.1.1.2
 source-nat
 port http
 port http keepalive
 port http url "HEAD /"
 port http l4-check-only
 port 8002
 port 8002 keepalive
 port 8002 l4-check-only
 port 881
 port 881 healthck p881-195
 port 881 keepalive
 port 8021
 port 8021 keepalive
 port 8021 l4-check-only
 port ssl
 port ssl group-id  2 2
server virtual vip 1.1.1.3
 predictor response-time
 port http sticky
 port http csw-policy "insert-ip"
 port http csw
 port http keep-alive
 port 81 sticky
 port 81 csw-policy "insert-ip"
 port 81 csw
 port 81 keep-alive
 port 82 sticky
 port 82 csw-policy "insert-ip"
 port 82 csw
 port 82 keep-alive
 port 801 sticky
 port 801 csw-policy "insert-ip"
 port 801 csw
 port 801 keep-alive
 port 802 sticky
 port 802 csw-policy "insert-ip"
 port 802 csw
 port 802 keep-alive
 port ssl
 no port ssl sticky
 port ssl ssl-terminate wkd
 port ssl csw-policy "insert-ip"
 port ssl csw
 bind http server01 881 server02 881
 bind 81 server01 8001 real-port 881
 bind 82 server02 8002 real-port 881
 bind 801 server01 8011 real-port http
 bind 802 server02 8021 real-port http
 bind ssl server01 ssl real-port 881 server02 ssl real-port 881


Thank you to all for any help and kind regards

Sven

Occasional Contributor
Posts: 9
Registered: ‎01-05-2010

Re: SSL-Offload and CSW

Sven,

A few things to check:

1. Does ssl work without csw?

      If not: in the ssl profile you have mentioned "enable-certificate-chain"; is abc.crt a chained certificate? If it is not a chained certificate, then please remove that configuration.

2. Your configuration looks fine. I am not sure if you are actually sending a URL with suffix "HTTP_X_CLIENT_IP"; anyway, your traffic should hit the default rule and the client IP should get inserted. To troubleshoot, you can run "url debug 3 <client-ip>" under the BP where the traffic hits.

Sample:

Let's say your client hits BP 1/1 and the client IP is 80.0.0.107:

ServerIronADX 4000#rcon 1  1
ServerIronADX 40001/1#url debug 3 80.0.0.107
ServerIronADX 40001/1#
C 54266: WAIT_REQ(2), data 1= 158, 80.0.0.107:54266->100.0.0.1:443
        No CSW rule hit, take default action 1
        Method <GET>
        Version <HTTP/1.1>
        Host: <100.0.0.1> Length = 9
        CRLFCRLF <\r\n\r\n> Length = 4
        URL </hosts> Length = 6
        Rewrite msg (0x00000008).
        Set CSW FW RW 128: seq:0x00000015, del:0, insert:<NULL>(len:0)
        Insert header (Client-IP: 80.0.0.107) at 21(21)!     <--- CHECK FOR THIS
        Rew(0x00000008)         NULL len:0 in         NULL len0 at seq:0, parsed offset:0
        Append 1(len: 158) pkts to 0(len: 0) pkts.
        RW data (len:158)...
        URL_REW: rew_seq 21, rew_pos 21, increased_len 54, insert_len 0, clientcert_len 0, delete_len -54, tcp_data_len 158
        Append 1(len: 212) pkts to 0(len: 0) pkts.
        Save c.rx 0 s.tx 0pkts, wait for server conn.
        Append 1(len: 212) pkts to 0(len: 0) pkts.
        Send 0 pkts with 1 old ones on s.tx to server
S 28160: REQ_SENT(6), data 1= 704, 200.0.0.250:28160<-200.0.0.200:8080
        REQ_SENT->REPLY_SENT
        forward to client
        Free single stored packets (0/0).
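As an added example (not from this thread and not Brocade code), here is a small Python checker for the "url debug 3 <client-ip>" transcript shape Arun shows above. It parses the C/S connection lines, the default-action line and the "Insert header" line, then reports whether the client-ip rewrite actually happened for the expected client and whether the request reached a real server. The embedded transcript is constructed from the sample above; the assumption that the left-hand address of a C line is the client and the right-hand address of an S line is the real server is taken from that sample (the connection number matches the left-hand port there), nothing else is assumed about the ADX output.

```python
import re

# Constructed sample, modelled on the "url debug 3 <client-ip>" transcript in
# Arun's post: client 80.0.0.107 -> VIP 100.0.0.1:443, header inserted, request
# relayed to a real server via the source-NAT address 200.0.0.250.
SAMPLE_DEBUG = """\
C 54266: WAIT_REQ(2), data 1= 158, 80.0.0.107:54266->100.0.0.1:443
        No CSW rule hit, take default action 1
        Method <GET>
        Version <HTTP/1.1>
        Host: <100.0.0.1> Length = 9
        URL </hosts> Length = 6
        Rewrite msg (0x00000008).
        Insert header (Client-IP: 80.0.0.107) at 21(21)!
        Send 0 pkts with 1 old ones on s.tx to server
S 28160: REQ_SENT(6), data 1= 704, 200.0.0.250:28160<-200.0.0.200:8080
        REQ_SENT->REPLY_SENT
        forward to client
"""

# The same transcript without the insert line: the symptom Sven reports on the
# SSL port (the request is served, but no header insert is ever logged).
SAMPLE_NO_INSERT = "\n".join(
    line for line in SAMPLE_DEBUG.splitlines() if "Insert header" not in line) + "\n"

# Line shapes copied from the transcript above; any other line is ignored.
CONN_RE = re.compile(
    r"^(?P<side>[CS]) (?P<conn>\d+): (?P<state>\w+)\(\d+\), data 1= (?P<len>\d+), "
    r"(?P<left>[\d.]+):(?P<lport>\d+)(?P<arrow>->|<-)(?P<right>[\d.]+):(?P<rport>\d+)$")
DEFAULT_RE = re.compile(r"^No CSW rule hit, take default action (?P<action>\d+)")
INSERT_RE = re.compile(r"^Insert header \((?P<name>[^:]+): (?P<value>[^)]+)\) at (?P<pos>\d+)")


def parse_url_debug(text):
    """Return the client (C) and server (S) connection records, the CSW default
    action taken, and every header the ADX reports inserting."""
    out = {"client": None, "server": None, "default_action": None, "inserted": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = CONN_RE.match(line)
        if m:
            rec = {k: m.group(k) for k in
                   ("conn", "state", "len", "left", "lport", "arrow", "right", "rport")}
            out["client" if m.group("side") == "C" else "server"] = rec
            continue
        m = DEFAULT_RE.match(line)
        if m:
            out["default_action"] = int(m.group("action"))
            continue
        m = INSERT_RE.match(line)
        if m:
            out["inserted"].append((m.group("name"), m.group("value"), int(m.group("pos"))))
    return out


def real_server(parsed):
    """Address of the real server on the S connection, or None if there was none.
    Assumption (from the sample): the left-hand side of an S line is the ADX
    source-NAT end, the right-hand side is the real server."""
    s = parsed["server"]
    return None if s is None else f'{s["right"]}:{s["rport"]}'


def verify_client_ip_insert(text, expected_client_ip, header_name=None):
    """Return a list of problems; an empty list means the policy did what it should:
    the expected client was seen, its IP was inserted as a header, and the
    request was handed to a real server."""
    p = parse_url_debug(text)
    problems = []
    if p["client"] is None:
        return ["no client (C) connection line: traffic did not reach the CSW path"]
    # Assumption (from the sample): the left-hand side of a C line is the client.
    client_ip = p["client"]["left"]
    if client_ip != expected_client_ip:
        problems.append(f"client line is for {client_ip}, not {expected_client_ip}")
    hits = [h for h in p["inserted"] if header_name is None or h[0] == header_name]
    if not hits:
        problems.append("no 'Insert header' line: the client-ip rewrite did not happen")
    for name, value, _pos in hits:
        if value != expected_client_ip:
            problems.append(f"header {name} carries {value}, expected {expected_client_ip}")
    if p["server"] is None:
        problems.append("no server (S) connection line: request never reached a real server")
    return problems


if __name__ == "__main__":
    for label, sample in (("with insert", SAMPLE_DEBUG), ("without insert", SAMPLE_NO_INSERT)):
        print(label, "->", verify_client_ip_insert(sample, "80.0.0.107") or "OK",
              "| real server:", real_server(parse_url_debug(sample)))
```

Paste the captured transcript in place of SAMPLE_DEBUG and pass the client address you used in "url debug 3"; an empty problem list is the "CHECK FOR THIS" line confirmed, and a missing-insert result on the SSL port while the HTTP port passes isolates the failure to the rewrite stage rather than to the binding.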

Occasional Contributor
Posts: 9
Registered: ‎01-05-2010

Re: SSL-Offload and CSW


After you run url debug 3 <client-ip> , stop the traffic using url debug 0 <client-ip>.

Occasional Contributor
Posts: 12
Registered: ‎07-16-2009

Re: SSL-Offload and CSW

Hello Arun,

thank you for your answer, but it doesn't work.

You ask:

1. Does ssl work without csw? Yes. I can use "https://www.abc.com" and I get content, although port 443 on the real server isn't up.

          If not: in the ssl profile you have mentioned "enable-certificate-chain"; is abc.crt a chained certificate? If it is not a chained certificate, then please remove that configuration. I disabled this, session-cache and ssl-v2 too, for testing.

If I use the command url debug 3 "source-IP", I can't see my source IP; with HTTP I see it. With HTTP I see the "CSW action" too.

I have no more ideas.

Today I will leave my office and I'm back on 3 September. In this time I can't do anything.

Thanks Sven

Brocadian
Posts: 70
Registered: ‎03-14-2009

Re: SSL-Offload and CSW

Hi Sven,

just tried your setup here in my lab successfully. Just one difference with the binding:

bind ssl realserver http

Hence for your case just change the http to 881.

Alex

Occasional Contributor
Posts: 12
Registered: ‎07-16-2009

Re: SSL-Offload and CSW

Hi Alex,

thank you for your answer.

I must use the bind at port 881, but maybe the problem is the "alias port" configuration?

Then I will reconfigure the following binds:

Now:

bind http server01 881 server02 881

bind ssl server01 ssl real-port 881 server02 ssl real-port 881


Then:

bind http server01 8811 real-port 881 server02 8811 real-port 881

bind ssl server01 881 server02 881


Tomorrow I will report the issue.


Sven


Occasional Contributor
Posts: 12
Registered: ‎07-16-2009

Re: SSL-Offload and CSW

Hi again,

here is my update:

I reconfigured the binding:

bind http server01 8080 real-port 881 server02 8080 real-port 881

bind ssl server01 881 server02 881

All works fine. HTTP runs, SSL-Offload runs, Insert-Client-IP without SSL works.

If I activate the command "port ssl csw", it seems the SSL-Offload stops. I don't understand this.

Here is the related config again:

ssl profile abc
 keypair-file abc.key
 certificate-file abc.crt
 cipher-suite all-cipher-suites
 enable-ssl-v2
 enable-certificate-chaining
 session-cache both
csw-policy "insert-ip"
 default forward 1
 default rewrite request-insert client-ip "X_CLIENT_IP"
server virtual virt01
 port http sticky
 port http csw-policy "insert-ip"
 port http csw
 port http keep-alive
 port 881 sticky
 port 881 csw-policy "insert-ip"
 port 881 csw
 port 881 keep-alive
 port ssl
 no port ssl sticky
 port ssl ssl-terminate abc
 port ssl csw-policy "insert-ip"
 port ssl csw (doesn't work)
 bind http server01 8080 real-port 881 server02 8080 real-port 881
 bind ssl server01 881 server01 881

Kind regards

Sven

Contributor
Posts: 24
Registered: ‎11-03-2010

Re: SSL-Offload and CSW

Hi Sven, you define the CSW on port 881 of the virtual server.

If you want to use CSW on port 443 (HTTPS) of the virtual server, you need to define that also with 'port ssl ...' commands.

-Alex

Occasional Contributor
Posts: 12
Registered: ‎07-16-2009

Re: SSL-Offload and CSW

Hi Alex,

I did this:

port ssl ssl-terminate abc
port ssl csw-policy "insert-ip"
port ssl csw (doesn't work)


I have activated and deactivated "port 881 csw" too.


Kind regards

Sven
