Forum Discussion

Ganesh_31405's avatar
Ganesh_31405
Icon for Nimbostratus rankNimbostratus
Nov 17, 2010

SSL on server

Hi,

I've minuscule knowledge about the LB configuration over SSL. This is my setup. I've an application server running in HTTPS (443 port) behind LB. In the LB, I've an VIP (10.223.x.x) created with 2 services (http and https). From client machine, when I access the VIP through http://10.223.x.x or https://10.223.x.x not able to hit my application server page. I'm always getting "page cannot be displayed"

 

 

 

In the VIP 443 service, I've tried setting SSL Client profile, SSL Server profile and with both the combination and nothing resolves. Any combinations I tried, end up getting the page cannot be displayed. I'm not sure what is the right approach to configure my LB, when server was running in HTTPS mode.

 

 

 

I want the communication between the Server and LB to bin HTTPS and LB to client in HTTP or even HTTPS is fine. All I need is to get my application server page, when running in SSL. I'm able to get that work, if it's running in HTTP. I'm able to hit my server page through SSL, If I access it directly through Internal Ip. Only when I access it through VIP, not able to get that working.

 

 

 

I appreciate any help on how to configure my LB (LB VE 10.2 version).

 

8 Replies

  • can u paste your virtual server, pool, profile configuration here?
  • So, I would concentrate on getting your HTTP virtual server working first. Sounds like SSL is not the only issue, if the HTTP virtual is not working either. As was stated earlier, it would be good to see the your config. LTM can be used to have any combination of SSL on either side of the conversation. We use this extensively to either offload SSL, or decrypt the payload for iRule use, the reload SSL to the target server.

     

  • With regard to your VIP 443 service, try no SSL profiles (client or server) and just a standard virtual server with a TCP profile (the defaults), this will give you HTTPS on both server and client side. Keep in mind at no point is this traffic decrypted at the LTM so you can not do anything with the payload, and you may want to use persistence depending on your app server - but that will not be necessary to get started with a response from the server.

     

     

    With regard to the VIP 80 service, you will need a serverssl profile to allow HTTP on the client side and HTTPS on the server side. If your app server SSL configuration requires X509 client auth, or if you are using certs signed by a CA not trusted by the LTM then you need to configure the serverssl profile appropriately, if not then again the default config should be fine.

     

     

  • Jason,

    I tried VIP with https service without client/server profile and only TCP profile. But still accessing the virtual ip through https doesn't hit my server and get the application login page.

     

    Let me brief my over all configuration

     

    My server running in internal IP :- 192.168.1.2 and configured to SSL (default port 443)

     

    For SSL, i've uploaded Trial certificate from Thawte. Accessing the server directly https://192.168.1.2 works fine

     

     

     

    Added a node member 192.168.1.2 : 80

     

     

     

    Created a pool, SVR1 and added this node as member

     

     

     

    Then created 2 VIP

     

    10.223.9.233 with service port 80

     

    (Protocol profile set to TCP, http profile set to http and no ssl profile set)

     

    Default pool set to SVR1

     

     

     

    10.223.9.233 with service port 443

     

    (Protocol profile set to TCP, http profile set to http and no ssl profile set)

     

     

     

     

     

    Now when I access https://10.223.9.233 or http://10.223.9.233 not able to hit the application server page which is running in SSL. When I remove the SSL in my server and make it to run in HTTP mode, I'm able to hit my server page.

     

     

     

     

     

    As you mentioned, I even tried to set serverssl profile in port 80 and still, not able to hit the server page. I'm not sure whether there is some handshake happening between my LB and server at all, when server in SSL mode. I've attached screen shot of the profile configuration of my VIP running in port 80

     

     

     

    I've been breaking my head for last couple of days and I greatly appreciate any help to get this resolved

     

  • 10.223.9.233 with service port 443

    (Protocol profile set to TCP, http profile set to http and no ssl profile set)

     

    what port was this pool listening on? was it 443?

     

     

    if it's not 443, would u mind trying 443?
  • I've tried both 80 and 443. This is what I tried. Created two pools with same node pointing to different port

    svr1_http: - 192.168.1.2:80

     

    Svr1_ssl: 192.168.1.2:443

     

     

     

    In the VIP 10.223.9.233:443

     

    , added svr_http pool and acess it through browser results in page cannot be displayed

     

    removed that pool and added SVr1_SSL. Accessing this VIP end with same error

     

  • this is mine.

    
    virtual bar {
       snat automap
       pool foo
       destination 172.28.17.59:https
       ip protocol tcp
    }
    pool foo {
       members 10.10.70.110:https {}
    }
    
     curl -Ik https://172.28.17.59
    HTTP/1.1 200 OK
    Date: Thu, 18 Nov 2010 04:47:16 GMT
    Server: Apache/2.0.59 (rPath)
    Last-Modified: Sun, 24 Oct 2010 20:57:08 GMT
    ETag: "65c0-123-1e67b100"
    Accept-Ranges: bytes
    Content-Length: 291
    Vary: Accept-Encoding
    Content-Type: text/html; charset=UTF-8
    
  • if it still does not work, tcpdump may help.

     

     

    to screen

     

    tcpdump -nni 0.0 \(host 172.28.17.79 or host 10.10.70.110\) and port 443

     

     

    to file

     

    tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.dmp \(host 172.28.17.79 or host 10.10.70.110\) and port 443