Ssl Transparent Proxy Configuration - Two Ssl Modules - Cisco 11503 - CSS Content Services Switch Configuration Manual

SSL Transparent Proxy Configuration
Cisco Content Services Switch SSL Configuration Guide
8-8
!*************************** OWNER ***************************
owner ap.com
content ssl-rule
vip address 192.168.5.5
protocol tcp
port 443
add service ssl_module1
active
content http-rule
vip address 192.168.5.5
protocol tcp
port 80
add service serverABC
add service serverDEF
add service serverGHI
advanced-balance cookies
active
This section provides an example configuration for an SSL transparent proxy
between a client, a CSS with two SSL modules, and three HTTP servers
(ServerABC, ServerDEF, and ServerGHI). A Layer 5 SSL sticky content rule is
used in the configuration to maintain stickiness of the client to a particular SSL
module. The Layer 5 SSL sticky content rule ensures SSL session ID reuse to
eliminate the rehandshake process (which speeds up the SSL negotiation process)
and to increase overall performance.
Figure 8-4 illustrates this transparent proxy configuration.
For purposes of illustration, the configuration example in
VIP address for the SSL content rule (ssl-rule) to be the same as the VIP address
for the HTTP content rule (http-rule). These two VIP addresses do not have to be
identical. Depending on the method that you choose to allow access to secure
content on your HTTP servers, you may require specification of a different VIP
address for the clear-text content rule to place it in nonroutable address space. In
this example, instead of specifying a VIP address of 192.168.5.5 for the http-rule
content rule, you could specify a VIP address of 10.1.1.5. The clear-text http-rule
will be unreachable from the Internet, which can offer you more flexibility and
granularity while allowing the CSS to be seamlessly integrated for secure
transactions.
Chapter 8 Examples of CSS SSL Configurations
Two SSL Modules
—
Figure 8-4 shows the
OL-5655-01