Problem with reencoding to RealServers in SubVS - Kemp sends encoded traffic to HTTP server.

0

Hello.

I have a problem making a working configuration with re-encryption.

There is one VS with HTTPS on port 443, and two SubVSs.
Traffic to the SubVSs is routed by Content Rules.

On the backend we have two Real Servers:

- first for domain xx.yy.zz (HTTPS on port 8443),
- second for domain aa.bb.cc (HTTP on port 80).

The first domain works. The second does not: KEMP is sending encrypted requests to the HTTP server, and on the Apache side we see logs like this:

10.0.0.9 - - [03/Apr/2017:14:57:25 +0200] "HEAD / HTTP/1.0" 200 274 "-" "KEMP 1.0"
10.0.0.9 - - [03/Apr/2017:14:57:34 +0200] "HEAD / HTTP/1.0" 200 274 "-" "KEMP 1.0"
10.0.0.9 - - [03/Apr/2017:14:57:43 +0200] "HEAD / HTTP/1.0" 200 274 "-" "KEMP 1.0"
10.0.0.12 - - [03/Apr/2017:14:57:51 +0200] "\x16\x03\x01\x02" 400 0 "-" "-"
10.0.0.9 - - [03/Apr/2017:14:57:52 +0200] "HEAD / HTTP/1.0" 200 274 "-" "KEMP 1.0"

As you can see, Real Server health checking works: there is an HTTP 200 status for the KEMP requests.
But when we initiate a connection via the VS, KEMP sends encrypted requests to the ordinary HTTP (not HTTPS) server.

What is configured wrong? Are mixed (HTTP and HTTPS) Real Servers supported for the same VS?
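The Apache lines above are the useful signal here: a request field that starts with \x16\x03 is a TLS handshake record (a ClientHello) delivered to a listener that expects plaintext HTTP, which is what a re-encrypt setting reaching an HTTP Real Server looks like from the server side. The following is an added example, not part of the original post and not Kemp's code: it parses Apache combined-format access lines and separates KEMP health checks from TLS-to-plaintext misfires, using the five log lines from the post as its sample input.

```python
import re

# Apache combined log format; the sample below copies the five lines from the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = r"""10.0.0.9 - - [03/Apr/2017:14:57:25 +0200] "HEAD / HTTP/1.0" 200 274 "-" "KEMP 1.0"
10.0.0.9 - - [03/Apr/2017:14:57:34 +0200] "HEAD / HTTP/1.0" 200 274 "-" "KEMP 1.0"
10.0.0.9 - - [03/Apr/2017:14:57:43 +0200] "HEAD / HTTP/1.0" 200 274 "-" "KEMP 1.0"
10.0.0.12 - - [03/Apr/2017:14:57:51 +0200] "\x16\x03\x01\x02" 400 0 "-" "-"
10.0.0.9 - - [03/Apr/2017:14:57:52 +0200] "HEAD / HTTP/1.0" 200 274 "-" "KEMP 1.0"
"""

def unescape_request(req):
    """Apache writes non-printable request bytes as \\xNN; recover the raw bytes."""
    return req.encode("ascii").decode("unicode_escape").encode("latin-1")

def classify(line):
    """Return (client_ip, status, kind) for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = unescape_request(m.group("req"))
    # 0x16 = TLS handshake record type, 0x03 = SSL/TLS major version: a ClientHello
    # arrived at a listener that expected plaintext HTTP, so Apache answered 400.
    if raw[:2] == b"\x16\x03":
        kind = "tls_to_plaintext"
    elif m.group("ua").startswith("KEMP"):
        kind = "lb_health_check"   # LoadMaster Real Server check; 200 means the server is up
    else:
        kind = "client"
    return m.group("ip"), int(m.group("status")), kind

def summarize(log_text):
    """Count lines per kind and collect source IPs that sent TLS to the HTTP listener."""
    counts, offenders = {}, set()
    for line in log_text.splitlines():
        rec = classify(line.strip())
        if rec is None:
            continue
        ip, _status, kind = rec
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "tls_to_plaintext":
            offenders.add(ip)
    return counts, sorted(offenders)
```

Health checks passing while a different source address produces 400s on TLS bytes is the pattern to alert on: the check path and the client path are not treated the same way by the load balancer.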

3 comments

0
Mark Deegan

Hello,

When sorting traffic using content rules, you must remember that the SSL offload and re-encrypt settings are set on the parent. So the traffic being sent may be on port 80 for the real servers, but it is encrypted because the parent VS is re-encrypting the traffic. To have 2 separate servers on the back-end, one with encryption and one without, you will need to create 2 VIPs. On the main one, have the only real server be the second VIP under aa.bb.cc and set the port to 443. On the second VIP, have SSL offloading only, with the real servers behind it.

Best regards

Mark

0
andrzej.wasilewski

Thanks Mark, it looks promising.

I made the changes, but another problem occurs. Currently the configuration looks as below (please check that it is correct - is it what you proposed?):

VIP1 (frontend) is configured to listen on port 443, HTTPS, no re-encryption.
It has 2 SubVSs and 2 Content Rules configured.
The first rule redirects connections to domain aa.bb.cc to the first SubVS, where a Real Server that works on pure HTTP is configured.
The second rule redirects connections to domain xx.yy.zz to the second SubVS, where the IP address of VIP2 is configured.

VIP2 is configured to listen on port 4443, HTTPS, no re-encryption.
It has 1 Real Server configured (no SubVS, no Content Rules). The Real Server has HTTPS on port 8443.

Connections via VIP1 to domain aa.bb.cc are working well.
Connections via VIP1 to domain xx.yy.zz are not. The content rule that redirects traffic to VIP2 works - I can see it in the statistics, VIP2's counters grow. But its Real Server counters do not grow.
Direct connections via VIP2 to xx.yy.zz are working well.

What is wrong? It looks like connections to domain xx.yy.zz forwarded from VIP1 to VIP2 are not understood on VIP2. I tried re-encryption on VIP2 as well.

0
andrzej.wasilewski

After switching the Real Servers (SSL servers on VIP1 with re-encryption, and pure HTTP on VIP2) it works.