HTTPS to HTTP SubVS - struggling to get working

0

In my homelab I have a couple of VMs that are accessible over HTTP. My knowledge is not sophisticated enough to reconfigure them for HTTPS (e.g. calibre / pihole).

With the KEMP FLB I can get the following working fine using VS and SubVS for my services (synology, pihole, kemp, calibre, guacamole, www). I like the idea of only having one exposed IP and port number and letting FLB do the heavy lifting.

Works:

HTTP redirect to HTTPS

HTTP > HTTP

HTTPS > HTTPS

However, I simply cannot get HTTPS > HTTP SubVS working. On the SubVS side of things I am selecting the correct port for the RS, e.g. 80. I get 404 errors, failed to connect, and connection reset errors.

I'm using SSL acceleration, and I have my wildcard SSL certificate installed without any issues. I've looked at the debug log and the content rule is being picked up; it's identifying the correct RS and even the RS port number. The only thing I can think of is that it's still trying to send SSL traffic to port 80 on the RS.

I'm pretty sure I'm missing something basic, any tips or clues?

Are you not allowed / able to have a VS (port 443) with a mix of SubVS using HTTP and HTTPS?

3 comments

0
Tony Vaughan

Hi Steve

SSL acceleration is only available on the main VS,
so traffic hitting the main VS can be the following:

  • HTTPS (no SSL offloading)
  • HTTP (SSL offloading)
  • HTTPS (SSL offloading & SSL re-encrypted)


If you have the following setup

client -> VS (443)
            ->    SubVS 1    (HTTPS)
            ->    SubVS 2    (HTTP)

then traffic hitting the SubVS will be either HTTPS or HTTP, but not both at the same time.
To answer your last question, it is not possible to separate them using a single VS.

To get this working I would recommend using a "nested VS",
for example:

Traffic to VS 1:
using SSL offloading and re-encryption,
content match on this traffic;
if this traffic is for an HTTPS service send it to SubVS 1,
if this traffic is for an HTTP service send it to SubVS 2.

Content rule examples
https://support.kemptechnologies.com/hc/en-us/articles/115004181826-Content-Rule-Examples

SubVS 1 has the real servers list
SubVS 2 has a 302 redirect to VS 2

Traffic to VS 2 (SSL offloaded to HTTP):
send traffic to the real server on HTTP.

client    -> VS1 (443) SSL offload & Re-encrypt (match to subVS using content rules)
            ->    SubVS 1    (HTTPS) -> real servers HTTPS 443
            ->    SubVS 2    (HTTP) 302 HTTP redirect -> VS 2
        -> VS2 (443) SSL offload -> real servers HTTP 80

0
steverhysjenks

Thanks Tony,

Your post is helpful; on the whole you get what I'm trying to achieve.

I've tweaked what I have configured to match the following:

client    -> VS1 (443) SSL offload & Re-encrypt (match to subVS using content rules)
            ->    SubVS 1    (HTTPS) -> real servers HTTPS 443
            ->    SubVS 2    (HTTP) 302 HTTP redirect -> VS 2

        -> VS2 (443) SSL offload -> real servers HTTP 80

The redirect URL: is this going to be the VIP of VS2 or the new content rule URL for VS2?

0
Tony Vaughan

Correct, the redirect URL will be the IP address/FQDN of VS 2.
If you are using the same public address you can use the same VS IP but with a different port,
e.g.
VS 1 10.110.50.3:443
VS 2 10.110.50.3:8443

Just a side note in case this question comes up later on:
the LoadMaster shouldn't offload and re-encrypt traffic twice, as this can break the SSL connection;
this is a common question with load balancing ADFS Proxy and ADFS Farms.

In this scenario,
since SubVS 2 is a redirect, it's a new connection to VS 2, so it's only offloaded once on the LoadMaster.
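The nested-VS layout Tony describes (VS1 on 443 with a content rule choosing between an HTTPS SubVS and a redirecting SubVS, and VS2 on 8443 offloading to an HTTP real server) is easy to get subtly wrong, so here is a runnable simulation of the routing logic plus a client-side probe that follows the redirect the way a browser would and flags a redirect loop. This is an added example, not KEMP LoadMaster configuration or code from the thread. It abstracts TLS termination away (every hop is plain HTTP on 127.0.0.1 so it runs offline); the hostnames, the `HTTP_ONLY_HOSTS` content rule, the `VIP_MAP` port table and all function names are assumptions.

```python
"""Simulation of the thread's nested-VS layout (added example, not KEMP code):

    client -> VS1 (443): content rule on Host -> SubVS1 proxies to an HTTPS RS
                                              -> SubVS2 answers 302 to VS2
           -> VS2 (8443): proxies to an HTTP RS on port 80

TLS is abstracted away: every hop is plain HTTP on 127.0.0.1 so this runs offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Content rule (assumption): names whose backend only speaks HTTP go via SubVS2.
HTTP_ONLY_HOSTS = {"calibre.example.home", "pihole.example.home"}
VS2_PORT = 8443  # "same VIP, different port" as suggested in the thread


def _serve(handler_cls):
    """Start a handler on an ephemeral localhost port; return that port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


class _Backend(BaseHTTPRequestHandler):
    """Mock real server: identifies itself and echoes the request path."""
    name = "backend"

    def do_GET(self):
        body = f"{self.name} served {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class HttpsRS(_Backend):
    name = "https-rs:443"  # stands in for the re-encrypted HTTPS real server


class HttpRS(_Backend):
    name = "http-rs:80"    # stands in for the plain-HTTP real server


HTTPS_RS_PORT = _serve(HttpsRS)
HTTP_RS_PORT = _serve(HttpRS)


def _proxy(handler, rs_port):
    """Forward the request to a real server and relay the response back."""
    conn = http.client.HTTPConnection("127.0.0.1", rs_port, timeout=5)
    conn.request("GET", handler.path, headers={"Host": handler.headers.get("Host", "")})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    handler.send_response(resp.status)
    handler.send_header("Content-Length", str(len(body)))
    handler.end_headers()
    handler.wfile.write(body)


class VS1(BaseHTTPRequestHandler):
    """VS1 (443, offload + re-encrypt): content rule on Host picks the SubVS."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host in HTTP_ONLY_HOSTS:
            # SubVS2: 302 to VS2 on the same name, different port. Path and
            # query are preserved so deep links still work after the hop.
            self.send_response(302)
            self.send_header("Location", f"https://{host}:{VS2_PORT}{self.path}")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            _proxy(self, HTTPS_RS_PORT)  # SubVS1 -> real server on HTTPS 443

    def log_message(self, *args):
        pass


class VS2(BaseHTTPRequestHandler):
    """VS2 (8443, offload only): the real server speaks HTTP on port 80."""

    def do_GET(self):
        _proxy(self, HTTP_RS_PORT)

    def log_message(self, *args):
        pass


VS1_PORT = _serve(VS1)
VS2_LISTEN_PORT = _serve(VS2)
# Maps the advertised VIP port to the local mock listener (assumption).
VIP_MAP = {443: VS1_PORT, VS2_PORT: VS2_LISTEN_PORT}


def probe(host, path, vip_map=VIP_MAP, max_hops=5):
    """Request like a browser: hit VS1 first, follow redirects, each hop a new
    connection (so each is offloaded once). Returns (status, body, hops);
    raises RuntimeError on a redirect loop or too many hops."""
    url, seen, hops = f"https://{host}:443{path}", set(), 0
    while True:
        if url in seen:
            raise RuntimeError(f"redirect loop at {url}")
        seen.add(url)
        parts = urlsplit(url)
        conn = http.client.HTTPConnection("127.0.0.1", vip_map[parts.port], timeout=5)
        target = parts.path + (f"?{parts.query}" if parts.query else "")
        conn.request("GET", target, headers={"Host": parts.netloc})
        resp = conn.getresponse()
        body, loc = resp.read().decode(), resp.getheader("Location")
        conn.close()
        if resp.status in (301, 302, 307, 308) and loc:
            hops += 1
            if hops > max_hops:
                raise RuntimeError("too many redirects")
            url = loc
            continue
        return resp.status, body, hops


def has_redirect_loop(host, path, vip_map):
    """True if the layout described by vip_map bounces the client forever,
    e.g. when the VS2 port is accidentally served by the redirecting VS1."""
    try:
        probe(host, path, vip_map)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    print(probe("calibre.example.home", "/library?q=x"))  # via 302 to the HTTP RS
    print(probe("www.example.home", "/"))                 # straight to the HTTPS RS
```

The probe's `hops` value makes the thread's side note concrete: the HTTP-only service costs exactly one extra round trip and a second TCP connection, which is why the LoadMaster only terminates TLS once per connection. Pointing the 8443 entry of `VIP_MAP` at VS1 reproduces the classic misconfiguration (VS2 defined with the same content rule or SubVS as VS1), and `has_redirect_loop` catches it instead of letting the client bounce until it gives up.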