Topic
  • 14 replies
  • Latest Post - 2012-12-05T16:17:39Z by Liv2luv
SystemAdmin (6772 Posts)

Pinned topic var://service/routing-url-sslprofile does not change SSL Proxy profile

2012-11-28T09:43:38Z
For a client, I'm trying to implement the following scenario:

  • DataPower XG45 which has one public IP-address.
  • only port 443 is open to that public IP.
  • Based on the FQDN/DNS-name that was used to access the IP of the DataPower:
    - a certain service on the DataPower or a certain backend should be chosen.
    - a certain wildcard-certificate should be offered

Example:
via a browser I'm going to the following url:
  • https://service1.prod.company.com should bring me to an internal webserver service1.prod.company.int and offer the *.prod.company.com wildcard-certificate to the browser
  • https://service1.test.company.com should bring me to an internal webserver service1.test.company.int and offer the *.test.company.com wildcard-certificate to the browser

The first part: routing based on the FQDN works without problems:
  • using a matching rule for the url https://service1.prod.company.com* and an XSL route action route_prod.xsl:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions" extension-element-prefixes="dp">
  <xsl:template match="/">
    <!-- backend for the prod domain; the incoming URI is preserved -->
    <dp:set-variable name="'var://service/routing-url'"
        value="concat('http://service1.prod.company.int', dp:variable('var://service/URI'))"/>
  </xsl:template>
</xsl:stylesheet>


  • using a matching rule for the url https://service1.test.company.com* and an XSL route action route_test.xsl

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions" extension-element-prefixes="dp">
  <xsl:template match="/">
    <!-- backend for the test domain; the incoming URI is preserved -->
    <dp:set-variable name="'var://service/routing-url'"
        value="concat('http://service1.test.company.int', dp:variable('var://service/URI'))"/>
  </xsl:template>
</xsl:stylesheet>


Now I'm trying to set the SSL proxy profile based on the executed action by setting the routing-url-sslprofile variable.

I created two SSL Proxy Profile
  • ssl_test_company, which offers the *.test.company.com wildcard-certificate
  • ssl_prod_company, which offers the *.prod.company.com wildcard-certificate

I changed the XSL as follows:
route_test.xsl:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions" extension-element-prefixes="dp">
  <xsl:template match="/">
    <!-- SSL proxy profile used for the connection to the backend -->
    <dp:set-variable name="'var://service/routing-url-sslprofile'" value="'ssl_test_company_be'"/>
    <!-- backend for the test domain; the incoming URI is preserved -->
    <dp:set-variable name="'var://service/routing-url'"
        value="concat('http://service1.test.company.int', dp:variable('var://service/URI'))"/>
  </xsl:template>
</xsl:stylesheet>


route_prod.xsl:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions" extension-element-prefixes="dp">
  <xsl:template match="/">
    <!-- SSL proxy profile used for the connection to the backend -->
    <dp:set-variable name="'var://service/routing-url-sslprofile'" value="'ssl_prod_company_be'"/>
    <!-- backend for the prod domain; the incoming URI is preserved -->
    <dp:set-variable name="'var://service/routing-url'"
        value="concat('http://service1.prod.company.int', dp:variable('var://service/URI'))"/>
  </xsl:template>
</xsl:stylesheet>


Only this doesn't seem to have any effect on the certificate that is offered to the browser...
If I look using the probe, the variable is changed correctly, but it seems that no action is taken on it.

Any ideas how to solve this issue or maybe there is another solution?
Thanks in advance!
  • kenhygh (1607 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-11-28T10:54:58Z
    Jens,
    First, routing-url-sslprofile sets the proxy for backend calls, not front end. For the browser/front end, you'll need to have two separate FSHs each with their own SSL proxy profile with an idcred containing the appropriate browser.

    BTW, it's really a bad idea to have test and prod on the same device.

    Ken
  • SystemAdmin (6772 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-11-28T12:49:24Z
    Ken,

    Thanks for your reply.
    So if I understand correctly, we will need another port number or another IP-address to be able to create two Front Side Handlers and to present the two different certificates?

    Test and prod was only an example and it does not involve DataPower test or prod environments but backend-application testing in different domains.
  • SystemAdmin (6772 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-11-28T12:59:33Z
    Sorry for the extra message but does this mean that if we want to present a different certificate for every service which we define on the DataPower, we need to use a different IP-address? (considering we do not want to change the port 443)
  • swlinn (1348 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-11-28T19:06:48Z
    Each HTTPS front side handler should present its own certificate, hopefully matching the domain name of the dns name used, but each front side handler must have a unique IP and port, so if you don't want to change the port, you must have a unique IP. You can associate multiple IPs with an interface by specifying them as the secondary IPs of the interface.

    Regards,
    Steve
  • SystemAdmin (6772 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-11-28T20:54:23Z
    I know about the existence of the secondary IP but could you tell me if we can use that in combination with the active/standby of the XG45? Is the secondary IP like a subinterface and can we add the subinterface also to a separate standby group?

    At this time, I don't have access to the device to test this.

    We currently have the following setup:

    • XG45 #1 IP: 1.1.1.2 (active)
      -- virtual IP: 1.1.1.4 (used by DNS)
    • XG45 #2 IP: 1.1.1.3 (standby)

    So if we want to be able to present a different certificate to a different DNS-name, we need to create an extra public (secondary) IP per appliance?
  • kenhygh (1607 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-11-28T21:21:14Z
    Yes. And if you want failover on that other address, you'll need another VIP and standby.

    Ken
  • SystemAdmin (6772 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-11-29T10:29:17Z
    Just to be clear:
    so is it possible to create a secondary address and a separate standby group for that secondary address on both DataPowers?
    We would like to keep the current cabling, and it would be very impractical to add a physical cable to have the extra IPs.
  • kenhygh (1607 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-11-29T11:06:23Z
    You do not need to add cables. You just need to reserve additional IP addresses and have your boxes listen to those secondary addresses.

    Each interface can listen to multiple IP addresses. To do this, while logged in to the default domain with administrative privileges, you can add secondary addresses to your enabled interface.

    You then bind service 1 to the primary address, and service 2 to the secondary address.

    This is similar to virtual hosts in an HTTP server configuration, if that helps.

    Ken
  • SystemAdmin (6772 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-11-29T13:54:49Z
    Ken,

    I know that such is possible, I only worry if the secondary address is usable with the virtual IP and a standby group.

    Currently we have for example:
    • DP#1: interface eth0, IP:1.1.1.2, standby group: 1
    • DP#2: interface eth0, IP:1.1.1.3, standby group: 1
    • virtual IP:1.1.1.4 for standby group 1

    Equal services are bound to eth0 on both DPs and the DNS-names resolve to 1.1.1.4.

    Is it possible to create on the same eth0 interface a secondary address, but for a different standby group, as follows:
    • DP#1: interface eth0, primary IP:1.1.1.2, standby group: 1
    • DP#1: interface eth0, secondary IP:1.1.1.5, standby group: 2
    • DP#2: interface eth0, primary IP:1.1.1.3, standby group: 1
    • DP#2: interface eth0, secondary IP:1.1.1.6, standby group: 2
    • virtual IP:1.1.1.4 for standby group 1
    • virtual IP:1.1.1.7 for standby group 2

    We could then do the following:
    • service1: listen on 1.1.1.2 on DP#1 and 1.1.1.3 on DP#2, DNS-names for service1 resolve to 1.1.1.4
    • service2: listen on 1.1.1.5 on DP#1 and 1.1.1.6 on DP#2, DNS-names for service2 resolve to 1.1.1.7

    As soon as I have access to the DPs, I can test this, but for now I don't.

    Thanks for the replies until now :)
  • Liv2luv (573 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-11-29T18:37:55Z
    As far as I know, you cannot add two standby groups to the same interface. If one interface has both a primary and a secondary IP, add the Auxiliary VIP address in the standby control.

    example:

    Interface eth0 has both 1.1.1.1 (Primary) and 2.3.4.5 (secondary) IP.
    VIP for 1.1.1.1 is 1.1.1.2 and Auxiliary VIP for 2.3.4.5 is 2.3.4.6
  • SystemAdmin (6772 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-12-04T10:06:42Z
    Yesterday, I tried to resolve the problem.

    I did the following:
    • add extra auxiliary IP to the standby group for the public interface
    • changed my service that offers certificate1, to listen only on the normal virtual IP.
    • created a similar service that offers certificate2, to listen only on the auxiliary IP.
    • changed DNS-entry for service with certificate1 to use normal virtual IP
    • changed DNS-entry for service with certificate2 to use auxiliary IP

    This seems to work and the client gets a different certificate for the different DNS-name.

    Only we are limited now since it is impossible to add a third IP to the standby group... So if we want to add an extra service which is using a third, different, certificate, we will have to use another interface (and thus change our physical connections).

    Is there no workaround for this?
  • Liv2luv (573 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-12-04T15:42:00Z
    >Only we are limited now since it is impossible to add a third IP to the standby group...

    Not really, you can have multiple Auxiliary VIP addresses separated by a colon. Just wanted to highlight the risk as well, you're overly dependent on one Primary VIP as the auxiliary VIPs are dependent on primary.

    Thanks.
  • SystemAdmin (6772 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-12-05T09:51:10Z
    Thanks for the information. This solves more or less the problem which we have.

    I tested by adding two extra IP-addresses to the standby group and it seems to work :)
    That those auxiliary addresses depend on the primary is not a big issue since they are in the same subnet.
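Once each certificate has its own front side handler bound to its own VIP (primary or auxiliary), the thing worth confirming from the client side, and re-checking after every DNS or standby change, is that every public DNS name still resolves to the VIP it was assigned and that the certificate offered for that name actually covers it. The following script is an added example for this thread, not code from the thread or from DataPower. It assumes the names, VIPs and certificate subjects shown in EXPECTED, which are constructed to mirror the setup discussed above, and it resolves and connects only when run directly; the checking logic itself (wildcard matching per RFC 6125, SAN/CN extraction, the per-name audit) is plain Python and works offline with injected data.

```python
import socket
import ssl

# Constructed inventory mirroring the thread: which VIP each public DNS name
# must resolve to, and which wildcard name the served certificate must carry.
# Addresses and names are placeholders, not the poster's real values.
EXPECTED = {
    "service1.prod.company.com": {"vip": "1.1.1.4", "cert_name": "*.prod.company.com"},
    "service1.test.company.com": {"vip": "1.1.1.7", "cert_name": "*.test.company.com"},
}


def wildcard_matches(pattern, hostname):
    """RFC 6125-style match: '*' may stand for exactly one whole leftmost label.
    '*.prod.company.com' covers 'service1.prod.company.com' but neither
    'a.b.prod.company.com' nor 'prod.company.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """DNS SANs first, then the subject CN, from a getpeercert()-style dict."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def check_served_cert(hostname, cert, expected_name):
    """Findings (empty list means OK) for one DNS name and the certificate it got."""
    findings = []
    names = cert_names(cert)
    if not any(wildcard_matches(n, hostname) for n in names):
        findings.append(f"{hostname}: served certificate {names} does not cover this name")
    if expected_name not in names:
        findings.append(f"{hostname}: expected certificate for {expected_name}, got {names}")
    return findings


def fetch_cert(hostname, ip, port=443):
    """TLS handshake against the VIP with the FQDN as SNI; returns the peer cert dict.
    The chain is still verified against the system trust store; only the built-in
    host-name check is disabled because this script reports name mismatches itself."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def audit(expected=EXPECTED, resolve=socket.gethostbyname, fetch=fetch_cert):
    """Resolve every name, confirm it points at the intended VIP, then check the
    certificate that address serves for it. resolve/fetch are injectable so the
    logic can be exercised offline with constructed data."""
    findings = []
    for hostname, want in expected.items():
        ip = resolve(hostname)
        if ip != want["vip"]:
            findings.append(f"{hostname}: resolves to {ip}, expected VIP {want['vip']}")
        findings.extend(check_served_cert(hostname, fetch(hostname, ip), want["cert_name"]))
    return findings


if __name__ == "__main__":
    for line in audit() or ["all names resolve to their VIP and receive the expected certificate"]:
        print(line)
```

Because the check connects to the VIP and sends the DNS name as SNI, it detects the failure mode from the thread (a name landing on a handler that offers the other domain's wildcard) as well as a DNS entry that was never moved to the new auxiliary VIP; both show up as separate findings rather than as a single handshake error.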
  • Liv2luv (573 Posts)

    Re: var://service/routing-url-sslprofile does not change SSL Proxy profile

    2012-12-05T16:17:39Z
    Thanks for the update.

    Glad it worked well for you.