How To Set Up LiteSpeed Web ADC To Proxy Traffic

In this guide we will explain how to set up the following three scenarios:

  1. SSL offloading, in which ADC-to-end-user connections will be available as both HTTP and HTTPS, but the ADC will connect to the backend server with HTTP. (Use this scenario, which reduces server load, only if both servers are in a private network. It's not recommended if the servers are connected via a public network.)
  2. Keep an SSL connection between the ADC and the backend, and make ADC-to-end-user connections available as both HTTP and HTTPS.
  3. HTTP to HTTP, and HTTPS to HTTPS only.

NOTE: For this example, the backend server IP is .114 and the ADC server IP is .211

Log into the ADC WebAdmin Console via https://YOUR_SERVER_IP:7090, and create two Layer 7 clusters for HTTP and HTTPS.

NOTE: If you want to keep SSL between the ADC and backend server, you can skip the HTTP cluster.

For HTTP

Navigate to Configuration > Cluster.

Navigate to the Worker Group tab, and create a worker with your backend server's IP and port.

Set up the HTTP Proxy Type first, and set Default Target Port to 80.

For HTTPS

Repeat the previous process and create a cluster and worker for HTTPS traffic.

Use the same settings as for the HTTP worker, but change Default Target Port to 443 and Type to HTTPS.

NOTE: If you want to keep SSL between the ADC and backend server, you can skip the HTTP vhost.

For HTTP

Navigate to Configuration > Virtual Host, create a virtual host, and choose HTTP for Default Cluster.

For HTTPS

Create another virtual host, and choose HTTPS for Default Cluster.

For HTTPS, you also need to set up SSL.

Create two Layer 7 listeners for ports 80 and 443. For the HTTPS listener, Secure must be set to Yes.

You will also need to set up SSL for the listener, otherwise it will fail to start.

The listener certificate is not important. It can be any certificate, even a self-signed one. The vhost SSL will override the listener SSL.

  1. If you want all traffic between the ADC and the backend to be on HTTPS, then map the HTTPS vhost to both listeners.
  2. If you want all traffic between the ADC and the backend to be on HTTP, then map the HTTP vhost to both listeners.
  3. If you want traffic separately proxied, then map the HTTP vhost to the HTTP listener, and map the HTTPS vhost to the HTTPS listener.

A listener on port 80 is a must-have, even if you want to use HTTPS all the way. This is because a user's first connection to your domain could be HTTP, and in that case an HTTPS redirect would need to be sent.

If you want to force HTTPS on the end-user, you can also add a 301 HTTPS redirect rewrite rule on the ADC vhost's rewrite rule tab.

If you want to force HTTPS on the end-user, but allow HTTP between the ADC and the backend, you may need to disable the HTTPS redirect on your backend and let the ADC send out the redirection. Otherwise it might cause an infinite loop, as the backend will always see traffic coming on HTTP.
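The redirect behaviour of the three listener mappings, as an added model that is not LiteSpeed code (every name in it is hypothetical). It follows redirects the way a browser would and shows where the loop described above comes from, and that with the HTTPS vhost mapped to both listeners the backend never sees HTTP, so only an ADC rewrite rule moves the end user to HTTPS.

```python
# Added illustrative model; all names are hypothetical, not LiteSpeed APIs.
MAX_HOPS = 10

# Listener scheme -> scheme used on the ADC-to-backend connection.
OFFLOAD = {"http": "http", "https": "http"}        # HTTP vhost on both listeners
END_TO_END = {"http": "https", "https": "https"}   # HTTPS vhost on both listeners
SEPARATE = {"http": "http", "https": "https"}      # each vhost on its own listener


def backend(scheme_seen, backend_redirect):
    """The backend only knows the scheme of the ADC-to-backend connection."""
    if backend_redirect and scheme_seen == "http":
        return 301, "https"
    return 200, None


def adc(client_scheme, mapping, adc_redirect, backend_redirect):
    """Handle one client request arriving at the ADC listener for client_scheme."""
    if adc_redirect and client_scheme == "http":
        return 301, "https"  # 301 rewrite rule on the ADC vhost
    # Otherwise proxy to the backend and relay its answer unchanged.
    return backend(mapping[client_scheme], backend_redirect)


def follow(start_scheme, mapping, adc_redirect, backend_redirect):
    """Follow redirects like a browser; return (outcome, scheme the user ends on)."""
    scheme = start_scheme
    for _ in range(MAX_HOPS):
        status, target = adc(scheme, mapping, adc_redirect, backend_redirect)
        if status == 200:
            return "ok", scheme
        if target == scheme:  # redirected to the URL just requested
            return "loop", scheme
        scheme = target
    return "loop", scheme


if __name__ == "__main__":
    cases = [
        ("offload, backend redirects", OFFLOAD, False, True),
        ("offload, ADC redirects", OFFLOAD, True, False),
        ("end-to-end HTTPS, backend redirects", END_TO_END, False, True),
        ("end-to-end HTTPS, ADC redirects", END_TO_END, True, True),
        ("separate, backend redirects", SEPARATE, False, True),
    ]
    for name, mapping, adc_r, be_r in cases:
        print(f"{name:38s} -> {follow('http', mapping, adc_r, be_r)}")
```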

  • Last modified: 2019/02/08 19:07
  • by Lisa Clarke