Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
litespeed_wiki:lslb:basic_config_ssl [2019/02/08 14:14] qtwrk |
litespeed_wiki:lslb:basic_config_ssl [2019/02/08 19:07] Lisa Clarke [How To Set Up LiteSpeed Web ADC To Proxy Traffic] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== How To Set Up LiteSpeed ADC To Proxy Traffic ====== | + | ====== How To Set Up LiteSpeed Web ADC To Proxy Traffic ====== |
| - | In this guide we will set up 3 scenarios | + | In this guide we will explain how to set up following 3 scenarios: |
| - | 1) SSL offloading, which means ADC to end-user connection will be available as both HTTP and HTTPS , but ADC will connect to backend server with HTTP (should only apply if both server are in private network to reduce server load, not recommended if both servers are connected via public network) | + | - SSL offloading, in which ADC-to-end-user connections will be available as both HTTP and HTTPS, but the ADC will connect to the backend server with HTTP. (This scenario should only apply if both servers are in a private network to reduce server load. It's not recommended if both servers are connected via public network.) |
| + | - Keep an SSL connection between the ADC and the backend, and make ADC-to-end-user connections available as both HTTP and HTTPS. | ||
| + | - HTTP to HTTP, and HTTPS to HTTPS only. | ||
| - | 2) Keep SSL connection between ADC and backend, and ADC to end-user connection will be available as both HTTP and HTTPS. | + | **NOTE**: For this example, the backend server IP is ''.114'' and the ADC server IP is ''.211'' |
| - | 3) HTTP to HTTP and HTTPS to HTTPS receptively. | + | ===== Create Clusters ===== |
| + | Log into the ADC WebAdmin Console via ''<nowkiki>https://YOUR_SERVER_IP:7090</nowiki>'', and create 2 layer 7 clusters for HTTP and HTTPS. | ||
| + | **NOTE**: If you want to keep SSL between the ADC and backend server, you can skip the HTTP cluster. | ||
| + | ==== For HTTP ==== | ||
| - | + | Navigate to **Configuration > Cluster**. | |
| - | + | ||
| - | + | ||
| - | backend server IP is **.114** | + | |
| - | + | ||
| - | ADC server IP is **.211** | + | |
| - | + | ||
| - | Login to ADC webadmin console via https://YOUR_SERVER_IP:7090 | + | |
| - | + | ||
| - | Create a layer 7 cluster, go to configuration - cluster. | + | |
| {{:litespeed_wiki:lslb:adc-ssl1.png|}} | {{:litespeed_wiki:lslb:adc-ssl1.png|}} | ||
| Line 26: | Line 22: | ||
| {{:litespeed_wiki:lslb:adc-ssl3.png|}} | {{:litespeed_wiki:lslb:adc-ssl3.png|}} | ||
| - | And now go to ''Worker Group'' tab, create a worker with your backend server IP and port | + | Navigate to the **Worker Group** tab, and create a worker with your backend server's IP and port. |
| - | First we will set up **HTTP** proxy, so set port to **80** (you can skip this step if you want traffic go through HTTPS and only set up HTTPS cluster) | + | Set up the ''HTTP Proxy'' **Type** first, and set **Default Target Port** to ''80''. |
| {{:litespeed_wiki:lslb:adc-ssl4.png|}} | {{:litespeed_wiki:lslb:adc-ssl4.png|}} | ||
| + | ==== For HTTPS ==== | ||
| - | Now repeat the previous process and create a cluster and worker for HTTPS traffic. | + | Repeat the previous process and create a cluster and worker for HTTPS traffic. |
| {{:litespeed_wiki:lslb:adc-ssl5.png|}} | {{:litespeed_wiki:lslb:adc-ssl5.png|}} | ||
| - | Same setting as HTTP worker , except port to 443 and type to HTTPS | + | use the same settings as for the HTTP worker , but change **Default Target Port** to ''443'' and **Type** to ''HTTPS''. |
| {{:litespeed_wiki:lslb:adc-ssl6.png|}} | {{:litespeed_wiki:lslb:adc-ssl6.png|}} | ||
| - | Create virtual host for HTTP, choose cluster HTTP (you can skip this step if you want traffic go through HTTPS and only set up HTTPS cluster) | + | ===== Create Virtual Hosts ===== |
| + | |||
| + | **NOTE**: If you want to keep SSL between the ADC and backend server, you can skip the HTTP vhost. | ||
| + | |||
| + | ==== For HTTP ==== | ||
| + | |||
| + | Navigate to **Configuration > Virtual Host**, create a virtual host, and choose ''HTTP'' for **Default Cluster**. | ||
| + | |||
| + | {{:litespeed_wiki:lslb:adc-ssl2.png|}} | ||
| {{:litespeed_wiki:lslb:adc-ssl7.png|}} | {{:litespeed_wiki:lslb:adc-ssl7.png|}} | ||
| - | Create another virtual host for HTTPS , choose cluster HTTPS | + | ==== For HTTPS ==== |
| + | |||
| + | Create another virtual host, and choose ''HTTPS'' for **Default Cluster**. | ||
| {{:litespeed_wiki:lslb:adc-ssl8.png|}} | {{:litespeed_wiki:lslb:adc-ssl8.png|}} | ||
| - | For HTTPS, we will also need to set up SSL for it. | + | For HTTPS, you also need to set up SSL. |
| {{:litespeed_wiki:lslb:adc-ssl9.png|}} | {{:litespeed_wiki:lslb:adc-ssl9.png|}} | ||
| - | Create 2 layer 7 listeners for 80 and 443 port, for HTTPS listener , **Secure** must be set to **Yes** | + | ===== Create Listeners ===== |
| + | |||
| + | Create two Layer 7 listeners for ports 80 and 443. For the HTTPS listener, **Secure** must be set to ''Yes'' | ||
| {{:litespeed_wiki:lslb:adc-ssl10.png|}} | {{:litespeed_wiki:lslb:adc-ssl10.png|}} | ||
| - | We will also need to set up SSL for listener , otherwise it will fail to start. | + | You will also need to set up SSL for the listener, otherwise it will fail to start. |
| - | Listener cert is not important , it can be any cert even self-signed, vhost SSL will override listener SSL. | + | Listener certificate is not important. It can be any certificate, even self-signed. The vhost SSL will override listener SSL. |
| {{:litespeed_wiki:lslb:adc-ssl11.png|}} | {{:litespeed_wiki:lslb:adc-ssl11.png|}} | ||
| + | ===== Map Domains to Both Listeners ===== | ||
| + | |||
| + | {{:litespeed_wiki:lslb:adc-ssl12.png|}} | ||
| - | Map domains to both listeners. | + | {{:litespeed_wiki:lslb:adc-ssl13.png|}} |
| - | If you want all traffic between ADC and backend on HTTPS, then map HTTPS vhost to both listener. | + | # If you want all traffic between the ADC and the backend to be on HTTPS, then map the **HTTPS** vhost to **both** listeners. |
| + | # If you want all traffic between the ADC and the backend to be on HTTP, then map the **HTTP** vhost to **both** listeners. | ||
| + | # If you want traffic separately proxied, then map the **HTTP** vhost to the **HTTP** listener, and map the **HTTPS** vhost to the **HTTPS** listener. | ||
| - | if you want all traffic between ADC and backend on HTTP, then map HTTP vhost to both listener. | + | ===== Additional Note ===== |
| - | If you want traffic separately proxied, map HTTP vhost to HTTP listener and map HTTPS vhost to HTTPS listener, respectively. | + | A listener on port 80 is a must-have, even if you want to use HTTPS all the way. This is because a user's first connection to your domain could be HTTP, and in that case an HTTPS redirect would need to be sent. |
| + | If you want to force HTTPS on the end-user, you can also add a 301 HTTPS redirect rewrite rule on the ADC vhost's rewrite rule tab. | ||
| - | If you want to force HTTPS on end-user , you can also add 301 HTTPS redirect rewrite rule on ADC vhost's rewrite rule tab. | + | {{:litespeed_wiki:lslb:adc-ssl14.png|}} |
| - | If you want to force HTTPS on end-user, but HTTP between ADC and backend, you may need to disable HTTPS redirect on your backend and let ADC send out the redirection, otherwise it might cause infinite loop as backend will always see traffic comes on HTTP | + | If you want to force HTTPS on the end-user, but allow HTTP between the ADC and the backend, you may need to disable the HTTPS redirect on your backend and let the ADC send out the redirection. Otherwise it might cause an infinite loop, as the backend will always see traffic coming on HTTP. |