Differences

This shows you the differences between two versions of the page.

litespeed_wiki:lslb:basic_config_ssl [2019/02/08 14:36]
qtwrk
litespeed_wiki:lslb:basic_config_ssl [2019/02/08 19:07]
Lisa Clarke [How To Set Up LiteSpeed Web ADC To Proxy Traffic]
Line 1: Line 1:
-====== How To Set Up LiteSpeed ADC To Proxy Traffic ======+====== How To Set Up LiteSpeed ​Web ADC To Proxy Traffic ======
  
 In this guide we will explain how to set up following 3 scenarios: In this guide we will explain how to set up following 3 scenarios:
  
-a) SSL offloading, which means ADC to end-user ​connection ​will be available as both HTTP and HTTPS , but ADC will connect to backend server with HTTP (should only apply if both server ​are in private network to reduce server loadnot recommended if both servers are connected via public network)+  - SSL offloading, ​in which ADC-to-end-user ​connections ​will be available as both HTTP and HTTPS, but the ADC will connect to the backend server with HTTP(This scenario ​should only apply if both servers ​are in private network to reduce server load. It'​s ​not recommended if both servers are connected via public network.) 
 +  - Keep an SSL connection between the ADC and the backend, and make ADC-to-end-user connections available as both HTTP and HTTPS. 
 +  - HTTP to HTTP, and HTTPS to HTTPS only.
  
-b) Keep SSL connection between ADC and backendand ADC to end-user connection will be available as both HTTP and HTTPS.+**NOTE**: For this example, the backend ​server IP is ''​.114'' ​and the ADC server IP is ''​.211''​
  
-c) HTTP to HTTP and HTTPS to HTTPS receptively.+===== Create Clusters ===== 
 +Log into the ADC WebAdmin Console via ''<​nowkiki>​https://​YOUR_SERVER_IP:​7090</​nowiki>'',​ and create 2 layer 7 clusters for HTTP and HTTPS. ​
  
 +**NOTE**: If you want to keep SSL between the ADC and backend server, you can skip the HTTP cluster.
  
 +==== For HTTP ====
  
- +Navigate ​to **Configuration > Cluster**.
- +
- +
-Backend server IP is **.114** +
- +
-ADC server IP is **.211** +
- +
-Login to ADC webadmin console via https://​YOUR_SERVER_IP:​7090  +
- +
-1. Create a 2 layer 7 clusters for HTTP and HTTPS **(you can skip HTTP cluster and vhost in following steps if you want keep SSL between ADC and backend server)** +
- +
-Go to Configuration - Cluster.+
  
 {{:​litespeed_wiki:​lslb:​adc-ssl1.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl1.png|}}
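
Review bot: The opening tag in the new WebAdmin login sentence under "Create Clusters" is misspelled: it opens with <nowkiki> but closes with </nowiki>, so the pair does not match and the tag text will be rendered literally around the URL. Change the opening tag to <nowiki>. While touching that sentence, "create 2 layer 7 clusters" could follow the "two Layer 7 listeners" wording this revision uses further down, so the page is consistent.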
Line 28: Line 22:
 {{:​litespeed_wiki:​lslb:​adc-ssl3.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl3.png|}}
  
-And now go to ''​Worker Group'' ​tab, create a worker with your backend server IP and port+Navigate ​to the **Worker Group** tab, and create a worker with your backend server'​s ​IP and port.
  
-First we will set up **HTTP** proxyso set port to **80** +Set up the ''​HTTP Proxy'' ​**Type** firstand set **Default Target Port** to ''​80''​.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl4.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl4.png|}}
  
 +==== For HTTPS ====
  
-2. Now repeat ​the previous process and create a cluster and worker for HTTPS traffic.+Repeat ​the previous process and create a cluster and worker for HTTPS traffic.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl5.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl5.png|}}
  
-Same setting ​as HTTP worker , but change ​port to 443 and type to HTTPS+use the same settings ​as for the HTTP worker , but change ​**Default Target Port** ​to ''​443'' ​and **Type** ​to ''​HTTPS''​.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl6.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl6.png|}}
  
-3Go to configuration - virtual host, create virtual host for HTTP, choose ​cluster ​HTTP +===== Create Virtual Hosts ===== 
 + 
 +**NOTE**: If you want to keep SSL between the ADC and backend server, you can skip the HTTP vhost. 
 + 
 +==== For HTTP ==== 
 + 
 +Navigate ​to **Configuration > Virtual Host**, create ​virtual host, and choose ​''​HTTP''​ for **Default Cluster**.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl2.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl2.png|}}
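
Review bot: In the "For HTTPS" worker paragraph the rewritten sentence starts with a lowercase "use" and keeps the stray space before the comma ("HTTP worker , but change"). Suggest "Use the same settings as for the HTTP worker, but change **Default Target Port** to ''443'' and **Type** to ''HTTPS''." The HTTP step above it marks up the setting name and value the other way round (''HTTP Proxy'' **Type**), so it is worth settling on one order for both.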
Line 49: Line 50:
 {{:​litespeed_wiki:​lslb:​adc-ssl7.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl7.png|}}
  
-4. Create another virtual host for HTTPS , choose ​cluster ​HTTPS+==== For HTTPS ==== 
 + 
 +Create another virtual host, and choose ​''​HTTPS''​ for **Default Cluster**.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl8.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl8.png|}}
  
-For HTTPS, ​we will also need to set up SSL for it.+For HTTPS, ​you also need to set up SSL.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl9.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl9.png|}}
  
-5. Create ​2 layer 7 listeners for 80 and 443 port, for HTTPS listener , **Secure** must be set to **Yes**+===== Create Listeners ===== 
 + 
 +Create ​two Layer 7 listeners for ports 80 and 443. For the HTTPS listener, **Secure** must be set to ''​Yes''​
  
 {{:​litespeed_wiki:​lslb:​adc-ssl10.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl10.png|}}
  
-We will also need to set up SSL for listener , otherwise it will fail to start.+You will also need to set up SSL for the listener, otherwise it will fail to start.
  
-Listener ​cert is not important ​, it can be any cert even self-signedvhost SSL will override listener SSL.+Listener ​certificate ​is not important. It can be any certificate, ​even self-signed. The vhost SSL will override listener SSL.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl11.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl11.png|}}
  
- +===== Map Domains ​to Both Listeners ​=====
-===== Map domains ​to both listeners ​=====+
  
 {{:​litespeed_wiki:​lslb:​adc-ssl12.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl12.png|}}
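
Review bot: "Listener certificate is not important" in the "Create Listeners" section is stated more broadly than the next sentence supports. It holds only because "the vhost SSL will override listener SSL", and on this page SSL is set up only under the HTTPS virtual host. Please state that condition, and say which certificate a client receives on port 443 when the mapped vhost has no SSL of its own (the page later allows mapping the HTTP vhost to both listeners), so that readers know when a throwaway self-signed listener certificate is acceptable and when it is not.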
Line 74: Line 78:
 {{:​litespeed_wiki:​lslb:​adc-ssl13.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl13.png|}}
  
-a) If you want all traffic between ADC and backend on HTTPS, then map HTTPS vhost to both listener.+  # If you want all traffic between ​the ADC and the backend ​to be on HTTPS, then map the **HTTPS** vhost to **both** listeners. 
 +  # If you want all traffic between the ADC and the backend to be on HTTP, then map the **HTTP** vhost to **both** listeners. 
 +  # If you want traffic separately proxied, then map the **HTTP** vhost to the **HTTP** listener, and map the **HTTPS** vhost to the **HTTPS** ​listener.
  
-b) if you want all traffic between ADC and backend on HTTP, then map HTTP vhost to both listener.+===== Additional Note =====
  
-c) If you want traffic separately proxied, map HTTP vhost to HTTP listener ​and map HTTPS vhost to HTTPS listener, respectively.+A listener on port 80 is a must-have, even if you want to use HTTPS all the way. This is because a user's first connection to your domain could be HTTPand in that case an HTTPS redirect would need to be sent.
  
- +If you want to force HTTPS on the end-user, you can also add 301 HTTPS redirect rewrite rule on the ADC vhost'​s rewrite rule tab.
-===== Additional note ===== +
- +
-Listener on port 80 is must have even you want to use HTTPS all the way , because user's first connection to your domain could be HTTP, so will need to send out HTTPS redirect. +
- +
-If you want to force HTTPS on end-user , you can also add 301 HTTPS redirect rewrite rule on ADC vhost'​s rewrite rule tab.+
  
 {{:​litespeed_wiki:​lslb:​adc-ssl14.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl14.png|}}
  
- +If you want to force HTTPS on the end-user, but allow HTTP between ​the ADC and the backend, you may need to disable ​the HTTPS redirect on your backend and let the ADC send out the redirection. Otherwise ​it might cause an infinite loopas the backend will always see traffic ​coming ​on HTTP.
-If you want to force HTTPS on end-user, ​ but HTTP between ADC and backend, you may need to disable HTTPS redirect on your backend and let ADC send out the redirection, otherwise ​it might cause infinite loop as backend will always see traffic ​comes on HTTP+
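
Review bot: The three mapping options under "Map Domains to Both Listeners" now start with "  # ", which is not a DokuWiki list marker; two leading spaces followed by anything other than "-" or "*" render as a preformatted block, so the **HTTPS** and **both** emphasis will show as literal asterisks. Use "  - " as the scenario list at the top of this revision does. The old text labelled these a), b), c) to match the scenarios in the introduction; with numbered lists in both places, check that the order of the three options still lines up with the order of the three scenarios, since the first option here (HTTPS to the backend) corresponds to the second scenario above.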
  
  
  • Last modified: 2019/02/08 19:07
  • by Lisa Clarke