Differences

This shows you the differences between two versions of the page.

litespeed_wiki:lslb:basic_config_ssl [2019/02/08 14:36]
qtwrk
litespeed_wiki:lslb:basic_config_ssl [2019/02/08 19:07]
Lisa Clarke [Map Domains to Both Listeners]
Line 1: Line 1:
-====== How To Set Up LiteSpeed ADC To Proxy Traffic ======+====== How To Set Up LiteSpeed ​Web ADC To Proxy Traffic ======
  
 In this guide we will explain how to set up following 3 scenarios: In this guide we will explain how to set up following 3 scenarios:
  
-a) SSL offloading, which means ADC to end-user ​connection ​will be available as both HTTP and HTTPS , but ADC will connect to backend server with HTTP (should only apply if both server ​are in private network to reduce server loadnot recommended if both servers are connected via public network)+  - SSL offloading, ​in which ADC-to-end-user ​connections ​will be available as both HTTP and HTTPS, but the ADC will connect to the backend server with HTTP(This scenario ​should only apply if both servers ​are in private network to reduce server load. It'​s ​not recommended if both servers are connected via public network.) 
 +  - Keep an SSL connection between the ADC and the backend, and make ADC-to-end-user connections available as both HTTP and HTTPS. 
 +  - HTTP to HTTP, and HTTPS to HTTPS only.
  
-b) Keep SSL connection between ADC and backendand ADC to end-user connection will be available as both HTTP and HTTPS.+**NOTE**: For this example, the backend ​server IP is ''​.114'' ​and the ADC server IP is ''​.211''​
  
-c) HTTP to HTTP and HTTPS to HTTPS receptively.+===== Create Clusters ===== 
 +Log into the ADC WebAdmin Console via ''<​nowkiki>​https://​YOUR_SERVER_IP:​7090</​nowiki>'',​ and create 2 layer 7 clusters for HTTP and HTTPS. ​
  
 +**NOTE**: If you want to keep SSL between the ADC and backend server, you can skip the HTTP cluster.
  
 +==== For HTTP ====
  
- +Navigate ​to **Configuration > Cluster**.
- +
- +
-Backend server IP is **.114** +
- +
-ADC server IP is **.211** +
- +
-Login to ADC webadmin console via https://​YOUR_SERVER_IP:​7090  +
- +
-1. Create a 2 layer 7 clusters for HTTP and HTTPS **(you can skip HTTP cluster and vhost in following steps if you want keep SSL between ADC and backend server)** +
- +
-Go to Configuration - Cluster.+
  
 {{:​litespeed_wiki:​lslb:​adc-ssl1.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl1.png|}}
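Review bot: In the new "Create Clusters" paragraph the WebAdmin URL is wrapped in mismatched markup: the opening tag is spelled "nowkiki" while the closing tag is "nowiki", so DokuWiki will not treat the span as nowiki and the stray tags will appear in the rendered page. Correct the opening tag. In list item 1, the parenthetical "should only apply if both servers are in private network to reduce server load" runs the benefit and the restriction together. Split it so that it says offloading reduces backend load, and that it is limited to a private network because the ADC-to-backend hop is plain HTTP. "in private network" and "via public network" also need an article.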
Line 28: Line 22:
 {{:​litespeed_wiki:​lslb:​adc-ssl3.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl3.png|}}
  
-And now go to ''​Worker Group'' ​tab, create a worker with your backend server IP and port+Navigate ​to the **Worker Group** tab, and create a worker with your backend server'​s ​IP and port.
  
-First we will set up **HTTP** proxyso set port to **80** +Set up the ''​HTTP Proxy'' ​**Type** firstand set **Default Target Port** to ''​80''​.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl4.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl4.png|}}
  
 +==== For HTTPS ====
  
-2. Now repeat ​the previous process and create a cluster and worker for HTTPS traffic.+Repeat ​the previous process and create a cluster and worker for HTTPS traffic.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl5.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl5.png|}}
  
-Same setting ​as HTTP worker , but change ​port to 443 and type to HTTPS+use the same settings ​as for the HTTP worker , but change ​**Default Target Port** ​to ''​443'' ​and **Type** ​to ''​HTTPS''​.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl6.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl6.png|}}
  
-3Go to configuration - virtual host, create virtual host for HTTP, choose ​cluster ​HTTP +===== Create Virtual Hosts ===== 
 + 
 +**NOTE**: If you want to keep SSL between the ADC and backend server, you can skip the HTTP vhost. 
 + 
 +==== For HTTP ==== 
 + 
 +Navigate ​to **Configuration > Virtual Host**, create ​virtual host, and choose ​''​HTTP''​ for **Default Cluster**.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl2.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl2.png|}}
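Review bot: The replacement line for the HTTPS worker starts with a lowercase "use" and keeps the stray space before the comma in "HTTP worker ,". It should read "Use the same settings as for the HTTP worker, but change ...". Under "Create Virtual Hosts", "create virtual host" has lost its article and should be "create a virtual host". The rest of the hunk applies the bold-for-field, monospace-for-value convention consistently.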
Line 49: Line 50:
 {{:​litespeed_wiki:​lslb:​adc-ssl7.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl7.png|}}
  
-4. Create another virtual host for HTTPS , choose ​cluster ​HTTPS+==== For HTTPS ==== 
 + 
 +Create another virtual host, and choose ​''​HTTPS''​ for **Default Cluster**.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl8.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl8.png|}}
  
-For HTTPS, ​we will also need to set up SSL for it.+For HTTPS, ​you also need to set up SSL.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl9.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl9.png|}}
  
-5. Create ​2 layer 7 listeners for 80 and 443 port, for HTTPS listener , **Secure** must be set to **Yes**+===== Create Listeners ===== 
 + 
 +Create ​two Layer 7 listeners for ports 80 and 443. For the HTTPS listener, **Secure** must be set to ''​Yes''​
  
 {{:​litespeed_wiki:​lslb:​adc-ssl10.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl10.png|}}
  
-We will also need to set up SSL for listener , otherwise it will fail to start.+You will also need to set up SSL for the listener, otherwise it will fail to start.
  
-Listener ​cert is not important ​, it can be any cert even self-signedvhost SSL will override listener SSL.+Listener ​certificate ​is not important. It can be any certificate, ​even self-signed. The vhost SSL will override listener SSL.
  
 {{:​litespeed_wiki:​lslb:​adc-ssl11.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl11.png|}}
  
- +===== Map Domains ​to Both Listeners ​=====
-===== Map domains ​to both listeners ​=====+
  
 {{:​litespeed_wiki:​lslb:​adc-ssl12.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl12.png|}}
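Review bot: "Listener certificate is not important. It can be any certificate, even self-signed." is worded as a blanket statement, but the reason given ("The vhost SSL will override listener SSL") only covers requests that reach a vhost with SSL configured. Earlier steps set up SSL on the HTTPS vhost only, and the mapping section lets the HTTP vhost be mapped to both listeners, so the sentence should say which certificate end users are served on port 443 in that case, or be qualified to "when the mapped vhost has SSL configured". Smaller points: the sentence ending in ''Yes'' has no closing period, and "two Layer 7 listeners" is inconsistent with "2 layer 7 clusters" in the clusters section.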
Line 74: Line 78:
 {{:​litespeed_wiki:​lslb:​adc-ssl13.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl13.png|}}
  
-a) If you want all traffic between ADC and backend on HTTPS, then map HTTPS vhost to both listener.+  - If you want all traffic between ​the ADC and the backend ​to be on HTTPS, then map the **HTTPS** vhost to **both** listeners. 
 +  - If you want all traffic between the ADC and the backend to be on HTTP, then map the **HTTP** vhost to **both** listeners. 
 +  - If you want traffic separately proxied, then map the **HTTP** vhost to the **HTTP** listener, and map the **HTTPS** vhost to the **HTTPS** ​listener.
  
-b) if you want all traffic between ADC and backend on HTTP, then map HTTP vhost to both listener.+===== Additional Note =====
  
-c) If you want traffic separately proxied, map HTTP vhost to HTTP listener ​and map HTTPS vhost to HTTPS listener, respectively.+A listener on port 80 is a must-have, even if you want to use HTTPS all the way. This is because a user's first connection to your domain could be HTTPand in that case an HTTPS redirect would need to be sent.
  
- +If you want to force HTTPS on the end-user, you can also add 301 HTTPS redirect rewrite rule on the ADC vhost'​s rewrite rule tab.
-===== Additional note ===== +
- +
-Listener on port 80 is must have even you want to use HTTPS all the way , because user's first connection to your domain could be HTTP, so will need to send out HTTPS redirect. +
- +
-If you want to force HTTPS on end-user , you can also add 301 HTTPS redirect rewrite rule on ADC vhost'​s rewrite rule tab.+
  
 {{:​litespeed_wiki:​lslb:​adc-ssl14.png|}} {{:​litespeed_wiki:​lslb:​adc-ssl14.png|}}
  
- +If you want to force HTTPS on the end-user, but allow HTTP between ​the ADC and the backend, you may need to disable ​the HTTPS redirect on your backend and let the ADC send out the redirection. Otherwise ​it might cause an infinite loopas the backend will always see traffic ​coming ​on HTTP.
-If you want to force HTTPS on end-user, ​ but HTTP between ADC and backend, you may need to disable HTTPS redirect on your backend and let ADC send out the redirection, otherwise ​it might cause infinite loop as backend will always see traffic ​comes on HTTP+
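Review bot: The mapping list is now numbered 1 to 3, but its order does not match the numbered scenario list at the top of the page. Scenario 1 there is SSL offloading (HTTP to the backend), while item 1 here maps the HTTPS vhost to both listeners. Swap items 1 and 2 here, or name the scenario in each item, so a reader following "scenario 1" does not end up with the opposite backend protocol. In "Additional Note", "you can also add 301 HTTPS redirect rewrite rule" is missing "a". The redirect rule itself appears only in the adc-ssl14.png screenshot, so consider giving it as text as well.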
  
  
  • Last modified: 2019/02/08 19:07
  • by Lisa Clarke