====== How To Set Up LiteSpeed Web ADC To Proxy Traffic ======

In this guide we will explain how to set up the following 3 scenarios:

  - SSL offloading, in which ADC-to-end-user connections will be available as both HTTP and HTTPS, but the ADC will connect to the backend server with HTTP. (Use this scenario, which reduces server load, only if both servers are in a private network, because traffic between the ADC and the backend is unencrypted. It is not recommended if the servers are connected via a public network.)
  - Keep an SSL connection between the ADC and the backend, and make ADC-to-end-user connections available as both HTTP and HTTPS.
  - HTTP to HTTP, and HTTPS to HTTPS only.

**NOTE**: For this example, the backend server IP is ''.114'' and the ADC server IP is ''.211''.

===== Create Clusters =====

Log into the ADC WebAdmin Console via ''https://YOUR_SERVER_IP:7090'', and create 2 layer 7 clusters for HTTP and HTTPS.

**NOTE**: If you want to keep SSL between the ADC and backend server, you can skip the HTTP cluster.

==== For HTTP ====

Navigate to **Configuration > Cluster**.

{{:litespeed_wiki:lslb:adc-ssl1.png|}}

{{:litespeed_wiki:lslb:adc-ssl3.png|}}

Navigate to the **Worker Group** tab, and create a worker with your backend server's IP and port. Set up the ''HTTP Proxy'' **Type** first, and set **Default Target Port** to ''80''.

{{:litespeed_wiki:lslb:adc-ssl4.png|}}

==== For HTTPS ====

Repeat the previous process and create a cluster and worker for HTTPS traffic.

{{:litespeed_wiki:lslb:adc-ssl5.png|}}

Use the same settings as for the HTTP worker, but change **Default Target Port** to ''443'' and **Type** to ''HTTPS''.

{{:litespeed_wiki:lslb:adc-ssl6.png|}}

===== Create Virtual Hosts =====

**NOTE**: If you want to keep SSL between the ADC and backend server, you can skip the HTTP vhost.

==== For HTTP ====

Navigate to **Configuration > Virtual Host**, create a virtual host, and choose ''HTTP'' for **Default Cluster**.
{{:litespeed_wiki:lslb:adc-ssl2.png|}}

{{:litespeed_wiki:lslb:adc-ssl7.png|}}

==== For HTTPS ====

Create another virtual host, and choose ''HTTPS'' for **Default Cluster**.

{{:litespeed_wiki:lslb:adc-ssl8.png|}}

For HTTPS, you also need to set up SSL.

{{:litespeed_wiki:lslb:adc-ssl9.png|}}

===== Create Listeners =====

Create two Layer 7 listeners for ports 80 and 443. For the HTTPS listener, **Secure** must be set to ''Yes''.

{{:litespeed_wiki:lslb:adc-ssl10.png|}}

You will also need to set up SSL for the listener, otherwise it will fail to start. The listener certificate is not important. It can be any certificate, even self-signed. The vhost SSL will override the listener SSL.

{{:litespeed_wiki:lslb:adc-ssl11.png|}}

===== Map Domains to Both Listeners =====

{{:litespeed_wiki:lslb:adc-ssl12.png|}}

{{:litespeed_wiki:lslb:adc-ssl13.png|}}

  - If you want all traffic between the ADC and the backend to be on HTTPS, then map the **HTTPS** vhost to **both** listeners.
  - If you want all traffic between the ADC and the backend to be on HTTP, then map the **HTTP** vhost to **both** listeners.
  - If you want traffic separately proxied, then map the **HTTP** vhost to the **HTTP** listener, and map the **HTTPS** vhost to the **HTTPS** listener.

===== Additional Note =====

A listener on port 80 is a must-have, even if you want to use HTTPS all the way. This is because a user's first connection to your domain could be HTTP, and in that case an HTTPS redirect would need to be sent.

If you want to force HTTPS on the end-user, you can also add a 301 HTTPS redirect rewrite rule on the ADC vhost's rewrite rule tab.

{{:litespeed_wiki:lslb:adc-ssl14.png|}}

If you want to force HTTPS on the end-user, but allow HTTP between the ADC and the backend, you may need to disable the HTTPS redirect on your backend and let the ADC send out the redirection. Otherwise it might cause an infinite loop, as the backend will always see traffic coming on HTTP.
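
The redirect loop described above can be checked from a client once the ADC is configured. The following is an added example, not part of the original guide or LiteSpeed's own code: ''trace'' follows redirects one hop at a time and reports a loop, ''offloading_adc'' is a constructed stand-in for the ADC plus backend so the check runs offline, and ''example.com'' is a placeholder domain.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def fetch(url, timeout=5):
    """One GET without following redirects -> (status, Location or None)."""
    u = urlsplit(url)
    https = u.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, fetch=fetch, max_hops=10):
    """Follow redirects by hand; return (verdict, list of URLs visited)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            # Final answer: flag it if the end user was never moved to HTTPS.
            return ("ok" if url.startswith("https://") else "served-over-http"), chain
        url = urljoin(url, location)
        if url in chain:  # same URL again: ADC and backend are bouncing the client
            return "loop", chain + [url]
        chain.append(url)
    return "too-many-hops", chain

def offloading_adc(backend_forces_https):
    """Constructed model (assumption): ADC forces HTTPS, proxies to backend over HTTP."""
    def fake_fetch(url):
        u = urlsplit(url)
        https_url = "https://" + u.netloc + (u.path or "/")
        if u.scheme == "http":
            return 301, https_url  # redirect sent by the ADC rewrite rule
        if backend_forces_https:
            return 301, https_url  # backend only ever sees HTTP, so it redirects again
        return 200, None
    return fake_fetch

if __name__ == "__main__":
    for forced in (True, False):
        print(forced, trace("http://example.com/", offloading_adc(forced)))
```

To check a live setup, call ''trace'' with only the ''http://'' URL of a mapped domain so that the real ''fetch'' is used.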