
CLI: Example for Configuring Association between Load Balancing and SSL Uninstallation

This example describes how to configure SSL uninstallation-based HTTP server load balancing.

Networking Requirement

The intranet server provides the HTTPS service externally. The growing service volume, together with the computing resources that SSL encryption consumes on the server, leaves the original server with insufficient processing capability. After SSL uninstallation is enabled on the FW, the FW acts as an SSL proxy server that encrypts and decrypts the SSL data. The intranet server reads the restored HTTP traffic directly, so the service migrates smoothly and the processing load on the intranet server is greatly reduced.

As shown in Figure 1, an enterprise has two web server groups: Servers1 and Servers2. Server group Servers1 contains two servers, Server1 and Server2; the performance of Server1 is twice that of Server2. Server group Servers2 contains two servers, Server3 and Server4, which have the same performance. Both server groups provide the HTTP service externally, and Servers1 additionally serves a specific URL. The health check function is configured to monitor the status of the servers.

Figure 1 Networking for configuring SSL uninstallation-based HTTP server load balancing

Configuration Roadmap

  1. Configure interface IP addresses, security zones, and security policies.
  2. The four servers differ in function and performance, so the HTTP scheduling policies must be configured based on function. Select the URL field to configure an HTTP scheduling policy so that the FW allocates the traffic matching that policy to server group Servers1. For load balancing within server groups Servers1 and Servers2, the Weighted Least Connections algorithm can be used.
  3. Configure the health check function on the FW to check server connectivity. In this example, the health check protocol type is set to ICMP; HTTP can also be used. To allow the FW to send health check packets, configure a Local -> DMZ security policy (the servers reside in the DMZ).
  4. Configure the sticky session function on the FW because a client may need to establish multiple connections to a server for one task; with sticky sessions, the connection requests from that client are allocated to the same server. As the servers provide HTTP services, the sticky session method can be set to HTTP cookie-insert.
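The roadmap above combines four decisions that the FW makes for every decrypted request: which server group the URL selects (httpclass), which real server in that group the Weighted Least Connections metric picks, whether a sticky-session cookie already pins the client to a server, and whether the health check has taken a server out of rotation. The following Python model is an added example written for this page; it is not Huawei code and does not reproduce the FW's implementation. It assumes a cookie name (SLB_SERVER), that the cookie value is the real server IP, that ties in the metric are broken by server name, and that persistence entries are keyed per server and refreshed on each hit; none of these details are documented on the page. The groups, weights, max-connection values, URL and aging time are taken from the configuration in this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RealServer:
    name: str
    rip: str
    weight: int
    max_connection: int
    healthy: bool = True      # result of the last ICMP health check (assumed up)
    cur_connection: int = 0   # connections the FW currently counts on this server


class ServerGroup:
    """A real server group using the weight-least-connection metric."""

    def __init__(self, name: str, servers: List[RealServer]):
        self.name = name
        self.servers = servers

    def select(self) -> Optional[RealServer]:
        # Skip servers that failed the health check or reached max-connection,
        # then take the lowest connections-per-weight ratio (ties: lower name).
        usable = [s for s in self.servers
                  if s.healthy and s.cur_connection < s.max_connection]
        if not usable:
            return None
        return min(usable, key=lambda s: (s.cur_connection / s.weight, s.name))


class VirtualServer:
    """Dispatch for vs-http-1.1.2.10 once the ssl-profile has decrypted the request."""

    COOKIE_NAME = "SLB_SERVER"   # assumed cookie name; the page does not show it

    def __init__(self, groups: List[ServerGroup], httpclass: Dict[str, str],
                 default_group: str, aging_time: int):
        self.groups = {g.name: g for g in groups}
        self.httpclass = httpclass            # exact-match URL -> group name
        self.default_group = default_group
        self.aging_time = aging_time
        self.by_rip = {s.rip: s for g in groups for s in g.servers}
        self.persist: Dict[str, float] = {}   # cookie value (rip) -> expiry time

    def dispatch(self, url: str, cookie: Optional[str], now: float
                 ) -> Tuple[RealServer, Optional[str]]:
        """Return (server, cookie_to_insert); cookie_to_insert is None when an
        existing, unexpired sticky-session cookie pinned the request."""
        # 1. Sticky session (cookie-insert): reuse the server named in the cookie
        #    if the persistence entry has not aged out and the server is usable.
        if cookie in self.persist and self.persist[cookie] > now:
            server = self.by_rip[cookie]
            if server.healthy and server.cur_connection < server.max_connection:
                self.persist[cookie] = now + self.aging_time
                server.cur_connection += 1
                return server, None
        # 2. HTTP scheduling policy: an exact URL match goes to Servers1,
        #    everything else to the vserver's default group (Servers2).
        group = self.groups[self.httpclass.get(url, self.default_group)]
        server = group.select()
        if server is None:
            raise RuntimeError(f"no usable server in group {group.name}")
        server.cur_connection += 1
        # 3. Insert a cookie so the client's next connections reach the same server.
        self.persist[server.rip] = now + self.aging_time
        return server, f"{self.COOKIE_NAME}={server.rip}"


def build_fw() -> VirtualServer:
    """Instantiate the groups, httpclass and vserver as configured on this page."""
    servers1 = ServerGroup("Servers1", [
        RealServer("server1", "192.168.1.1", weight=2, max_connection=40000),
        RealServer("server2", "192.168.1.2", weight=1, max_connection=20000),
    ])
    servers2 = ServerGroup("Servers2", [
        RealServer("server3", "192.168.1.3", weight=1, max_connection=20000),
        RealServer("server4", "192.168.1.4", weight=1, max_connection=20000),
    ])
    return VirtualServer([servers1, servers2],
                         httpclass={"example.com/abc.jng": "Servers1"},
                         default_group="Servers2", aging_time=600)


def demo() -> List[str]:
    """Six constructed requests; returns the real server chosen for each."""
    fw = build_fw()
    chosen = []
    # Three new clients for the URL matched by http-url: split 2:1 by weight.
    for _ in range(3):
        server, _ = fw.dispatch("example.com/abc.jng", None, now=0)
        chosen.append(server.name)
    # A new client for any other URL lands in Servers2.
    server, cookie = fw.dispatch("example.com/index.html", None, now=1)
    chosen.append(server.name)
    # The same client returns with the inserted cookie and stays on that server.
    rip = cookie.split("=")[1]
    server, _ = fw.dispatch("example.com/index.html", rip, now=2)
    chosen.append(server.name)
    # The health check marks that server down: the pinned client is re-dispatched.
    fw.by_rip[rip].healthy = False
    server, _ = fw.dispatch("example.com/index.html", rip, now=3)
    chosen.append(server.name)
    return chosen


if __name__ == "__main__":
    print(demo())
```

The last two requests show the two reasons a sticky session is broken on purpose: the persistence entry ages out after aging-time seconds, or the health check removes the server; in both cases the request is scheduled afresh and a new cookie is inserted, which is the behaviour to expect when reading connection counts during verification.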

Procedure

  1. Set the IP addresses of the interfaces and add the interfaces to corresponding security zones.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
    [FW-GigabitEthernet0/0/1] quit
    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet0/0/2] ip address 192.168.1.254 24
    [FW-GigabitEthernet0/0/2] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW-zone-untrust] quit
    [FW] firewall zone dmz
    [FW-zone-dmz] add interface GigabitEthernet 0/0/2
    [FW-zone-dmz] quit

  2. Configure security policies.

    # Configure an Untrust -> DMZ security policy to allow Internet users to access web servers on the enterprise network. The destination IP address of the policy must be the IP address of the virtual server.

    [FW] security-policy
    [FW-policy-security] rule name policy1
    [FW-policy-security-rule-policy1] source-zone untrust
    [FW-policy-security-rule-policy1] destination-zone dmz
    [FW-policy-security-rule-policy1] destination-address 1.1.2.10 24
    [FW-policy-security-rule-policy1] action permit
    [FW-policy-security-rule-policy1] quit
    [FW-policy-security] quit

    # Configure a Local -> DMZ security policy to allow the FW to send health probe packets to the real servers.

    [FW] security-policy
    [FW-policy-security] rule name policy2
    [FW-policy-security-rule-policy2] source-zone local
    [FW-policy-security-rule-policy2] destination-zone dmz
    [FW-policy-security-rule-policy2] destination-address range 192.168.1.1 192.168.1.4
    [FW-policy-security-rule-policy2] action permit
    [FW-policy-security-rule-policy2] quit
    [FW-policy-security] quit

  3. Configure the sticky session function.

    [FW] slb enable
    [FW] slb
    [FW-slb] persistence 0 Session
    [FW-slb-persistence-0] type cookie-insert aging-time 600
    [FW-slb-persistence-0] quit

  4. Configure real server groups Servers1 and Servers2.

    [FW-slb] group 0 Servers1
    [FW-slb-group-0] metric weight-least-connection
    [FW-slb-group-0] health-check type icmp tx-interval 5 times 3
    [FW-slb-group-0] action optimize
    [FW-slb-group-0] rserver 0 rip 192.168.1.1 max-connection 40000 port 8080 weight 2 description server1
    [FW-slb-group-0] rserver 1 rip 192.168.1.2 max-connection 20000 port 8080 weight 1 description server2
    [FW-slb-group-0] quit
    [FW-slb] group 1 Servers2
    [FW-slb-group-1] metric weight-least-connection
    [FW-slb-group-1] health-check type icmp tx-interval 5 times 3
    [FW-slb-group-1] action optimize
    [FW-slb-group-1] rserver 0 rip 192.168.1.3 max-connection 20000 port 8080 weight 1 description server3
    [FW-slb-group-1] rserver 1 rip 192.168.1.4 max-connection 20000 port 8080 weight 1 description server4
    [FW-slb-group-1] quit

  5. Configure HTTP scheduling policy http-url.

    [FW-slb] httpclass 0 http-url
    [FW-slb-httpclass-0] url example.com/abc.jng mode exact
    [FW-slb-httpclass-0] action group Servers1
    [FW-slb-httpclass-0] quit
    [FW-slb] slb httpclass commit
    [FW-slb] quit

  6. Install the local certificates.

    Upload certificate usera.cer to the CF card by FTP or SFTP.

    The decryption password must be consistent with the certificate key, and can be obtained from the server administrator.

    [FW] pki import-certificate local usera.cer no-check-validate no-check-hash-alg

  7. Optional: Install a CA certificate. If SSL offloading is performed on the firewall and the server's local certificate is issued by a multi-level CA, import both the local certificate and the multi-level CA certificates to the firewall. Once the local certificate is referenced, the firewall sends the local certificate together with the CA certificate chain to the client, which uses the complete chain to verify the validity of the local certificate. Without the complete certificate chain, a certificate security alarm or a connection failure may occur during the SSL handshake.

    [FW] pki import-certificate ca ca.cer no-check-validate no-check-hash-alg

  8. Configure an SSL uninstallation profile.

    [FW] slb
    [FW-slb] ssl-profile 0 ssl-p1
    [FW-slb-profile-0] server-certificate usera.cer
    [FW-slb-profile-0] ssl-version tls1.1
    [FW-slb-profile-0] ssl-algorithm medium
    [FW-slb-profile-0] session-cache number 500
    [FW-slb-profile-0] session-cache timeout 300
    [FW-slb-profile-0] quit

  9. Configure virtual service vs-http-1.1.2.10.

    [FW-slb] vserver 1 vs-http-1.1.2.10
    [FW-slb-vserver-1] protocol https
    [FW-slb-vserver-1] ssl-profile ssl-p1
    [FW-slb-vserver-1] vip 0 1.1.2.10
    [FW-slb-vserver-1] vport any
    [FW-slb-vserver-1] persistence Session
    [FW-slb-vserver-1] httpclass http-url
    [FW-slb-vserver-1] group Servers2
    [FW-slb-vserver-1] quit

Verification

  1. Check static server map entries on the FW. If corresponding server map entries exist, server load balancing is successfully configured.

    [FW] display firewall server-map static
     Current Total Server-map : 1
     Type: SLB,  ANY -> 1.1.2.10[vs-http-1.1.2.10/0],  Zone:---,  protocol:tcp              
     Vpn: public -> public
    
  2. On the client, access https://1.1.2.10. The client connects to the HTTP server successfully.

  3. If the traffic requested from the servers is heavy, view the real server groups (for example, Servers1) on the FW after some time.

    [FW] display slb group verbose Servers1
    Virtual Server Information(Total 1)
    -------------------------------------------------------------------------------------------
      Group Name               : Servers1
      Group ID                 : 0
      Metric                   : weight-least-connection
      Source-nat Type          : NA
      Health Check Type        : http                   
      Virtual Server ID        : 0                      
      Real Server Number       : 2
      Current connection       : 215
        RserverID  IP Address       Weight  Status               Ratio  TotalSession  CurSession
        0          192.168.1.1      4       Admin-Active         57.85%         4112         124
        1          192.168.1.2      2       Admin-Active         28.11%         1998          61
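When this verification is repeated on a schedule, it helps to parse the display output instead of reading it by eye: every real server should be Admin-Active, and the share of current sessions on each server should track its weight, otherwise the metric or the health check is not behaving as configured. The following Python parser and check is an added example written for this page, not Huawei tooling; the sample text is the output shown above, embedded as a constructed input, and the field names and row layout are taken from it. The tolerance of 10 percentage points is an assumed operational threshold.

```python
import re
from typing import Dict, List

# Constructed sample: the "display slb group verbose Servers1" output from this page.
SAMPLE_OUTPUT = """\
Virtual Server Information(Total 1)
-------------------------------------------------------------------------------------------
  Group Name               : Servers1
  Group ID                 : 0
  Metric                   : weight-least-connection
  Source-nat Type          : NA
  Health Check Type        : http
  Virtual Server ID        : 0
  Real Server Number       : 2
  Current connection       : 215
    RserverID  IP Address       Weight  Status               Ratio  TotalSession  CurSession
    0          192.168.1.1      4       Admin-Active         57.85%         4112         124
    1          192.168.1.2      2       Admin-Active         28.11%         1998          61
"""

# "Key  : value" header lines; keys may contain spaces and hyphens (Source-nat Type).
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(\S.*?)\s*$")
# One real server row: id, IP, weight, status, ratio%, total sessions, current sessions.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+([\d.]+)%\s+(\d+)\s+(\d+)\s*$")


def parse_group_verbose(text: str) -> Dict:
    """Split the output into header fields and a list of real server rows."""
    group = {"fields": {}, "servers": []}
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            group["servers"].append({
                "id": int(row.group(1)), "ip": row.group(2),
                "weight": int(row.group(3)), "status": row.group(4),
                "ratio": float(row.group(5)),
                "total_session": int(row.group(6)),
                "cur_session": int(row.group(7)),
            })
            continue
        kv = KV_RE.match(line)
        if kv:
            group["fields"][kv.group(1)] = kv.group(2)
    return group


def check_group(group: Dict, expected_metric: str = "weight-least-connection",
                tolerance: float = 0.10) -> List[str]:
    """Return a list of findings; an empty list means the group looks healthy."""
    findings = []
    fields, servers = group["fields"], group["servers"]
    if fields.get("Metric") != expected_metric:
        findings.append(f"metric is {fields.get('Metric')!r}, expected {expected_metric!r}")
    if int(fields.get("Real Server Number", -1)) != len(servers):
        findings.append("Real Server Number does not match the number of rows parsed")
    for s in servers:
        if s["status"] != "Admin-Active":
            findings.append(f"rserver {s['id']} ({s['ip']}) is {s['status']}")
    # Weighted least connections should keep current sessions proportional to weight.
    total_weight = sum(s["weight"] for s in servers)
    total_cur = sum(s["cur_session"] for s in servers)
    if total_weight and total_cur:
        for s in servers:
            expected = s["weight"] / total_weight
            actual = s["cur_session"] / total_cur
            if abs(actual - expected) > tolerance:
                findings.append(f"rserver {s['id']} carries {actual:.0%} of sessions, "
                                f"weight implies {expected:.0%}")
    return findings


if __name__ == "__main__":
    parsed = parse_group_verbose(SAMPLE_OUTPUT)
    print(parsed["fields"]["Group Name"], check_group(parsed) or "OK")
```

A mismatch between the configured metric and the displayed one, a server that is not Admin-Active, or a session share far from the weight ratio are the three findings worth alerting on; the sample output passes all three checks.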
    

Configuration Scripts

#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 24
#
interface GigabitEthernet 0/0/2
 ip address 192.168.1.254 24
#
firewall zone untrust
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 add interface GigabitEthernet 0/0/2
#
security-policy
 rule name policy1
  source-zone untrust
  destination-zone dmz
  destination-address 1.1.2.10 24
  action permit
 rule name policy2
  source-zone local
  destination-zone dmz
  destination-address range 192.168.1.1 192.168.1.4
  action permit
#
pki import-certificate local usera.cer no-check-validate no-check-hash-alg
#
slb enable
#
slb
 persistence 0 Session
  type cookie-insert aging-time 600 
 httpclass 0 http-url
  url example.com/abc.jng mode exact
  action group Servers1
 slb httpclass commit
 ssl-profile 0 ssl-p1
  server-certificate usera.cer
  ssl-version tls1.1
  ssl-algorithm medium
  session-cache number 500
  session-cache timeout 300
 group 0 Servers1
  metric weight-least-connection
  health-check type icmp tx-interval 5 times 3
  action optimize
  rserver 0 rip 192.168.1.1 max-connection 40000 port 8080 weight 2 description server1
  rserver 1 rip 192.168.1.2 max-connection 20000 port 8080 weight 1 description server2
 group 1 Servers2
  metric weight-least-connection
  health-check type icmp tx-interval 5 times 3
  action optimize
  rserver 0 rip 192.168.1.3 max-connection 20000 port 8080 weight 1 description server3
  rserver 1 rip 192.168.1.4 max-connection 20000 port 8080 weight 1 description server4
 vserver 1 vs-http-1.1.2.10
  vip 0 1.1.2.10
  protocol https
  persistence Session
  ssl-profile ssl-p1
  vport any
  httpclass http-url
  group Servers2
Copyright © Huawei Technologies Co., Ltd.