Layer 7 server load balancing SSL termination configuration example

Network requirements

In Figure 51, physical servers Server A, Server B, and Server C provide HTTP services, and are in descending order of hardware configuration.

Configure server load balancing on the LB device to distribute user requests among the servers based on their hardware performance, and use health monitoring to monitor reachability of the servers.

The LB device establishes an SSL-encrypted HTTPS connection with the host and plain HTTP connections with the servers. The LB device must terminate the SSL session with the host before establishing a TCP connection with a server.

Figure 51: Network diagram

Configuration procedure

  1. Configure the LB device:

    • Configure IP addresses for interfaces.

      <LB> system-view
      [LB] interface gigabitethernet 1/0/1
      [LB-GigabitEthernet1/0/1] ip address 61.159.4.100 24
      [LB-GigabitEthernet1/0/1] quit
      [LB] interface gigabitethernet 1/0/2
      [LB-GigabitEthernet1/0/2] ip address 192.168.1.100 24
      [LB-GigabitEthernet1/0/2] quit
      
    • Configure a server farm.

      # Create the SSL-type NQA template t1.

      <LB> system-view
      [LB] nqa template ssl t1
      [LB-nqatplt-ssl-t1] quit
      

      # Create the server farm sf, specify weighted round robin as the scheduling algorithm, and specify NQA template t1 as the health monitoring method.

      [LB] server-farm sf
      [LB-sfarm-sf] predictor round-robin
      [LB-sfarm-sf] probe t1
      [LB-sfarm-sf] quit
      
    • Configure an SSL server policy:

      # Configure PKI domain 1. (For more information about configuring a PKI domain, see Security Configuration Guide.)

      [LB] pki domain 1
      

      # Create an SSL server policy named ssp.

      [LB] ssl server-policy ssp
      

      # Specify PKI domain 1 for SSL server policy ssp.

      [LB-ssl-server-policy-ssp] pki-domain 1
      

      # Enable client authentication.

      [LB-ssl-server-policy-ssp] client-verify enable
      [LB-ssl-server-policy-ssp] quit
      

      # Apply SSL server policy ssp to control HTTPS access.

      [LB] ip https ssl-server-policy ssp
      

      # Enable the HTTPS service.

      [LB] ip https enable
      

      # Create a local user named usera, set the password to 123 in plaintext form, specify the service type as HTTPS, and specify the user role for the local user as network-admin.

      [LB] local-user usera
      [LB-luser-usera] password simple 123
      [LB-luser-usera] service-type https
      [LB-luser-usera] authorization-attribute user-role network-admin
      
    • Configure real servers.

      # Create the real server rs1 with IPv4 address 192.168.1.1, port number 8080, and weight 150, and add it to the server farm sf.

      [LB] real-server rs1
      [LB-rserver-rs1] ip address 192.168.1.1
      [LB-rserver-rs1] port 8080
      [LB-rserver-rs1] weight 150
      [LB-rserver-rs1] server-farm sf
      [LB-rserver-rs1] quit
      

      # Create the real server rs2 with IPv4 address 192.168.1.2, port number 8080, and weight 120, and add it to the server farm sf.

      [LB] real-server rs2
      [LB-rserver-rs2] ip address 192.168.1.2
      [LB-rserver-rs2] port 8080
      [LB-rserver-rs2] weight 120
      [LB-rserver-rs2] server-farm sf
      [LB-rserver-rs2] quit
      

      # Create the real server rs3 with IPv4 address 192.168.1.3, port number 8080, and weight 80, and add it to the server farm sf.

      [LB] real-server rs3
      [LB-rserver-rs3] ip address 192.168.1.3
      [LB-rserver-rs3] port 8080
      [LB-rserver-rs3] weight 80
      [LB-rserver-rs3] server-farm sf
      [LB-rserver-rs3] quit
      
    • Configure a virtual server.

      # Create the HTTP virtual server vs with VSIP 61.159.4.100 and port number 443, and specify its default master server farm sf.

      [LB] virtual-server vs type http
      [LB-vs-http-vs] virtual ip address 61.159.4.100
      [LB-vs-http-vs] port 443
      [LB-vs-http-vs] default server-farm sf
      

      # Specify the SSL server policy ssp for the virtual server.

      [LB-vs-http-vs] ssl-server-policy ssp
      

      # Enable the virtual server.

      [LB-vs-http-vs] service enable
      [LB-vs-http-vs] quit
      
  2. Configure the physical servers:

    # Specify the default gateway 192.168.1.100 for physical servers Server A, Server B, and Server C. (Details not shown.)
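The distribution that the configuration above produces can be illustrated with a short simulation. The following Python block is an added example, not the LB device's own code: it models server farm sf with the real servers rs1, rs2 and rs3 at weights 150, 120 and 80, schedules requests with weighted round robin, and skips any server whose health probe has failed. It assumes the "smooth" weighted round-robin variant; the device's own predictor may order selections differently but keeps the same ratios.

```python
# Added illustration, not the LB device's own code: weighted round-robin
# scheduling over the server farm sf from this example (rs1/rs2/rs3 with
# weights 150/120/80), with health-monitoring state taken into account.
# Assumption: the "smooth" weighted round-robin variant is used here.
from collections import Counter
from dataclasses import dataclass


@dataclass
class RealServer:
    name: str
    address: str
    port: int
    weight: int
    active: bool = True   # True while the probe (NQA template t1) succeeds
    current: int = 0      # running balance used by the scheduler


class ServerFarm:
    def __init__(self, name, servers):
        self.name = name
        self.servers = list(servers)

    def pick(self):
        """Return the next real server, or None if none is active.

        Servers whose health probe failed are excluded from scheduling.
        Among the active ones, each server's balance grows by its weight
        every round; the highest balance wins and pays back the total
        weight. Over sum(weights) picks each active server is chosen
        exactly `weight` times.
        """
        candidates = [s for s in self.servers if s.active]
        if not candidates:
            return None
        total = sum(s.weight for s in candidates)
        for s in candidates:
            s.current += s.weight
        chosen = max(candidates, key=lambda s: s.current)
        chosen.current -= total
        return chosen


def build_farm():
    """Server farm sf as configured on the page (addresses, ports, weights)."""
    return ServerFarm("sf", [
        RealServer("rs1", "192.168.1.1", 8080, 150),
        RealServer("rs2", "192.168.1.2", 8080, 120),
        RealServer("rs3", "192.168.1.3", 8080, 80),
    ])


def distribute(farm, requests):
    """Schedule `requests` requests and return how many each server received."""
    counts = Counter()
    for _ in range(requests):
        server = farm.pick()
        if server is not None:
            counts[server.name] += 1
    return dict(counts)


if __name__ == "__main__":
    farm = build_farm()
    print("all active:", distribute(farm, 350))
    farm = build_farm()
    farm.servers[1].active = False   # probe t1 fails for rs2
    print("rs2 down:  ", distribute(farm, 230))
```

Over 350 requests the split is exactly 150/120/80, matching the configured weights; when rs2 is marked down by the probe, the remaining 230 requests of a cycle go 150 to rs1 and 80 to rs3, so the weight ratio between the surviving servers is preserved rather than redistributed evenly.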

Verifying the configuration

# Display brief information about all real servers.

[LB] display real-server brief
Real server      Address              Port  State      VPN instance    Server farm
rs1              192.168.1.1          8080  Active                     sf
rs2              192.168.1.2          8080  Active                     sf
rs3              192.168.1.3          8080  Active                     sf
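For routine verification it helps to parse this output rather than read it by eye. The following Python block is an added example, not the LB device's own code: it parses the brief real-server listing and reports any member of farm sf that is not Active or is not on port 8080. The sample text is constructed from the output above with rs3 changed to a non-Active state; the state string "Inactive" is a placeholder, since the device reports its own state names, and the check treats anything other than Active as a problem.

```python
# Added check, not the LB device's own code: parse `display real-server brief`
# output and confirm that every member of server farm sf is Active on the
# configured port. SAMPLE_BRIEF is constructed from the page's output with rs3
# changed to a non-Active state ("Inactive" is a placeholder state name).
SAMPLE_BRIEF = """\
[LB] display real-server brief
Real server      Address              Port  State      VPN instance    Server farm
rs1              192.168.1.1          8080  Active                     sf
rs2              192.168.1.2          8080  Active                     sf
rs3              192.168.1.3          8080  Inactive                   sf
"""


def parse_real_server_brief(text):
    """Return one dict per real server row of the brief output.

    The VPN instance column is blank when no VPN instance is bound, so a
    row has either 5 or 6 whitespace-separated fields.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("[") or fields[0] == "Real":
            continue  # blank line, CLI prompt line, or column header
        if len(fields) == 5:
            name, address, port, state, farm = fields
            vpn = ""
        elif len(fields) == 6:
            name, address, port, state, vpn, farm = fields
        else:
            raise ValueError(f"unexpected row format: {line!r}")
        rows.append({"name": name, "address": address, "port": int(port),
                     "state": state, "vpn": vpn, "farm": farm})
    return rows


def check_farm(rows, farm, expected_port, expected_members):
    """Return a list of problems for `farm`; an empty list means all is well."""
    problems = []
    members = {r["name"]: r for r in rows if r["farm"] == farm}
    for name in expected_members:
        row = members.get(name)
        if row is None:
            problems.append(f"{name} is not a member of {farm}")
            continue
        if row["state"] != "Active":
            problems.append(f"{name} is {row['state']}")
        if row["port"] != expected_port:
            problems.append(
                f"{name} listens on {row['port']}, expected {expected_port}")
    return problems


if __name__ == "__main__":
    rows = parse_real_server_brief(SAMPLE_BRIEF)
    for problem in check_farm(rows, "sf", 8080, ["rs1", "rs2", "rs3"]):
        print("PROBLEM:", problem)
```

Checking against an explicit list of expected members, rather than only the rows present, also catches a real server that was created but never added to the farm with the `server-farm sf` command.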

# Display detailed information about all server farms.

[LB] display server-farm
Server farm: sf
  Description:
  Predictor: Round robin
  Proximity: Disabled
  NAT: Enabled
  SNAT pool:
  Failed action: Keep
  Active threshold: Disabled
  Slow-online: Disabled
  Selected server: Disabled
  Total real server: 3
  Active real server: 3
  Real server list:
  Name             State    VPN instance     Address          Port  Weight Priority
  rs1              Active                    192.168.1.1      8080  150    4
  rs2              Active                    192.168.1.2      8080  120    4
  rs3              Active                    192.168.1.3      8080  80     4

# Display detailed information about all virtual servers.

[LB] display virtual-server
Virtual server: vs
  Description:
  Type: HTTP
  State: Active
  VPN instance:
  Virtual IPv4 address: 61.159.4.100/32
  Virtual IPv6 address: --
  Port: 443
  Default server farm: sf (in use)
  Backup server farm:
  Sticky:
  LB policy:
  HTTP parameter profile:
  Connection limit: --
  Rate limit:
    Connections: --
    Bandwidth: --
    Inbound bandwidth: --
    Outbound bandwidth: --
  SSL server policy: ssp
  SSL client policy:
  Redirect relocation:
  Redirect return-code: 302
  Connection synchronization: Disabled
  Sticky synchronization: Disabled
  Bandwidth busy protection: Disabled
  Interface bandwidth statistics: Disabled
  Route advertisement: Disabled