Cisco Systems 6500 manual Client-ip-port, Custom custom-string, Prefix, Session


Chapter 2 Commands for the Catalyst 6500 Series SSL Services Module

policy http-header

Table 2-3 HTTP Header Insertion Configuration Submode Command Descriptions (continued)

| Syntax | Description |
| --- | --- |
| client-ip-port | Inserts the client IP address and information about the client port into the HTTP header, allowing the server to see the client IP address and port. |
| custom custom-string | Inserts the custom-string header into the HTTP header. |
| prefix | Adds the prefix-string to the HTTP header to enable the server to identify the connections that come from the SSL module, not from other appliances. |
| session | Passes information that is specific to an SSL connection to the back-end server as session headers. |

Examples

This example shows how to enter the HTTP header insertion configuration submode:

ssl-proxy(config)# ssl-proxy context s1
ssl-proxy(config-context)# policy http-header test1
ssl-proxy(config-ctx-http-header-policy)#

This example shows how to allow the back-end server to see the attributes of the client certificate that the SSL module has authenticated and approved:

ssl-proxy(config-ctx-http-header-policy)# client-cert
ssl-proxy(config-ctx-http-header-policy)#

This example shows how to insert the client IP address and information about the client port into the HTTP header, allowing the server to see the client IP address and port:

ssl-proxy(config-ctx-http-header-policy)# client-ip-port
ssl-proxy(config-ctx-http-header-policy)#

This example shows how to insert the custom-string header into the HTTP header:

ssl-proxy(config-ctx-http-header-policy)# custom "SOFTWARE VERSION:3.1(1)"
ssl-proxy(config-ctx-http-header-policy)# custom "module:SSL MODULE - CATALYST 6500"
ssl-proxy(config-ctx-http-header-policy)# custom type-of-proxy:server_proxy_1024_bit_key_size
ssl-proxy(config-ctx-http-header-policy)#

This example shows how to add the prefix-string into the HTTP header:

ssl-proxy(config-ctx-http-header-policy)# prefix SSL-OFFLOAD
ssl-proxy(config-ctx-http-header-policy)#

This example shows how to pass information that is specific to an SSL connection to the back-end server as session headers:

ssl-proxy(config-ctx-http-header-policy)# session
ssl-proxy(config-ctx-http-header-policy)#

This example shows how to create a header alias for the standard “session-cipher-name” header:

ssl-proxy(config-ctx-http-header-policy)# alias My-Session-Cipher session-cipher-name
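
A back-end check that builds on the prefix and client-ip-port examples above, added here as an illustration and not taken from the Cisco manual: it accepts the inserted headers only when the TCP peer is the SSL module and rejects duplicated ones. The module address 192.0.2.10, the hyphen-joined header names (SSL-OFFLOAD-Client-IP, SSL-OFFLOAD-Client-Port) and the sample requests are assumptions.

```python
import ipaddress

# Assumptions, not from the manual: the SSL module's back-end address, and
# that the prefix is joined to each inserted header name with a hyphen.
TRUSTED_OFFLOADERS = {ipaddress.ip_address("192.0.2.10")}
PREFIX = "ssl-offload-"  # lower-cased form of "prefix SSL-OFFLOAD"

# Constructed sample request headers.
FROM_MODULE = (
    "Host: app.example\r\n"
    "SSL-OFFLOAD-Client-IP: 198.51.100.7\r\n"
    "SSL-OFFLOAD-Client-Port: 59008\r\n"
)
# Same request with an extra copy of the address header, as seen when a
# client-supplied header survives alongside the inserted one.
DUPLICATED = "SSL-OFFLOAD-Client-IP: 10.0.0.1\r\n" + FROM_MODULE


def offload_metadata(peer_ip, raw_headers):
    """Return prefixed headers (prefix stripped) if the peer is the SSL module."""
    if ipaddress.ip_address(peer_ip) not in TRUSTED_OFFLOADERS:
        return {}  # other appliances and direct clients get no trust
    meta = {}
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if not sep or not name.startswith(PREFIX):
            continue
        field = name[len(PREFIX):]
        if field in meta:
            # Two values for one field: cannot tell which one the module wrote.
            raise ValueError(f"duplicate offload header: {name}")
        meta[field] = value.strip()
    return meta


def client_endpoint(meta):
    """Validate the client-ip-port fields before using them in logs or ACLs."""
    ip = ipaddress.ip_address(meta["client-ip"])
    port = int(meta["client-port"])
    if not 0 < port < 65536:
        raise ValueError(f"client port out of range: {port}")
    return str(ip), port
```

Whether the module removes client-supplied copies of these headers is not stated on this page, which is why the duplicate case is rejected rather than resolved.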

Catalyst 6500 Series Switch SSL Services Module Command Reference

 

OL-9105-01
