This section explains the configuration process using the Avi Load Balancer CLI.
The example below adds an SSL profile selector to the existing virtual service named vs-1.
The client IP list is the conjunction of the existing IP groups named Internal and Ip-grp-2. These two groups and the ssl_profile_ref (named sslprofile-2 in this example) must already be configured according to the requirements of the traffic flow and SSL algorithms.
Some output lines have been removed for the sake of brevity.
<pre><code>[admin:10-160-3-76]: > configure virtualservice vs-1
Updating an existing object. Currently, the object is:
+------------------------------------+-----------------------------------------------------+
| Field                              | Value                                               |
+------------------------------------+-----------------------------------------------------+
| uuid                               | virtualservice-08ba76c3-faab-430d-86db-a4d9703effa4 |
| name                               | vs-1                                                |
| enabled                            | True                                                |
| services[1]                        |                                                     |
|   port                             | 80                                                  |
|   enable_ssl                       | False                                               |
|   port_range_end                   | 80                                                  |
| services[2]                        |                                                     |
|   port                             | 443                                                 |
|   enable_ssl                       | True                                                |
|   port_range_end                   | 443                                                 |
| application_profile_ref            | System-HTTP                                         |
| network_profile_ref                | System-TCP-Proxy                                    |
| pool_ref                           | vs-1-pool                                           |
| se_group_ref                       | Default-Group                                       |
| network_security_policy_ref        | vs-vs-1-Default-Cloud-ns                            |
| http_policies[1]                   |                                                     |
|   index                            | 11                                                  |
|   http_policy_set_ref              | vs-1-Default-Cloud-HTTP-Policy-Set-0                |
| ssl_key_and_certificate_refs[1]    | System-Default-Cert                                 |
| ssl_profile_ref                    | System-Standard                                     |
. . .
| vip[1]                             |                                                     |
|   vip_id                           | 1                                                   |
|   ip_address                       | 10.160.221.250                                      |
|   enabled                          | True                                                |
|   auto_allocate_ip                 | False                                               |
|   auto_allocate_floating_ip        | False                                               |
|   avi_allocated_vip                | False                                               |
|   avi_allocated_fip                | False                                               |
|   auto_allocate_ip_type            | V4_ONLY                                             |
| vsvip_ref                          | vsvip-vs-1-Default-Cloud                            |
| use_vip_as_snat                    | False                                               |
| traffic_enabled                    | True                                                |
| allow_invalid_client_cert          | False                                               |
+------------------------------------+-----------------------------------------------------+
[admin:10-160-3-76]: virtualservice> ssl_profile_selectors
New object being created
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors> client_ip_list
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors:client_ip_list> match_criteria is_in
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors:client_ip_list> group_refs Internal
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors:client_ip_list> group_refs Ip-grp-2
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors:client_ip_list> save
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors> ssl_profile_ref sslprofile-2
[admin:10-160-3-76]: virtualservice:ssl_profile_selectors> save
[admin:10-160-3-76]: virtualservice> save
+------------------------------------+-----------------------------------------------------+
| Field                              | Value                                               |
+------------------------------------+-----------------------------------------------------+
| uuid                               | virtualservice-08ba76c3-faab-430d-86db-a4d9703effa4 |
| name                               | vs-1                                                |
| enabled                            | True                                                |
| services[1]                        |                                                     |
|   port                             | 80                                                  |
|   enable_ssl                       | False                                               |
|   port_range_end                   | 80                                                  |
| services[2]                        |                                                     |
|   port                             | 443                                                 |
|   enable_ssl                       | True                                                |
|   port_range_end                   | 443                                                 |
| application_profile_ref            | System-HTTP                                         |
| network_profile_ref                | System-TCP-Proxy                                    |
| pool_ref                           | vs-1-pool                                           |
| se_group_ref                       | Default-Group                                       |
| network_security_policy_ref        | vs-vs-1-Default-Cloud-ns                            |
| http_policies[1]                   |                                                     |
|   index                            | 11                                                  |
|   http_policy_set_ref              | vs-1-Default-Cloud-HTTP-Policy-Set-0                |
| ssl_key_and_certificate_refs[1]    | System-Default-Cert                                 |
| ssl_profile_ref                    | System-Standard                                     |
. . .
| vip[1]                             |                                                     |
|   vip_id                           | 1                                                   |
|   ip_address                       | 10.160.221.250                                      |
|   enabled                          | True                                                |
|   auto_allocate_ip                 | False                                               |
|   auto_allocate_floating_ip        | False                                               |
|   avi_allocated_vip                | False                                               |
|   avi_allocated_fip                | False                                               |
|   auto_allocate_ip_type            | V4_ONLY                                             |
| vsvip_ref                          | vsvip-vs-1-Default-Cloud                            |
| use_vip_as_snat                    | False                                               |
| traffic_enabled                    | True                                                |
| allow_invalid_client_cert          | False                                               |
| ssl_profile_selectors[1]           |                                                     |
|   client_ip_list                   |                                                     |
|     match_criteria                 | IS_IN                                               |
|     group_refs[1]                  | Internal                                            |
|     group_refs[2]                  | Ip-grp-2                                            |
|   ssl_profile_ref                  | sslprofile-2                                        |
+------------------------------------+-----------------------------------------------------+
[admin:10-160-3-76]: ></code></pre>
A virtual service’s SSL profile selector client IP list does not (yet) support implicit IP configurations. Use group UUIDs.
An SSL profile selector configuration requires the virtual service to have at least one SSL-enabled service port. Otherwise, it must be a child virtual service.
A child virtual service does not inherit its parent virtual service’s SSL profile selectors, only the parent’s default SSL profile.
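The restrictions above can be checked before the change is saved. The following is an added example, not part of the Avi Load Balancer product or its documentation: it validates a virtual service dictionary whose keys mirror the field names in the CLI output. The `type` key with the value `VS_TYPE_VH_CHILD` and the inline-address keys `addrs`, `ranges` and `prefixes` are assumptions about the object layout, and `check_selectors` is a hypothetical helper name.

```python
# Added example: pre-flight checks for ssl_profile_selectors on a virtual service.
# The dict layout mirrors the field names in the CLI output above; "type",
# "addrs", "ranges" and "prefixes" are assumed field names, not shown on the page.

def check_selectors(vs, known_ip_groups, known_ssl_profiles):
    """Return a list of problems that would block or weaken the selector config."""
    problems = []
    selectors = vs.get("ssl_profile_selectors", [])
    if not selectors:
        return problems

    # Rule: at least one SSL-enabled service port, unless this is a child VS.
    has_ssl_port = any(s.get("enable_ssl") for s in vs.get("services", []))
    is_child = vs.get("type") == "VS_TYPE_VH_CHILD"  # assumed enum value
    if not (has_ssl_port or is_child):
        problems.append("no SSL-enabled service port and not a child virtual service")

    for i, sel in enumerate(selectors, start=1):
        ip_list = sel.get("client_ip_list", {})
        # Rule: inline addresses are not supported; only IP group references.
        inline = [k for k in ("addrs", "ranges", "prefixes") if ip_list.get(k)]
        if inline:
            problems.append(f"selector {i}: inline {', '.join(inline)} not supported, use group_refs")
        groups = ip_list.get("group_refs", [])
        if not groups:
            problems.append(f"selector {i}: client_ip_list has no group_refs")
        # Rule: the IP groups and the SSL profile must already exist.
        for g in groups:
            if g not in known_ip_groups:
                problems.append(f"selector {i}: IP group {g!r} is not configured")
        profile = sel.get("ssl_profile_ref")
        if profile not in known_ssl_profiles:
            problems.append(f"selector {i}: SSL profile {profile!r} is not configured")
    return problems


# Constructed sample matching the vs-1 example on this page.
VS_1 = {
    "name": "vs-1",
    "services": [{"port": 80, "enable_ssl": False}, {"port": 443, "enable_ssl": True}],
    "ssl_profile_ref": "System-Standard",
    "ssl_profile_selectors": [{
        "client_ip_list": {"match_criteria": "IS_IN", "group_refs": ["Internal", "Ip-grp-2"]},
        "ssl_profile_ref": "sslprofile-2",
    }],
}

if __name__ == "__main__":
    print(check_selectors(VS_1, {"Internal", "Ip-grp-2"}, {"System-Standard", "sslprofile-2"}))
```

An empty list means the selector configuration satisfies the rules listed above; each string in a non-empty list names the selector and the rule it breaks.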