ACE: How to match the hostname in (config-cmap-http-lb) match http url ?

dpetitpierre
Level 1

Hello,

In the Application Control Engine Module Command Reference manual

(http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/command/reference/classmap.html#wp1025903)

the section about "Class Map HTTP Load Balancing Configuration Mode Commands" mentions for "(config-cmap-http-lb) match http url" that

| Usage Guidelines
|
| Include only the portion of the URL following http://www.hostname.domain in the match statement. For example, in the URL http://www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the http://www.anydomain.com portion, the URL string can take the form of a URL regular expression.

It is a bit contradictory, but my interpretation of this explanation is that if one uses a regular expression pattern it could match the hostname portion of the URL. I tried, among others, the following patterns to no avail:

match http url www[.]hostname[.]domain/.*

match http url /www[.]hostname[.]domain/.*

match http url //www[.]hostname[.]domain/.*

match http url http://www[.]hostname[.]domain/.*

- What is the proper pattern to use to match the hostname portion?

- Is there a way to debug pattern matching (i.e. see what is the input to match and which "match http url" line matched)?

I would like to use this in order to direct HTTP queries to different servers depending on specific combinations of (apache virtual) host and path. One could use

(config-cmap-http-lb) match http header Host header-value www[.]hostname[.]domain

but then one is forced to use "match-all", which becomes very cumbersome if there are many virtual hosts and a lot of path patterns for the same virtual host.

Incidentally, the table describing regular expression characters

(http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/command/reference/classmap.html#map.html#wp1025677)

does not mention "(expr)? Zero or one of expression". It works and is very useful; e.g.:

match http url "/path_with_or_without_trailing_slash(/.*)?"

Thanks in advance for your help!

Dominique

Accepted Solutions

URL is the piece that comes after the HTTP method in the HTTP request from the client. Since that will not contain the hostname (unless the request is destined for an HTTP proxy), you will need to read the hostname from the host header.

If you look at an HTTP request it looks like

GET /index.htm HTTP/1.1\r\n <-- This is the url

Host:www.cisco.com <-- This is the HOST

If you want to match these two conditions then you need to match both HOST and URL.

The syntax would look like:

class-map type http loadbalance match-all xyz

2 match http header Host header-value www[.]cisco[.]com

3 match http url /index.htm

HTH

Syed Iftekhar Ahmed


Thanks for the explanation: it makes sense that the matching is made on the argument of the method (i.e. an explicit string in the HTTP protocol rather than a string constructed from various pieces as the name "URL" would let one believe).

I was confused because by definition a URL is an absolute URI that always includes the scheme (e.g. "http://") and the host name (cf. http://tools.ietf.org/html/rfc1738#section-5); i.e. I thought that the example regular expression patterns given in the manual were not anchored and thus could match a URL. The piece that comes after the HTTP request method in the general case should not be called a URL: it can be a URL but is usually an absolute path (cf. http://tools.ietf.org/html/rfc2616#section-5.1.2).

The manual's clarity could be improved by specifying that the pattern following "match http url" should match the first argument of the HTTP request method (i.e. "Request-URI" of RFC 2616).

Some logging of the matching process would have helped to understand what is really happening:

- Is it possible to trace or log "match" lines or class-maps, or more generally the full classification process?

Best regards,

Dominique

Using "Show service-policy" you can see which class-map is hit how many times. It's a great help to see if your traffic is really falling under the class-maps you defined.

for example

Ace/Context# show service-policy Vlan10-policy detail

Status : ACTIVE

Description: -

-----------------------------------------

Interface: vlan 10

service-policy: Vlan10-policy

class: VIP

VIP Address: Port:

10.10.10.10 eq 80

loadbalance:

L7 loadbalance policy: APP1-policy

VIP Route Metric : 77

VIP Route Advertise : DISABLED

VIP ICMP Reply : ENABLED

VIP State: INSERVICE

curr conns : 0 , hit count : 10

dropped conns : 1

client pkt count : 67 , client byte count: 14414

server pkt count : 81 , server byte count: 9545

L7 Loadbalance policy : APP1-policy

class/match : CLASS-A <-- No hits for this class

LB action :

serverfarm: serverfarm1

hit count : 0

dropped conns : 0

class/match : CLASS-B <--31 hits for this class

LB action :

serverfarm: serverfarm2

hit count : 31

You are right: "show service-policy" gives very useful information.

Unfortunately, if the classes are complex, it might become difficult to locate the pattern that did (or did not) match, e.g. when there are classes of classes and there is a typo somewhere in a pattern:

class-map type http loadbalance match-any virtual_host_class

2 match http header Host header-value "vhost(\.domain\.com){0,1}(:8[0_9]{1,3})?"

class-map type http loadbalance match-any path_class

2 match http url "/complexpattern1(/.*)?"

3 match http url "/complexpattern2(/.*)?"

class-map type http loadbalance match-all host_and_path_class

2 match class-map virtual_host_class

3 match class-map path_class

If traffic to http://vhost:8080/path1 fails to match it might be difficult to trace it to the pattern "[0_9]" that should be "[0-9]".

With just "show service-policy" one would have to isolate each "match" line: tedious.

Thanks again for your answers!

Best regards,

Dominique
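
An added example, not part of the thread and not Cisco code: an offline Python approximation of the classification discussed above, which splits a raw request into Request-URI and Host header and reports which "match" line made the nested class-map from the last post fail. It assumes ACE patterns behave like whole-string Python regular expressions; the function names and the sample request are constructed for illustration.

```python
import re

# Class-maps from the last post, transcribed as data; the "[0_9]" typo is kept.
CLASS_MAPS = {
    "virtual_host_class": ("match-any", [
        ("header", "Host", r"vhost(\.domain\.com){0,1}(:8[0_9]{1,3})?")]),
    "path_class": ("match-any", [
        ("url", None, r"/complexpattern1(/.*)?"),
        ("url", None, r"/complexpattern2(/.*)?")]),
    "host_and_path_class": ("match-all", [
        ("class", None, "virtual_host_class"),
        ("class", None, "path_class")]),
}

def parse_request(raw):
    """Split a raw HTTP/1.x request head into (request_uri, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_uri, headers

def blame(name, uri, headers, maps=CLASS_MAPS):
    """Return (matched, match lines responsible when the class-map fails)."""
    mode, matches = maps[name]
    oks, culprits = [], []
    for kind, field, arg in matches:
        if kind == "class":
            ok, sub = blame(arg, uri, headers, maps)
        else:
            subject = uri if kind == "url" else headers.get(field.lower(), "")
            # Assumption: a pattern must cover the whole string it is tested on.
            ok = re.fullmatch(arg, subject) is not None
            sub = [] if ok else [(name, kind, arg, subject)]
        oks.append(ok)
        culprits.extend(sub)
    matched = all(oks) if mode == "match-all" else any(oks)
    return matched, ([] if matched else culprits)

# Constructed sample request (not from the thread).
SAMPLE = "GET /complexpattern1/x HTTP/1.1\r\nHost: vhost:8080\r\n\r\n"

if __name__ == "__main__":
    uri, headers = parse_request(SAMPLE)
    print(uri, headers["host"], blame("host_and_path_class", uri, headers))
```

Only the match lines that caused a failing class-map are returned, so a non-matching alternative inside a match-any class that still matched is not reported.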