Advanced Loadbalancing Decisions

Answered Question

I have some requirements from my app developers that are puzzling me. I'm not sure the ACE can do what I want, but with the flexibility of the policy and class maps I'm thinking there has to be a way.

I have a VIP that is used for two different server farms. If a user goes to the general URI http://mainwebserver.com they go to the main web serverfarm. However, if they go to http://mainwebserver.com/internal they will go to a different serverfarm.

I have this set up and working right now. Easy.

However, my application guys want to use the ACE enforce certain policies with regard to request METHODs and actions.

Example, if the user is doing a POST and they go to the mainwebserver.com URL with /internal/ and then /makechange in the URL, then they have to be using SSL. In other words, if they go to http://mainwebserver.com/internal/stuff/blah/makechange with the POST method and are coming via HTTP (as opposed to HTTPS), then I need to reject the call. If they aren't POSTing, or aren't going to /makechange, then it doesn't matter if they are using HTTP or HTTPS.

Can anyone come up with a way to accomplish this task?

Oh yeah, it's also not only /makechange, but also /getchanges combined with a POST method, that would require SSL.

Let me know if anyone needs further clarification. It looks like a fun puzzle, so have it.

Thanks!

I have this problem too.
0 votes
Correct Answer by Syed Iftekhar Ahmed about 8 years 2 months ago

As per the ACE policy order Server Loadbalancing will happen first and then Inspection will take place.

Something like this should do

class-map type http inspect match-any BLOCK-HTTP

match request-method rfc post

match url

class match-all ALLOW-HTTP

match port tcp eq http

policy-map type inspect HTTP first-match PM-L7-Inspect-webserver

class BLOCK-HTTP

reset

class ALLOW-HTTP

permit

policy-map multi-match PM-BasicVIPs

class CM-webserver

loadbalance vip inservice

loadbalance policy PM-L7-webserver

loadbalance vip icmp-reply

inspect http policy PM-L7-Inspect-webserver

Try it in a test environment first.

Syed

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Syed Iftekhar Ahmed Fri, 09/26/2008 - 10:53

With HTTP Inspection you can look for HTTP methods and Request urls and can reset the client conns if there is a match.

Something in lines with

class-map type http inspect match-all xyz

match request-method rfc post

match url

policy-map type inspect http all-match HTTP_INSPECT_L7POLICY

class xyz

reset

Syed

I was thinking that the way to go would be with an INSPECT policy. But I wasn't sure how to implement it. Assuming I have a service policy of:

policy-map multi-match PM-BasicVIPs

class CM-webserver

loadbalance vip inservice

loadbalance policy PM-L7-webserver

loadbalance vip icmp-reply

inspect http policy PM-L7-Inspect-webserver

Would the policy action on the inspect portion and reset the connection or will it action on the loadbalance portion and service the request?

Also, the policy PM-L7-webserver is the one analyzing the URI and pushing the user to one of two serverfarms. I don't think that'll matter since the inspect class is doing the same check in the URI.

Thoughts?

Correct Answer
Syed Iftekhar Ahmed Fri, 09/26/2008 - 15:55

As per the ACE policy order Server Loadbalancing will happen first and then Inspection will take place.

Something like this should do

class-map type http inspect match-any BLOCK-HTTP

match request-method rfc post

match url

class match-all ALLOW-HTTP

match port tcp eq http

policy-map type inspect HTTP first-match PM-L7-Inspect-webserver

class BLOCK-HTTP

reset

class ALLOW-HTTP

permit

policy-map multi-match PM-BasicVIPs

class CM-webserver

loadbalance vip inservice

loadbalance policy PM-L7-webserver

loadbalance vip icmp-reply

inspect http policy PM-L7-Inspect-webserver

Try it in a test environment first.

Syed

Actions

This Discussion