Advanced Loadbalancing Decisions

Answered Question
Sep 26th, 2008
User Badges:

I have some requirements from my app developers that are puzzling me. I'm not sure the ACE can do what I want, but with the flexibility of the policy and class maps I'm thinking there has to be a way.


I have a VIP that is used for two different server farms. If a user goes to the general URI http://mainwebserver.com they go to the main web serverfarm. However, if they go to http://mainwebserver.com/internal they will go to a different serverfarm.


I have this set up and working right now. Easy.


However, my application guys want to use the ACE enforce certain policies with regard to request METHODs and actions.


Example, if the user is doing a POST and they go to the mainwebserver.com URL with /internal/ and then /makechange in the URL, then they have to be using SSL. In other words, if they go to http://mainwebserver.com/internal/stuff/blah/makechange with the POST method and are coming via HTTP (as opposed to HTTPS), then I need to reject the call. If they aren't POSTing, or aren't going to /makechange, then it doesn't matter if they are using HTTP or HTTPS.


Can anyone come up with a way to accomplish this task?


Oh yeah, it's also not only /makechange, but also /getchanges combined with a POST method, that would require SSL.


Let me know if anyone needs further clarification. It looks like a fun puzzle, so have it.


Thanks!

Correct Answer by Syed Iftekhar Ahmed about 8 years 9 months ago

As per the ACE policy order Server Loadbalancing will happen first and then Inspection will take place.


Something like this should do


class-map type http inspect match-any BLOCK-HTTP

match request-method rfc post

match url


class match-all ALLOW-HTTP

match port tcp eq http



policy-map type inspect HTTP first-match PM-L7-Inspect-webserver

class BLOCK-HTTP

reset

class ALLOW-HTTP

permit


policy-map multi-match PM-BasicVIPs

class CM-webserver

loadbalance vip inservice

loadbalance policy PM-L7-webserver

loadbalance vip icmp-reply

inspect http policy PM-L7-Inspect-webserver



Try it in a test environment first.


Syed

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Syed Iftekhar Ahmed Fri, 09/26/2008 - 10:53
User Badges:
  • Blue, 1500 points or more

With HTTP Inspection you can look for HTTP methods and Request urls and can reset the client conns if there is a match.


Something in lines with



class-map type http inspect match-all xyz

match request-method rfc post

match url



policy-map type inspect http all-match HTTP_INSPECT_L7POLICY

class xyz

reset




Syed






lou_young@choic... Fri, 09/26/2008 - 11:58
User Badges:

I was thinking that the way to go would be with an INSPECT policy. But I wasn't sure how to implement it. Assuming I have a service policy of:


policy-map multi-match PM-BasicVIPs

class CM-webserver

loadbalance vip inservice

loadbalance policy PM-L7-webserver

loadbalance vip icmp-reply

inspect http policy PM-L7-Inspect-webserver


Would the policy action on the inspect portion and reset the connection or will it action on the loadbalance portion and service the request?


Also, the policy PM-L7-webserver is the one analyzing the URI and pushing the user to one of two serverfarms. I don't think that'll matter since the inspect class is doing the same check in the URI.


Thoughts?



Correct Answer
Syed Iftekhar Ahmed Fri, 09/26/2008 - 15:55
User Badges:
  • Blue, 1500 points or more

As per the ACE policy order Server Loadbalancing will happen first and then Inspection will take place.


Something like this should do


class-map type http inspect match-any BLOCK-HTTP

match request-method rfc post

match url


class match-all ALLOW-HTTP

match port tcp eq http



policy-map type inspect HTTP first-match PM-L7-Inspect-webserver

class BLOCK-HTTP

reset

class ALLOW-HTTP

permit


policy-map multi-match PM-BasicVIPs

class CM-webserver

loadbalance vip inservice

loadbalance policy PM-L7-webserver

loadbalance vip icmp-reply

inspect http policy PM-L7-Inspect-webserver



Try it in a test environment first.


Syed

lou_young@choic... Mon, 09/29/2008 - 12:40
User Badges:

I implemented this last Friday afternoon, and while it took some tweaking on the RegEx to get the URL match correct, it seems to be working to reset the connections for the various scenario's the app guys are throwing at me.


Thanks for your help!

Actions

This Discussion