04-05-2010 01:57 PM
I have an SSL load-balance VIP/class map which works fine.
The problem is that the developers of the web apps want to have a link in XML (Tomcat app) to a map app (different port, same box). It is behind multiple firewalls and I can't get permission to open more ports. So can I take the redirection in the web page to a serverfarm and keep it in the SSL connection? I have opened a ticket with Cisco, but they have been no help.
This is my config with everything cut out but the redirect.
action-list type modify http HTTP2HTTPS-REWRITE
  ssl url rewrite location ".*"

probe http WEB
  interval 5
  faildetect 2
  passdetect interval 15
  passdetect count 2
  expect status 200 302

parameter-map type ssl SSL_PARAMETER_MAP
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 8
  cipher RSA_WITH_AES_128_CBC_SHA priority 9
  cipher RSA_WITH_AES_256_CBC_SHA priority 10

parameter-map type connection TCP_IDLE_TIMEOUT
  set timeout inactivity 2700

rserver host lnxsv1
  description lnxsv1
  ip address 1.1.1.230
  inservice

ssl-proxy service SSL_SVC_WEB
  key my.key.pem
  cert my.cert.pem

serverfarm host SF_WEB_80
  description SF_WEB_80 Server Farm
  predictor leastconns
  probe WEB
  rserver lnxsv1 80
    inservice

class-map match-all CM_WEB_443
  2 match virtual-address 192.168.200.123 tcp eq https

class-map match-all CM_WEB_80
  2 match virtual-address 192.168.200.23 tcp eq www

class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  201 match protocol telnet any
  202 match protocol ssh any
  203 match protocol icmp any
  204 match protocol http any
  205 match protocol https any
  206 match protocol snmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match PM_WEB_80
  class class-default
    serverfarm SF_WEB_80
    action HTTP2HTTPS-REWRITE

policy-map multi-match PM_MM_WEB
  class CM_WEB_80
    loadbalance vip inservice
    loadbalance policy PM_WEB_80
    loadbalance vip icmp-reply
    nat dynamic 10 vlan 604
    connection advanced-options TCP_IDLE_TIMEOUT
  class CM_WEB_443
    loadbalance vip inservice
    loadbalance policy PM_WEB_80
    loadbalance vip icmp-reply
    nat dynamic 10 vlan 604
    ssl-proxy server SSL_SVC_WEB
    connection advanced-options TCP_IDLE_TIMEOUT

timeout xlate 60

interface vlan 604
  description Client Side Connectivity
  ip address 192.168.200.242 255.255.255.0
  alias 192.168.200.8 255.255.255.0
  peer ip address 192.168.200.243 255.255.255.0
  no normalization
  access-group input ALL
  access-group output ALL
  nat-pool 10 192.168.202.33 192.168.202.64 netmask 255.255.252.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input PM_MM_WEB
04-06-2010 03:40 AM
The backend and the frontend are separated.
So, you can receive a request in SSL (frontend) and send it to a server in cleartext on the backend.
You can go to different servers, different ports.
All you need to do is catch the request in a class-map type http loadbalance ...
But, you can't change the URL inside the request.
So, without more details about what you need exactly, we can't give you more info.
Gilles.
04-06-2010 05:09 AM
So what the developers want is:
Client Web Browser --> Firewall --> Firewall -->router ACL -->Firewall ---> ACE VIP with SSL termination-------> Load Balanced to port 80 in the serverfarm.
Works great.
Now they would like to add a link on the web page that is being load balanced. The link is just another port on the same servers. Let's say :7779
So the developer has a link that reads:
var baseURL = http://sameserver:7779/mapviewer
Can I:
Client Web Browser -> Firewall -> Firewall -> router ACL -> Firewall -> ACE VIP with SSL termination -> Read the request and send it to:
-> Load Balanced to port 80 in the serverfarm
-> If it equals: http://sameserver:7779/mapviewer
04-07-2010 01:38 AM
The problem is that http://xxxxxxx:7779 will tell the browser to open a different connection to xxxxxxxxx port 7779.
If I understand correctly, this is what you want to prevent because this would require the firewall to open a hole for port 7779.
ACE can't modify the server response.
There is no other solution than to rewrite those links on the servers and remove port 7779.
On the ACE you can then catch the link (without port 7779) when the request comes in, and identify that this connection needs to be sent to port 7779.
That is possible.
You just need a class-map type loadbalance HTTP and a match url regex.
Then under your policy type loadbalance, instead of a simple class-default, you have your match url class sending traffic to a serverfarm using port 7779 and for the rest you use a serverfarm with port 80.
Gilles.
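As an added example (not part of this thread or Cisco's own configuration), here is the URL-based split Gilles describes, written against the names in the posted config. The class-map CM_URL_MAPVIEWER, the serverfarm SF_WEB_7779 and the path /mapviewer are assumptions; the developers' link is assumed to have been changed on the servers to that path on the HTTPS VIP, so port 7779 is never exposed through the firewalls and is reached only after SSL termination on the ACE.

```cisco
class-map type http loadbalance match-any CM_URL_MAPVIEWER
  description Requests for the map app (assumed path /mapviewer)
  2 match http url /mapviewer.*

serverfarm host SF_WEB_7779
  description Map app on the same servers, reachable only via the VIP
  predictor leastconns
  probe WEB
  rserver lnxsv1 7779
    inservice

policy-map type loadbalance first-match PM_WEB_80
  class CM_URL_MAPVIEWER
    serverfarm SF_WEB_7779
    action HTTP2HTTPS-REWRITE
  class class-default
    serverfarm SF_WEB_80
    action HTTP2HTTPS-REWRITE
```

Because probe WEB inherits the rserver port in each serverfarm, it will probe lnxsv1 on 7779 for SF_WEB_7779 and still expect a 200 or 302 on "/", so the map app may need its own probe with a request URL it actually answers. The ssl url rewrite action only rewrites Location headers for the clear port it is configured with (80 by default), so if the map app issues redirects containing :7779 a second action-list using the clearport option for 7779 is needed.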