
HTTP URL Load Balancing Configuration

tsakoulias
Level 1

Hi,

We have an ACE 4710 and we need to configure it for HTTP URL Load Balancing between two server farms.

For example, we need URL (https://www.test.com) to load balance to Server Farm 1 and another URL (https://www.test.com/test1) to load balance to Server Farm 2.

Can you give me an example of the match statements that need to be configured?

class-map type http load balance match-all SF1

match http url http://www.test.com

class-map type http load balance match-all SF2

match http url http://www.test.com/test1

Are these statements correct?

Thanks in advance,

Theofilos Sakoulias


david.stout
Level 1

I would do it this way.

class-map type http loadbalance match-all SF1
  2 match http header Host header-value "www.test.com"

class-map type http loadbalance match-all SF2
  2 match http header Host header-value "www.test.com"
  3 match http url /test1

policy-map type loadbalance first-match Loadbalance-pm
  class SF2
    serverfarm ServerFarm2
  class SF1
    serverfarm ServerFarm1
  class class-default
    serverfarm DefaultServerFarm

Just remember to have the most specific rule first in the policy-map and use match-all statements. If you put the SF1 class first then anything else under it will not be processed.

Regards,

Dave.

Hi David,

Is there any difference if I use https instead of http?

I have already configured ssl proxy service under the policy map type load balance.

Furthermore, do we need to use urlrewrite?

Below you can find our current config:

switch/Admin# sh run
Generating configuration....


resource-class Sticky
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum equal-to-min

boot system image:c4710ace-mz.A3_2_5.bin

interface gigabitEthernet 1/1
  description Management
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  description Servers
  switchport access vlan 990
  no shutdown
interface gigabitEthernet 1/3
  description Clients
  switchport access vlan 991
  no shutdown
interface gigabitEthernet 1/4
  description FT Port
  ft-port vlan 999
  no shutdown


crypto chaingroup Chain_Group_2010
  cert CERT
  cert Intermediate
context Admin
  member Sticky

access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit icmp any any

probe http HTTP_Probe
  description HTTP_Probe
  port 8080
  interval 15
  passdetect interval 60
  request method get url \
  expect status 0 999
  open 1
probe icmp ICMP_Probe
  description ICMP_Probe
  interval 15
  passdetect interval 60


rserver host Serv3
  description Serv3
  ip address 172.16.3.113
  probe ICMP_Probe
  probe HTTP_Probe
  inservice
rserver host Serv4
  description Serv4
  ip address 172.16.3.114
  probe ICMP_Probe
  probe HTTP_Probe
  inservice
rserver host Serv7
  description Serv7
  ip address 172.16.3.117
  probe ICMP_Probe
  probe HTTP_Probe
  inservice

action-list type modify http urlrewrite
  ssl url rewrite location "my\.test\.com.*"

serverfarm host Server_Farm_Pilot
  description Server_Farm_Pilot
  failaction purge
  rserver Serv3 8080
    probe ICMP_Probe
    probe HTTP_Probe
    inservice
  rserver Serv4 8080
    probe ICMP_Probe
    probe HTTP_Probe
    inservice
serverfarm host Server_Farm_2
  description Server_Farm_2
  failaction purge
  probe HTTP_Probe
  probe ICMP_Probe
  rserver Serv7 8080
    probe ICMP_Probe
    probe HTTP_Probe
    inservice

ssl-proxy service Proxy_Service_2010
  key KEY
  cert CERT
  chaingroup Chain_Group_2010

sticky http-cookie COOKIE Sticky_Group
  replicate sticky
  serverfarm Server_Farm_Pilot

class-map match-all VIP_HTTP
  2 match virtual-address 172.16.1.210 tcp eq www
class-map match-all Virtual_Server_Pilot
  2 match virtual-address 172.16.1.210 tcp eq https
class-map type management match-any remote_access
  201 match protocol xml-https any
  202 match protocol icmp any
  203 match protocol telnet any
  204 match protocol ssh any
  205 match protocol http any
  206 match protocol https any
  207 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match VIP_HTTP-l7slb
  class class-default
    sticky-serverfarm Sticky_Group
policy-map type loadbalance first-match Virtual_Server_Pilot-l7slb
  class class-default
    sticky-serverfarm Sticky_Group
    action urlrewrite

policy-map multi-match int991
  class Virtual_Server_Pilot
    loadbalance vip inservice
    loadbalance policy Virtual_Server_Pilot-l7slb
    loadbalance vip icmp-reply
    ssl-proxy server Proxy_Service_2010
  class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy VIP_HTTP-l7slb

interface vlan 990
  description Servers
  ip address 172.16.3.201 255.255.255.0
  alias 172.16.3.203 255.255.255.0
  peer ip address 172.16.3.202 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 991
  description Clients
  ip address 172.16.1.201 255.255.255.0
  alias 172.16.1.203 255.255.255.0
  peer ip address 172.16.1.202 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input int991
  no shutdown
interface vlan 1000
  description Management
  ip address 10.10.10.201 255.255.255.0
  alias 10.10.10.203 255.255.255.0
  peer ip address 10.10.10.202 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown

ft interface vlan 999
  ip address 1.1.1.1 255.255.255.0
  peer ip address 1.1.1.2 255.255.255.0
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 999
ft group 1
  peer 1
  priority 110
  associate-context Admin
  inservice
 
ft track host TRACK_HOST1
  track-host 172.16.3.113
  probe ICMP_Probe priority 20
ft track interface Track_Clients
  track-interface vlan 991
  peer track-interface vlan 991
  priority 20
ft track interface Track_Servers
  track-interface vlan 990
  peer track-interface vlan 990
  priority 20

ip route 0.0.0.0 0.0.0.0 172.16.1.121

switch/Admin#

The difference is that our url is https://www.my.test.com. So according to your solution the header value should be modified to "www.my.test.com"?

Thanks

Yes you have to modify the header for the site you are using.

Also the ACE is terminating the HTTPS session between the client and ACE. When it sends traffic to the servers it will be HTTP and therefore the solution I gave you would be fine as the SSL Termination happens before the Layer 7 class-maps are checked and applied.

Something like....

match layer 4 class-map for HTTPS traffic and IP address

terminate SSL connection

go to policy-map

check layer 7 class-map statement for a first-match

loadbalance to serverfarm when match is found


I would also recommend using SSL-rewrite to handle any HTTP 30x codes that may be generated by the website. Just to be sure.

Dave.

Hi David,

I did the following:

class-map type http loadbalance match-all ClientA
  2 match http header Host header-value "my.domain.com"
  3 match http url /ClientA
class-map type http loadbalance match-all Main_Domain
  2 match http header Host header-value "my.domain.com"
class-map type http loadbalance match-all ClientB
  2 match http header Host header-value "my.domain.com"
  3 match http url /ClientB


policy-map type loadbalance first-match VIP_HTTP-l7slb
  class ClientA
    sticky-serverfarm Sticky_ClientA
  class ClientB
    sticky-serverfarm Sticky_ClientB
  class Main_Domain
    sticky-serverfarm Sticky_Main_Domain

When I test the above config, I don't get the desired functionality. All the connections (to http://mydomain.com, http://mydomain.com/ClientA and http://mydomain.com/ClientB) are load balanced to serverfarm Sticky_Main_Domain. When I remove the Main_Domain class map all the connections are dropped, which indicates that no connection requests are matched to class maps ClientA and ClientB.

Any help would be appreciated.

Thanks

I found the solution.

The final config should be like this one:

class-map type http loadbalance match-all ClientA
  2 match http header Host header-value "my.domain.com"
  3 match http url /ClientA/.*
class-map type http loadbalance match-all Main_Domain
  2 match http header Host header-value "my.domain.com"
class-map type http loadbalance match-all ClientB
  2 match http header Host header-value "my.domain.com"
  3 match http url /ClientB/.*


policy-map type loadbalance first-match VIP_HTTP-l7slb
  class ClientA
    sticky-serverfarm Sticky_ClientA
  class ClientB
    sticky-serverfarm Sticky_ClientB
  class Main_Domain
    sticky-serverfarm Sticky_Main_Domain

Watch the regular expressions in red !!!!!

Thank you all for your help.
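
The first-match policy and the two URL expressions discussed in this thread, as an added example that is not part of any post and is not ACE code. It is a simplified Python model that assumes the URL expression has to cover the whole request path and that the Host value is compared literally; the sample requests are constructed.

```python
import re

# Class-maps from the thread: name -> (Host value, URL expression or None).
BEFORE = {"ClientA": ("my.domain.com", r"/ClientA"),
          "ClientB": ("my.domain.com", r"/ClientB"),
          "Main_Domain": ("my.domain.com", None)}
AFTER = {"ClientA": ("my.domain.com", r"/ClientA/.*"),
         "ClientB": ("my.domain.com", r"/ClientB/.*"),
         "Main_Domain": ("my.domain.com", None)}
FARMS = {"ClientA": "Sticky_ClientA", "ClientB": "Sticky_ClientB",
         "Main_Domain": "Sticky_Main_Domain"}
ORDER = ["ClientA", "ClientB", "Main_Domain"]  # policy-map order in the thread

def class_matches(rule, host, path):
    """match-all: every condition listed in the class-map must hold."""
    want_host, url_expr = rule
    if host.lower() != want_host.lower():
        return False
    # Assumption: the expression must match the entire path, not a prefix.
    return url_expr is None or re.fullmatch(url_expr, path) is not None

def select_farm(class_maps, order, host, path):
    """first-match: walk the policy top-down and stop at the first hit."""
    for name in order:
        if class_matches(class_maps[name], host, path):
            return FARMS[name]
    return None  # nothing matched and there is no class-default

def routing_table(class_maps, order, requests):
    """Map each (host, path) request to the serverfarm it would reach."""
    return {(h, p): select_farm(class_maps, order, h, p) for h, p in requests}

# Constructed sample requests (not taken from the thread).
SAMPLE = [("my.domain.com", "/"), ("my.domain.com", "/ClientA"),
          ("my.domain.com", "/ClientA/"), ("my.domain.com", "/ClientA/login.jsp"),
          ("my.domain.com", "/ClientB/img/logo.png"), ("other.example", "/ClientA/")]

if __name__ == "__main__":
    cases = [("URL /ClientA", BEFORE, ORDER), ("URL /ClientA/.*", AFTER, ORDER),
             ("Main_Domain listed first", AFTER, ["Main_Domain", "ClientA", "ClientB"])]
    for label, maps, order in cases:
        print(label)
        for (host, path), farm in routing_table(maps, order, SAMPLE).items():
            print(f"  {host}{path:24} -> {farm}")
```

Under these assumptions the bare path /ClientA is not covered by /ClientA/.* and still lands on Sticky_Main_Domain, and a request with an unexpected Host header reaches no serverfarm unless a class-default is configured.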
