
CSM:Drop connection when wrong http header

Hi All,

My security people want me to drop connections if an HTTP header, like PISA_ID, is coming from a client. I don't need to look into the header, just drop the connection if the header is there. Any suggestion to solve this will be welcome. I am running version 4.2.7.

Regards

Mats

5 REPLIES
Silver

Re: CSM:Drop connection when wrong http header

Hello Mats,

The CSM can do this.  You would need to configure a map to look for the header, then call out that map in a policy.  If a policy does not have a serverfarm associated with it, it will not load balance the connection.  In my example below, connections with the PISA_ID header will not be load balanced, but connections without it will be load balanced to the default serverfarm specified under the vserver.

!
map DROP-PISA_ID header
  match protocol http header PISA_ID header-value *
!
serverfarm WEB-SERVERS
  nat server
  no nat client
  real 10.20.5.66
   inservice
  real 10.20.5.67
   inservice
  probe HTTP
!
policy DROP-HEADERS
  header-map DROP-PISA_ID
!        
vserver WEBSITE
  virtual 10.253.15.100 tcp www
  persistent rebalance
  slb-policy DROP-HEADERS
  serverfarm WEB-SERVERS
  inservice
!

You should check out the documentation on maps, policies, and header parsing for more details.

Hope this helps,

Sean

New Member

Re: CSM:Drop connection when wrong http header

smerrow (2010-02-24 15:41):

mruuth,

A new message was posted in the Discussion thread "CSM:Drop connection when wrong http header":

https://supportforums.cisco.com/message/3024592#3024592

Author : Sean Merrow

Profile : https://supportforums.cisco.com/people/smerrow

Hello Sean,

Thank you for your fast reply. Your "parameter header-value *" solved my problem, because I just want to check the header and not the content. I shall now implement and test.

Regards

Mats

New Member

Re: CSM:Drop connection when wrong http header

Hello Sean,

I have tested, but it does not work. I see with a sniffer that the header is there, but no hit. I have tested with value AS and AS*.

Any suggestions?

Regards

Mats

map DROP-PISA_ROLE header                                 
match protocol http header ROLE header-value *

policy DROP-PISA_ROLE
header-map DROP-PISA_ROLE
  
vserver V180091                
virtual 192.168.180.91 tcp www
slb-policy DROP-PISA_ROLE
serverfarm SFT780-21          
persistent rebalance          
domain test.drop.header       
inservice

CR10#vserver v180091 det                                                      
V180091, type = SLB, state = OPERATIONAL, v_index = 465                       
  virtual = 192.168.180.91/32:80 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4       
  max parse len = 2000, persist rebalance = TRUE                              
  ssl sticky offset = 0, length = 32                                          
  conns = 0, total conns = 9                                                  
  Domains:                                                                    
    test.drop.header                                                          
  Default policy:                                                             
    server farm = SFT780-21, backup =                           
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0                         
  Policy          Tot matches  Client pkts  Server pkts                       
  -----------------------------------------------------                       
  DROP-PISA_ROLE  0            5            6                                 
  (default)       9            161          237                              

Silver

Re: CSM:Drop connection when wrong http header

Hello Mats,

Sorry for that.  I overlooked something in the documentation.  The policy has to have a serverfarm associated with it.  So if you create a dummy serverfarm with some IP address that the CSM cannot reach, it should start working as expected.  See my modified example below:

!
map DROP-PISA_ROLE header
  match protocol http header ROLE header-value *
!
serverfarm DUMMY
  nat server
  no nat client
  real 1.1.1.1
   inservice

!
serverfarm WEB
  nat server
  nat client NAT
  real 10.10.10.211
   inservice
  real 10.10.10.212
   inservice
  probe TCP
!
policy DROP-PISA_ROLE
  header-map DROP-PISA_ROLE
  serverfarm DUMMY
!
vserver WEB
  virtual 192.168.180.91 tcp www
  serverfarm WEB
  persistent rebalance
  slb-policy DROP-PISA_ROLE
  domain test.drop.header
  inservice
!

Let me know if this does the trick for you.

Sean

New Member

Re: CSM:Drop connection when wrong http header

Hello Sean,

It did the trick. Great help from you.

Many thanks

Mats

Message was edited by: mruuth

Besides, how do I put in rating?
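
A check for the pitfall this thread ran into, as an added example that is not part of the original posts and not Cisco tooling: a small Python linter that flags any slb-policy whose policy has a header-map but no serverfarm (the first attempt above), or names a serverfarm that is never defined. It assumes the configuration is indented as in Sean's posts; the policy name DROP-NO-FARM and the function names are hypothetical.

```python
# Constructed sample: the thread's working policy plus a hypothetical
# DROP-NO-FARM policy that repeats the first attempt (no serverfarm).
SAMPLE = """\
map DROP-PISA_ROLE header
  match protocol http header ROLE header-value *
!
serverfarm DUMMY
  real 1.1.1.1
!
policy DROP-PISA_ROLE
  header-map DROP-PISA_ROLE
  serverfarm DUMMY
!
policy DROP-NO-FARM
  header-map DROP-PISA_ROLE
!
vserver WEB
  virtual 192.168.180.91 tcp www
  slb-policy DROP-PISA_ROLE
  slb-policy DROP-NO-FARM
  inservice
"""

def parse_blocks(config):
    """Group indented sub-commands under their top-level '<kind> <name>' line."""
    blocks, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if line[0].isspace():
            if current is not None:
                current.append(words)
        else:
            current = blocks.setdefault(tuple(words[:2]), []) if len(words) > 1 else None
    return blocks

def lint_drop_policies(config):
    """Flag slb-policies whose header-map has no defined serverfarm behind it."""
    blocks, findings = parse_blocks(config), []
    for (kind, vserver), cmds in blocks.items():
        for policy in (c[1] for c in cmds if kind == "vserver" and c[0] == "slb-policy"):
            body = blocks.get(("policy", policy), [])
            farms = [c[1] for c in body if c[0] == "serverfarm"]
            if any(c[0] == "header-map" for c in body) and not farms:
                findings.append((vserver, policy, "header-map without serverfarm"))
            findings += [(vserver, policy, "undefined serverfarm " + f)
                         for f in farms if ("serverfarm", f) not in blocks]
    return findings

print(lint_drop_policies(SAMPLE))
```

After a change, the "Tot matches" column for the policy in the vserver detail output shown earlier in the thread is the place to confirm that the header-map is actually being hit.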
