
New Member

HTTP and HTTPS on identical TCP port

Hi Experts,

   I am facing the following problem (some sort of proxy load balancing). The ACE should make the forwarding decision based on the following logic:

if scheme == https
{
   use serverpool A
}
else
{
   if host in url_list
   {
      use serverpool B
   }
   else
   {
      use serverpool C
   }
}

Well, the problem is that all traffic arrives on the VIP on the same TCP port, 8080.

I was thinking whether HTTP and HTTPS could be distinguished based on the first characters of the layer-4 payload (GET or POST), treating anything else as HTTPS. This can be carried out in GENERIC type class-maps.

The next step is the url_list matching, which could be done in type HTTP class-maps (url_list consists of approx. 20 lines).

The problem I see is that I cannot nest two different L7 class-map types.

Could it work if I use only generic type class-maps and try to match the URLs within the HTTP header with a layer-4-payload regexp? How far does the ACE read, starting from the offset, for regexp matching in the L4 payload?

Does anyone have any idea?

Thanks, and regards:

jonagy

2 REPLIES
New Member

HTTP and HTTPS on identical TCP port

The generic class-map way doesn't work:

class-map type generic match-any CLASS7-HTTP
  10 match layer4-payload regex GET
  20 match layer4-payload regex POST
class-map type generic match-any CLASS7-URL
  10 match layer4-payload regex cisco[.]com
  20 match layer4-payload regex google[.]com
class-map type generic match-all CLASS7-HTTP+URL
  10 match class-map CLASS7-HTTP
  20 match class-map CLASS7-URL

results in:

Error: Multiple match layer4-payload cmds are invalid for match-all class-map

as it is written in the guide as well.

Any idea?

regards:

jonagy

Bronze

HTTP and HTTPS on identical TCP port

Hi Jonagy,

It can be done, but a little differently from what you presented:

- If HTTP then use pool A
- If HTTPS or "else" use pool B

You can do something like:

class-map match-any cc
  2 match virtual-address 10.10.10.10 eq any
class-map type http loadbalance match-any HTTP
  match http url .*
policy-map type loadbalance first-match Proxy
  class HTTP
    serverfarm HTTP
  class class-default
    serverfarm HTTPS

This should match any HTTP request with any URL (.* is a wildcard); when the ACE can't read the L5 payload because of HTTPS encryption, the traffic would be sent to class-default.

HTH


Pablo
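Added example, not part of the original thread or of any Cisco ACE code: the decision logic from the original post (HTTPS to pool A, listed hosts to pool B, everything else to pool C), applied to the first bytes of a connection the way a generic class-map or Pablo's first-match policy would see them. HTTPS is recognised by the TLS record header and the ClientHello handshake type rather than by "anything that is not GET or POST", the request line is anchored at offset 0 instead of matched anywhere in the payload, and the host is taken from the Host header or, for proxy-style requests, from the absolute URI on the request line. The pool names, the two-entry host list (taken from the regexes in the first reply) and the sample payloads are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Host list standing in for the poster's url_list; the two names are the ones
# used in the first reply's regexes. Constructed for this example.
URL_LIST = {"cisco.com", "google.com"}

# Methods accepted on the request line (the post only mentions GET and POST).
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"TRACE", b"CONNECT"}

# Anchored at offset 0 of the TCP payload: method, request-target, version.
REQUEST_LINE = re.compile(rb"\A([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the payload starts with a TLS record carrying a ClientHello."""
    # Record header: content type 0x16 (handshake), version 0x03xx
    # (SSLv3 .. TLS 1.3 record versions), 2-byte length; the handshake
    # message type follows at byte 5 and is 0x01 for ClientHello.
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04
            and payload[5] == 0x01)


def _strip_port(host: str) -> str:
    """Drop a trailing :port, handling bracketed IPv6 literals."""
    if host.startswith("["):
        end = host.find("]")
        return host[1:end] if end > 0 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def http_host(payload: bytes):
    """Return the lower-cased host of a plaintext HTTP request, or None."""
    m = REQUEST_LINE.match(payload)
    if not m or m.group(1) not in HTTP_METHODS:
        return None
    target = m.group(2).decode("ascii", "replace")
    # Proxy-style requests carry an absolute URI on the request line;
    # urlsplit().hostname is already lower-cased and port-free.
    if target.startswith(("http://", "https://")):
        hostname = urlsplit(target).hostname
        if hostname:
            return hostname
    # Otherwise look for a Host header; the header block ends at CRLF CRLF.
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return _strip_port(value.strip().decode("ascii", "replace").lower())
    return None


def in_url_list(host: str) -> bool:
    """Exact match or subdomain of a listed host (www.cisco.com matches cisco.com),
    mirroring what the substring regex cisco[.]com would have accepted."""
    return any(host == h or host.endswith("." + h) for h in URL_LIST)


def choose_serverpool(payload: bytes) -> str:
    """Apply the decision from the original post to the first bytes of a connection."""
    if is_tls_client_hello(payload):
        return "A"          # scheme == https
    host = http_host(payload)
    if host is None:
        return "A"          # not a plaintext HTTP request: treated as HTTPS, as the post proposes
    return "B" if in_url_list(host) else "C"


if __name__ == "__main__":
    # Constructed sample payloads: a TLS ClientHello prefix and three HTTP requests.
    samples = [
        b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 16,
        b"GET /index.html HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n",
        b"POST /api HTTP/1.1\r\nHost: example.org:8080\r\n\r\n",
        b"GET http://google.com/search?q=x HTTP/1.0\r\nUser-Agent: x\r\n\r\n",
    ]
    for s in samples:
        print(choose_serverpool(s), s[:24])
```

The check only ever looks at the first segment of the connection, which is also all a payload regex on a load balancer sees; a request whose Host header arrives in a later segment would fall through to the "else" pool, so the header-parsing path is the one worth testing against real traffic before relying on it.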
