cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
336
Views
0
Helpful
1
Replies

Redirecting url from same VIP to diff rservers

nygenxny123
Level 1
Level 1

currently we have 1 external IP that various customers use

they enter

example.com/customer1

example.com/customer2

and they get directed to rservers...here is the config

class-map match-all WEB-VIP
  2 match virtual-address 172.20.100.131 tcp eq https


class WEB-VIP
    loadbalance vip inservice
    loadbalance policy WEB-POLICY
    loadbalance vip icmp-reply active


policy-map type loadbalance first-match WEB-POLICY
  class class-default
    sticky-serverfarm WEB_cookie
    action urlrewrite


class WEB-VIP
    loadbalance vip inservice
    loadbalance policy WEB-POLICY
    loadbalance vip icmp-reply active


sticky http-cookie WEB_cookie WEB_cookie
  cookie insert
  replicate sticky
  serverfarm WEB

serverfarm host WEB
rserver prdwccweb01 443
    inservice
  rserver prdwccweb02 443
    probe probe_service_https
    inservice

rserver host prdwccweb01
  ip address 172.20.111.131
  probe probe_service_icmp
  inservice
rserver host prdwccweb02
  ip address 172.20.111.132
  probe probe_service_icmp

However, we are adding a new customer......example.com/customernew and we want them directed to a new serverfarm/rservers

how would i implement this without impacting current customers 1 and 2?

I cant add a new VIP since the external IP gets directly NAT'd to the vip   2 match virtual-address 172.20.100.131 tcp eq https

in the class map

1 Reply 1

Sean Merrow
Level 4
Level 4

Hello,

This can be done, though it will require some changes to the way you load balance your HTTPS connections.  Right now, since all connections regardless of customer are load balanced to the same serverfarm, then you can simply load balance the HTTPS traffic at layer 4 without looking at the URL.  However, since the new customer must be load balanced to the new serverfarm, you will need to have the ACE terminate the HTTPS connection, so it can decrypte the HTTP header and look at the URL so it can send the connection to the correct serverfarm.  It can then re-encrypt the backend connection into HTTPS to the rserver.  The config would look something like this.  I've highlighted the new parts in blue.


rserver host prdwccweb01
  ip address 172.20.111.131
  probe probe_service_icmp
  inservice
rserver host prdwccweb02
  ip address 172.20.111.132
  probe probe_service_icmp
  inservice

rserver host NEW_SERVER_01
  ip address 172.20.2.131
  probe probe_service_icmp
  inservice
rserver host NEW_SERVER_02
  ip address 172.20.2.132
  probe probe_service_icmp
  inservice

ssl-proxy service SSL-SERVER
  key server.key
  cert server.cer

ssl-proxy service SSL-CLIENT

serverfarm host WEB
  probe probe_service_https
  rserver prdwccweb01 443
    inservice
  rserver prdwccweb02 443
    inservice

serverfarm host WEB_2
  probe probe_service_https
  rserver NEW_SERVER_01 443
    inservice
  rserver NEW_SERVER_01 443
    inservice

sticky http-cookie WEB_cookie WEB_cookie
  cookie insert
  replicate sticky
  serverfarm WEB

sticky http-cookie WEB_cookie WEB_cookie_2
  cookie insert
  replicate sticky
  serverfarm WEB_2


class-map match-all WEB-VIP
  2 match virtual-address 172.20.100.131 tcp eq https

class-map type http loadbalance match-any CUSTOMER_NEW
  2 match http url /customernew


policy-map type loadbalance first-match WEB-POLICY
  class CUSTOMER_NEW
    sticky-serverfarm WEB_cookie_2
    action urlrewrite
    ssl-proxy client SSL-CLIENT

  class class-default
    sticky-serverfarm WEB_cookie
    action urlrewrite
   ssl-proxy client SSL-CLIENT


policy-map multi-match WEB-POLICY
  class WEB-VIP
    loadbalance vip inservice
    loadbalance policy WEB-POLICY
    loadbalance vip icmp-reply active
   ssl-proxy server SSL-SERVER

In the above config, the ACE will terminate SSL, and look for the /customernew URL.  If it is there, it will send the connection to the new serverfarm.  All other connections will be sent to the existing serverfarm.  All connections between the clients and the ACE, and between the ACE and the rservers will be in HTTPS.

Hope this helps,

Sean


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: