04-12-2010 07:45 AM
Currently we have 1 external IP that various customers use.
They enter
example.com/customer1
example.com/customer2
and they get directed to rservers. Here is the config:
class-map match-all WEB-VIP
  2 match virtual-address 172.20.100.131 tcp eq https
class WEB-VIP
  loadbalance vip inservice
  loadbalance policy WEB-POLICY
  loadbalance vip icmp-reply active
policy-map type loadbalance first-match WEB-POLICY
  class class-default
    sticky-serverfarm WEB_cookie
    action urlrewrite
class WEB-VIP
  loadbalance vip inservice
  loadbalance policy WEB-POLICY
  loadbalance vip icmp-reply active
sticky http-cookie WEB_cookie WEB_cookie
  cookie insert
  replicate sticky
  serverfarm WEB
serverfarm host WEB
  rserver prdwccweb01 443
    inservice
  rserver prdwccweb02 443
    probe probe_service_https
    inservice
rserver host prdwccweb01
  ip address 172.20.111.131
  probe probe_service_icmp
  inservice
rserver host prdwccweb02
  ip address 172.20.111.132
  probe probe_service_icmp
However, we are adding a new customer, example.com/customernew, and we want them directed to a new serverfarm/rservers.
How would I implement this without impacting current customers 1 and 2?
I can't add a new VIP since the external IP gets directly NAT'd to the VIP ("2 match virtual-address 172.20.100.131 tcp eq https" in the class map).
04-13-2010 10:17 AM
Hello,
This can be done, though it will require some changes to the way you load balance your HTTPS connections. Right now, since all connections regardless of customer are load balanced to the same serverfarm, you can simply load balance the HTTPS traffic at layer 4 without looking at the URL. However, since the new customer must be load balanced to the new serverfarm, you will need to have the ACE terminate the HTTPS connection, so it can decrypt the HTTP header and look at the URL so it can send the connection to the correct serverfarm. It can then re-encrypt the backend connection into HTTPS to the rserver. The config would look something like this. I've highlighted the new parts in blue.
rserver host prdwccweb01
  ip address 172.20.111.131
  probe probe_service_icmp
  inservice
rserver host prdwccweb02
  ip address 172.20.111.132
  probe probe_service_icmp
  inservice
rserver host NEW_SERVER_01
  ip address 172.20.2.131
  probe probe_service_icmp
  inservice
rserver host NEW_SERVER_02
  ip address 172.20.2.132
  probe probe_service_icmp
  inservice
ssl-proxy service SSL-SERVER
  key server.key
  cert server.cer
ssl-proxy service SSL-CLIENT
serverfarm host WEB
  probe probe_service_https
  rserver prdwccweb01 443
    inservice
  rserver prdwccweb02 443
    inservice
serverfarm host WEB_2
  probe probe_service_https
  rserver NEW_SERVER_01 443
    inservice
  rserver NEW_SERVER_02 443
    inservice
sticky http-cookie WEB_cookie WEB_cookie
  cookie insert
  replicate sticky
  serverfarm WEB
sticky http-cookie WEB_cookie WEB_cookie_2
  cookie insert
  replicate sticky
  serverfarm WEB_2
class-map match-all WEB-VIP
  2 match virtual-address 172.20.100.131 tcp eq https
class-map type http loadbalance match-any CUSTOMER_NEW
  2 match http url /customernew
policy-map type loadbalance first-match WEB-POLICY
  class CUSTOMER_NEW
    sticky-serverfarm WEB_cookie_2
    action urlrewrite
    ssl-proxy client SSL-CLIENT
  class class-default
    sticky-serverfarm WEB_cookie
    action urlrewrite
    ssl-proxy client SSL-CLIENT
policy-map multi-match WEB-POLICY
  class WEB-VIP
    loadbalance vip inservice
    loadbalance policy WEB-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-SERVER
In the above config, the ACE will terminate SSL, and look for the /customernew URL. If it is there, it will send the connection to the new serverfarm. All other connections will be sent to the existing serverfarm. All connections between the clients and the ACE, and between the ACE and the rservers will be in HTTPS.
Hope this helps,
Sean
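A pre-change cross-reference check for a config like the one in this thread, as an added example that is not part of the original posts and not a Cisco tool: it reports serverfarm members listed twice, rservers defined but never placed in a serverfarm, and serverfarms or sticky groups that are referenced but not defined. The function name lint, the keyword-based parsing (a simplification of the ACE syntax) and the sample config are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample in the shape of the config above. The second WEB_2 member
# repeats NEW_SERVER_01 on purpose, and sticky group WEB_cookie is left undefined.
SAMPLE = """\
rserver host NEW_SERVER_01
rserver host NEW_SERVER_02
serverfarm host WEB_2
  rserver NEW_SERVER_01 443
  rserver NEW_SERVER_01 443
sticky http-cookie WEB_cookie WEB_cookie_2
  serverfarm WEB_2
policy-map type loadbalance first-match WEB-POLICY
  class CUSTOMER_NEW
    sticky-serverfarm WEB_cookie_2
  class class-default
    sticky-serverfarm WEB_cookie
"""

def lint(config):
    """Return sorted findings about names that are repeated, unused or undefined."""
    rservers, farms, stickies = set(), set(), set()
    farm_refs, sticky_refs = set(), set()
    members = Counter()   # (serverfarm, rserver) -> number of times listed
    farm = None           # serverfarm block most recently opened
    for tok in filter(None, (line.split() for line in config.splitlines())):
        if tok[:2] == ["rserver", "host"]:       # rserver definition
            rservers.add(tok[2])
        elif tok[:2] == ["serverfarm", "host"]:  # serverfarm definition
            farm = tok[2]
            farms.add(farm)
        elif tok[0] == "rserver":                # member line inside a serverfarm
            members[(farm, tok[1])] += 1
        elif tok[0] == "sticky":                 # sticky group, group name is last
            stickies.add(tok[-1])
        elif tok[0] == "serverfarm":             # reference from sticky group or class
            farm_refs.add(tok[1])
        elif tok[0] == "sticky-serverfarm":      # reference from a policy class
            sticky_refs.add(tok[1])
    used = {r for _, r in members}
    out = [f"{f}: rserver {r} listed {n} times" for (f, r), n in members.items() if n > 1]
    out += [f"rserver {r} defined but in no serverfarm" for r in rservers - used]
    out += [f"{f}: rserver {r} not defined" for f, r in members if r not in rservers]
    out += [f"serverfarm {f} referenced but not defined" for f in farm_refs - farms]
    out += [f"sticky group {s} referenced but not defined" for s in sticky_refs - stickies]
    return sorted(out)

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Because the parsing keys on keywords rather than indentation, it also works on a config pasted with its leading whitespace stripped.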