topic Re: Advanced Loadbalancing Decisions in Application Networking

Advanced Loadbalancing Decisions

lou_young — Fri, 26 Sep 2008 17:08:52 GMT

I have some requirements from my app developers that are puzzling me. I'm not sure the ACE can do what I want, but with the flexibility of the policy and class maps I'm thinking there has to be a way.

I have a VIP that is used for two different server farms. If a user goes to the general URI http://mainwebserver.com they go to the main web serverfarm. However, if they go to http://mainwebserver.com/internal they will go to a different serverfarm.

I have this set up and working right now. Easy.

However, my application guys want to use the ACE enforce certain policies with regard to request METHODs and actions.

Example, if the user is doing a POST and they go to the mainwebserver.com URL with /internal/ and then /makechange in the URL, then they have to be using SSL. In other words, if they go to http://mainwebserver.com/internal/stuff/blah/makechange with the POST method and are coming via HTTP (as opposed to HTTPS), then I need to reject the call. If they aren't POSTing, or aren't going to /makechange, then it doesn't matter if they are using HTTP or HTTPS.

Can anyone come up with a way to accomplish this task?

Oh yeah, it's also not only /makechange, but also /getchanges combined with a POST method, that would require SSL.

Let me know if anyone needs further clarification. It looks like a fun puzzle, so have it.

Thanks!

Re: Advanced Loadbalancing Decisions

Syed Iftekhar Ahmed — Fri, 26 Sep 2008 17:53:07 GMT

With HTTP Inspection you can look for HTTP methods and Request urls and can reset the client conns if there is a match.

Something in lines with

class-map type http inspect match-all xyz

match request-method rfc post

match url

policy-map type inspect http all-match HTTP_INSPECT_L7POLICY

class xyz

reset

Syed

Re: Advanced Loadbalancing Decisions

lou_young — Fri, 26 Sep 2008 18:58:48 GMT

I was thinking that the way to go would be with an INSPECT policy. But I wasn't sure how to implement it. Assuming I have a service policy of:

policy-map multi-match PM-BasicVIPs

class CM-webserver

loadbalance vip inservice

loadbalance policy PM-L7-webserver

loadbalance vip icmp-reply

inspect http policy PM-L7-Inspect-webserver

Would the policy action on the inspect portion and reset the connection or will it action on the loadbalance portion and service the request?

Also, the policy PM-L7-webserver is the one analyzing the URI and pushing the user to one of two serverfarms. I don't think that'll matter since the inspect class is doing the same check in the URI.

Thoughts?

Re: Advanced Loadbalancing Decisions

Syed Iftekhar Ahmed — Fri, 26 Sep 2008 22:55:08 GMT

As per the ACE policy order Server Loadbalancing will happen first and then Inspection will take place.

Something like this should do

class-map type http inspect match-any BLOCK-HTTP

match request-method rfc post

match url

class match-all ALLOW-HTTP

match port tcp eq http

policy-map type inspect HTTP first-match PM-L7-Inspect-webserver

class BLOCK-HTTP

reset

class ALLOW-HTTP

permit

policy-map multi-match PM-BasicVIPs

class CM-webserver

loadbalance vip inservice

loadbalance policy PM-L7-webserver

loadbalance vip icmp-reply

inspect http policy PM-L7-Inspect-webserver

Try it in a test environment first.

Syed

Re: Advanced Loadbalancing Decisions

lou_young — Mon, 29 Sep 2008 19:40:24 GMT

I implemented this last Friday afternoon, and while it took some tweaking on the RegEx to get the URL match correct, it seems to be working to reset the connections for the various scenario's the app guys are throwing at me.

Thanks for your help!