CSM:Drop connection when wrong http header

mruuth
Level 1

Hi All,

My security people want me to drop connections if an HTTP header, like PISA_ID, is coming from a client. I don't need to look into the header, just drop the connection if the header is there. Any suggestion to solve this will be welcome. I am running version 4.2.7

Regards

Mats


Sean Merrow
Level 4

Hello Mats,

The CSM can do this.  You would need to configure a map to look for the header, then call out that map in a policy.  If a policy does not have a serverfarm associated with it, it will not load balance the connection.  In my example below, connections with the PISA_ID header will not be load balanced, but connections without it will be load balanced to the default serverfarm specified under the vserver.

!
map DROP-PISA_ID header
  match protocol http header PISA_ID header-value *
!
serverfarm WEB-SERVERS
  nat server
  no nat client
  real 10.20.5.66
   inservice
  real 10.20.5.67
   inservice
  probe HTTP
!
policy DROP-HEADERS
  header-map DROP-PISA_ID
!
vserver WEBSITE
  virtual 10.253.15.100 tcp www
  persistent rebalance
  slb-policy DROP-HEADERS
  serverfarm WEB-SERVERS
  inservice
!

You should check out the documentation on maps, policies, and header parsing for more details.

Hope this helps,

Sean

smerrow (2010-02-24 15:41): A new message was posted in the discussion thread "CSM:Drop connection when wrong http header": https://supportforums.cisco.com/message/3024592#3024592 (Author: Sean Merrow, Profile: https://supportforums.cisco.com/people/smerrow)

Hello Sean,

Thank you for your fast reply. Your "parameter header-value *" solved my problem, because I just want to check the header and not the content. I shall now implement and test.

Regards

Mats


Hello Sean,

I have tested, but it does not work. I see with a sniffer that the header is there, but there is no hit. I have tested with the values AS and AS*.

Any suggestions?

Regards

Mats

map DROP-PISA_ROLE header
  match protocol http header ROLE header-value *

policy DROP-PISA_ROLE
  header-map DROP-PISA_ROLE

vserver V180091
  virtual 192.168.180.91 tcp www
  slb-policy DROP-PISA_ROLE
  serverfarm SFT780-21
  persistent rebalance
  domain test.drop.header
  inservice

CR10#vserver v180091 det
V180091, type = SLB, state = OPERATIONAL, v_index = 465
  virtual = 192.168.180.91/32:80 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 9
  Domains:
    test.drop.header
  Default policy:
    server farm = SFT780-21, backup =
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  DROP-PISA_ROLE  0            5            6
  (default)       9            161          237

Accepted Solution

Hello Mats,

Sorry for that.  I overlooked something in the documentation.  The policy has to have a serverfarm associated with it.  So if you create a dummy serverfarm with some IP address that the CSM cannot reach, it should start working as expected.  See my modified example below:

!
map DROP-PISA_ROLE header
  match protocol http header ROLE header-value *
!
serverfarm DUMMY
  nat server
  no nat client
  real 1.1.1.1
   inservice

!
serverfarm WEB
  nat server
  nat client NAT
  real 10.10.10.211
   inservice
  real 10.10.10.212
   inservice
  probe TCP
!
policy DROP-PISA_ROLE
  header-map DROP-PISA_ROLE
  serverfarm DUMMY
!
vserver WEB
  virtual 192.168.180.91 tcp www
  serverfarm WEB
  persistent rebalance
  slb-policy DROP-PISA_ROLE
  domain test.drop.header
  inservice
!

Let me know if this does the trick for you.

Sean
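A small verification helper, added here as an example and not part of this thread or of any Cisco tooling, for checking a configuration like the one above from the client side. It builds requests with and without the marker header, checks whether the header falls inside the parse window the CSM reports for the vserver ("max parse len = 2000" in the show output above, taken as the default here), and can probe the VIP to see whether requests carrying the header are answered, reset, or left hanging against the unreachable dummy serverfarm. The VIP, host and header name in the usage block are the values from the thread's example config; the case-insensitive name comparison follows HTTP itself, and whether the CSM map compares case-insensitively is not stated on the page, so both spellings are worth sending to the VIP.

```python
"""Client-side check for a CSM header-map policy (added example, not the thread's own code).

Assumptions (not stated on the page): header names compare case-insensitively, and
a header beyond the vserver parse window is invisible to the map. Verify both
against the real VIP with probe_vip().
"""
import socket

DEFAULT_PARSE_LEN = 2000  # "max parse len = 2000" from the show vserver output in the thread


def build_request(host, path="/", extra_headers=None):
    """Return a minimal HTTP/1.1 GET request as bytes, with optional extra headers."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def header_present(raw_request, name, parse_len=DEFAULT_PARSE_LEN):
    """True if header `name` is a complete header line within the first parse_len bytes.

    Mirrors the 'header-value *' semantics from the thread: presence only, any value.
    Only header lines that end inside the parse window count; a line cut off by the
    window is ignored, which is the conservative reading of a parse-length limit.
    """
    window = raw_request[:parse_len]
    head, terminated, _ = window.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not terminated:
        lines = lines[:-1]  # last line was truncated by the parse window; ignore it
    wanted = name.strip().lower().encode("ascii")
    for line in lines[1:]:  # skip the request line
        field_name, sep, _ = line.partition(b":")
        if sep and field_name.strip().lower() == wanted:
            return True
    return False


def probe_vip(vip, port, raw_request, timeout=5.0):
    """Send raw_request to vip:port and classify the outcome.

    Returns 'response' (the serverfarm answered), 'closed' (clean FIN with no data),
    'reset' or 'timeout'. With a policy bound to an unreachable dummy serverfarm, as
    in the accepted answer, requests carrying the header are expected to end up as
    'timeout' or 'reset', and requests without it as 'response'.
    """
    with socket.create_connection((vip, port), timeout=timeout) as s:
        s.sendall(raw_request)
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "timeout"
        except ConnectionResetError:
            return "reset"
    return "response" if data else "closed"


def check_policy(vip, port, host, header_name, header_value="AS"):
    """Probe the VIP once without and once with the marker header; return both outcomes."""
    plain = build_request(host)
    marked = build_request(host, extra_headers={header_name: header_value})
    return {
        "without_header": probe_vip(vip, port, plain),
        "with_header": probe_vip(vip, port, marked),
    }


if __name__ == "__main__":
    # Values from the thread's example config; replace with your own VIP and header.
    print(check_policy("192.168.180.91", 80, "test.drop.header", "ROLE"))
```

Run it from a client on the VIP's network; a correct policy shows `without_header` as `response` and `with_header` as `timeout` or `reset`. If both come back `response`, compare `header_present()` on the exact bytes your client sends against the parse length reported by `show vserver ... detail` before suspecting the map itself.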

Hello Sean,

It did the trick. Great help from you.

Many thanks

Mats

Besides, how do I put in a rating?

(Message was edited by: mruuth)
