05-28-2004 09:26 AM
Hi,
Is it possible to configure the CSM to accept http and https on the same serverfarm?
We host a website that automatically changes to an https site.
I tried to configure the CSM, but only http or https is working, but not both at the same time.
Is there someone with some tips for me ?
Kind regards
05-30-2004 12:12 PM
the serverfarm can be used with different server.
Your problem could be the switch from http to https.
You need to guarantee stickiness, with sticky source ip for example.
Give us your vserver and serverfarm config if you still need help.
Gilles.
05-31-2004 11:33 PM
Gilles,
Thanks for helping me out.
I've two configs. The first works well with http and the second works well with https. But both at the same time is the problem.
Customers connect with http to the web page and there is an automatic redirection to https.
HTTP config
module ContentSwitchingModule 7
 ft group 10 vlan 130
  priority 100
  preempt
!
 vlan 120 server
  ip address 192.168.254.50 255.255.255.0
  alias 192.168.254.254 255.255.255.0
!
 vlan 110 client
  ip address 172.30.0.50 255.255.255.0
  gateway 172.30.0.254
!
 serverfarm ICHAIN-SERVERS
  nat server
  no nat client
  predictor leastconns
  real 192.168.254.1
   inservice
  real 192.168.254.2
   inservice
!
 serverfarm SERVERS-REAL
  nat server
  no nat client
  predictor forward
!
 sticky 10 cookie STICKY timeout 20
!
 vserver DIRECT-ACCESS
  virtual 192.168.254.0 255.255.255.0 any
  serverfarm SERVERS-REAL
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
!
 vserver ICHAIN
  virtual 172.30.0.250 any
  serverfarm ICHAIN-SERVERS
  sticky 20 group 10
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
!
!
**************************************************
HTTPS configuration
module ContentSwitchingModule 7
 ft group 10 vlan 130
  priority 200
  preempt
!
 vlan 120 server
  ip address 192.168.254.40 255.255.255.0
  alias 192.168.254.254 255.255.255.0
!
 vlan 110 client
  ip address 172.30.0.40 255.255.255.0
  gateway 172.30.0.254
!
 serverfarm ICHAIN-SERVERS
  nat server
  no nat client
  predictor leastconns
  real 192.168.254.1 443
   inservice
  real 192.168.254.2 443
   inservice
!
 serverfarm SERVERS-REAL
  nat server
  no nat client
  predictor forward
!
 sticky 10 cookie STICKY timeout 20
!
 sticky 20 ssl timeout 50
!
 vserver DIRECT-ACCESS
  virtual 192.168.254.0 255.255.255.0 any
  serverfarm SERVERS-REAL
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
!
 vserver ICHAIN
  virtual 172.30.0.250 tcp https
  serverfarm ICHAIN-SERVERS
  sticky 50 group 20
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
I hope this is clear for you.
We have two 6509 both with the same CSM module for failover.
Kind regards,
Edwin Gerritsen
!
06-01-2004 12:28 AM
Hi Edwin,
as Gilles wrote, it seems as if you lose the stickiness when moving from HTTP to HTTPS. I'm not sure if your application supports a possible move from HTTP to HTTPS. In the second config the http vserver is missing. I guess you won't be able to access the ICHAIN webpage per HTTP in the scenario with the 2nd config, right?
You have to add another vserver like
vserver ICHAIN_http
 virtual 172.30.0.250 tcp www
 serverfarm ICHAIN-SERVERS
 sticky 20 group 10 (if the above is not a problem else you should use in both Layer3-Client-stickiness)
 replicate ...
 and so on...
 inservice
In my opinion in the 1st config the sticky rule is a problem, as the CSM could not check for cookies in HTTPS connections. Guess this confuses the CSM a bit and therefore HTTPS is not working. .oO(just my thoughts)
Hope that helps.
Kind regards,
Joerg
06-01-2004 10:11 AM
Joerg,
Thanks for helping me out.
I tried both solutions you provided. First, in the http config I changed the sticky, and https is now working but without http.
This is the new config:
spanning-tree vlan 100 priority 16384
module ContentSwitchingModule 7
 ft group 10 vlan 130
  priority 100
  preempt
!
 vlan 120 server
  ip address 192.168.254.50 255.255.255.0
  alias 192.168.254.254 255.255.255.0
!
 vlan 110 client
  ip address 172.30.0.50 255.255.255.0
  gateway 172.30.0.254
!
 serverfarm ICHAIN-SERVERS
  nat server
  no nat client
  predictor leastconns
  real 192.168.254.1
   inservice
  real 192.168.254.2
   inservice
!
 serverfarm SERVERS-REAL
  nat server
  no nat client
  predictor forward
!
 sticky 10 cookie STICKY timeout 20
!
 sticky 20 ssl timeout 50
!
 vserver DIRECT-ACCESS
  virtual 192.168.254.0 255.255.255.0 any
  serverfarm SERVERS-REAL
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
!
 vserver ICHAIN
  virtual 172.30.0.250 any
  serverfarm ICHAIN-SERVERS
  sticky 50 group 20
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
!
!
Kind regards,
Edwin Gerritsen
06-02-2004 01:33 AM
Hi Edwin,
did you take a sniffer trace in VLAN 110/120 and check what is going wrong with http?
Is the http request reaching the reals or is it dropped?
If it is dropped give it a try with the following changes:
sticky 30 netmask 255.255.255.255 address source timeout 20
and
VSERVER ICHAIN
 no sticky 50 group 20
 sticky 20 group 30
I want to find out if the SSL-stickiness confuses the CSM so that it does not know what to do if non-SSL traffic reaches this VSERVER.
Kind Regards,
Joerg
06-02-2004 04:05 AM
Joerg,
Thanks for helping, you found the solution for my problem. Everything works fine now.
Can you explain what the function is for this statement ?
sticky 30 netmask 255.255.255.255 address source timeout 20
Kind regards
Edwin Gerritsen
06-02-2004 07:09 AM
Hi Edwin,
no problem at all:
this does a per-client IP stickiness with a timeout of 20 minutes.
Kind Regards,
Joerg Foerster
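
The per-client IP stickiness described in this answer, as an added Python sketch (not part of the thread and not CSM code): a toy sticky table keyed on the masked source address only, showing why a client redirected from HTTP to HTTPS stays on the same real. The client addresses are constructed, and the idle-timer refresh and never-closing connections are simplifying assumptions.

```python
import ipaddress

REALS = ["192.168.254.1", "192.168.254.2"]  # reals of ICHAIN-SERVERS in the thread


class SourceIpSticky:
    """Toy model of: sticky 30 netmask <mask> address source timeout <minutes>."""

    def __init__(self, netmask="255.255.255.255", timeout_min=20, enabled=True):
        self.mask = int(ipaddress.IPv4Address(netmask))
        self.timeout = timeout_min * 60          # seconds
        self.enabled = enabled                   # False = vserver without sticky
        self.table = {}                          # masked source IP -> (real, last_seen)
        self.conns = dict.fromkeys(REALS, 0)     # connections handed to each real

    def pick(self, client_ip, dst_port, now):
        # The key is the masked source address only. dst_port (80 or 443) is
        # deliberately not part of it, so HTTP and HTTPS share one entry.
        key = int(ipaddress.IPv4Address(client_ip)) & self.mask
        entry = self.table.get(key) if self.enabled else None
        if entry and now - entry[1] <= self.timeout:
            real = entry[0]                      # sticky hit: reuse the same real
        else:
            real = min(REALS, key=self.conns.get)  # stand-in for predictor leastconns
        self.conns[real] += 1                    # assumption: connections never close
        self.table[key] = (real, now)            # assumption: timer refreshed per hit
        return real


def redirect_flow(lb, client_ip, gap_s=1):
    """HTTP request at t=0, then the HTTPS request that follows the redirect."""
    return lb.pick(client_ip, 80, 0), lb.pick(client_ip, 443, gap_s)


if __name__ == "__main__":
    print("sticky    :", redirect_flow(SourceIpSticky(), "10.0.0.5"))
    print("no sticky :", redirect_flow(SourceIpSticky(enabled=False), "10.0.0.5"))
    print("expired   :", redirect_flow(SourceIpSticky(), "10.0.0.5", gap_s=21 * 60))
```

With netmask 255.255.255.255 every client address gets its own entry; a shorter mask such as 255.255.255.0 makes all clients in that subnet share one entry and therefore one real.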