01-01-2005 11:12 PM
I am transitioning web sites that primarily use ssl to be offloaded with the ssl module. We have multiple web sites on a pair of load-balanced servers using the same VIP. We are parsing on the http host header to determine which site is being requested.
I would like to have the root page go through in clear text and all other pages of the web sites redirected to port 443.
I configured the following (summarized).
policy1
match url /
serverfarm www-farm
policy2
match header host www.example.com
serverfarm redirect-farm1 (https redirect)
policy3
match header host www.sample.com
serverfarm redirect-farm2 (https redirect)
vserver
ipadd 1.1.1.1 http www
policy1
policy2
policy3
What I saw happening was the home page connected in clear text like expected. Then using the same browser window, I added a subpage to the end of the url. This request also went through in cleartext. The csm stats didn't show any additional layer 7 policy matches for the non-root requests after the first root page request. However, the non-root pages were being accessed in clear text. I had to clear the connection in the CSM to get the non-root page to redirect to https after first requesting the root page. If I requested the non-root page without first requesting the root page, it was redirected to https.
I had previously configured policies using only url matching and it seemed to work properly (need to recheck this for peace of mind). The only reason I wanted to use both url and header matching was due to the fact that a single VIP serves multiple sites.
If combining url matching and header matching isn't possible, I will probably change the dns entries for the multiple sites, use a separate VIP, and use only url matching to achieve the desired functionality.
I would prefer not to change the DNS setup due to some of the pages on the server being parsed on the host header containing just the IP address. I appreciate any suggestions.
01-02-2005 12:32 AM
This should work.
Did you have 'persistent rebalance' enabled?
What are your redirect-farms?
Is it a CSM redirect or pointing to another server doing the redirect?
Finally, I don't know how many sites you have sharing the same ip but the CSM is very limited in the number of host matches it can do: max 6 to 10.
This is because of the small search tree memory.
You can do a 'sho mod csm x memory' to see if you reached the limit or not.
Therefore, I would strongly recommend to use 1 ip per domain name.
Regards,
Gilles.
01-02-2005 01:24 PM
Gilles,
Thanks for the reply!
I did not have persistent rebalance enabled. Would this feature being enabled force a policy check for every get request?
We have 3 or 4 sites sharing the same ip. I'll use the 'sho mod csm x memory' command to see if I am reaching the limit.
Thanks again.
01-02-2005 01:27 PM
I missed answering one of your questions. The redirect-farm is a CSM redirect not a real server doing a redirect.
Thank you,
Mark
01-02-2005 05:12 PM
Gilles,
I did some more research on the 'persistent rebalance' command. It is enabled by default for vservers with L7 policies applied so that each get request will be checked against the policies. I must have disabled it when configuring the vserver.
I'm sure this is why my config did not work correctly. If you don't hear from me, you'll know it was.
Thank you for taking the time to answer my question!
Mark
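The behaviour discussed in this thread, as an added example that is not part of any post and is not CSM code: a local Python model of an L7 balancer that evaluates its policy either once per connection or on every GET, plus a probe that sends several requests over one keep-alive connection. The function names and the paths /account and /orders are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def make_handler(rebalance):
    """Toy L7 balancer (a model, not CSM code): '/' is served in clear, the rest redirects."""
    class Balancer(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"  # keep-alive: one TCP connection carries several GETs
        first_choice = None            # policy chosen by the first GET on this connection

        def do_GET(self):
            choice = "clear" if self.path == "/" else "redirect"
            if not rebalance:          # without rebalance the first decision sticks
                if self.first_choice is None:
                    self.first_choice = choice
                choice = self.first_choice
            body = b"cleartext page\n" if choice == "clear" else b""
            self.send_response(200 if choice == "clear" else 302)
            if choice == "redirect":
                self.send_header("Location", "https://" + self.headers["Host"] + self.path)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args): pass  # keep the demo quiet
    return Balancer

def probe_one_connection(host, port, site, paths):
    """Send every path over a single keep-alive connection, as one browser window would."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    results = []
    for path in paths:
        conn.request("GET", path, headers={"Host": site})
        resp = conn.getresponse()
        resp.read()                    # drain the body so the connection is reused
        results.append((path, resp.status, resp.getheader("Location")))
    conn.close()
    return results

def cleartext_leaks(results):
    """Non-root paths that were not answered with a redirect to https."""
    return [p for p, status, loc in results
            if p != "/" and not (status in (301, 302) and (loc or "").startswith("https://"))]

def run_demo(rebalance, paths=("/", "/account", "/orders")):  # constructed sample paths
    with ThreadingHTTPServer(("127.0.0.1", 0), make_handler(rebalance)) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return probe_one_connection("127.0.0.1", server.server_port, "www.example.com", paths)
        finally:
            server.shutdown()
```

`cleartext_leaks(run_demo(False))` lists the non-root paths that stayed in clear text, and `cleartext_leaks(run_demo(True))` returns an empty list. `probe_one_connection` can be pointed at a real VIP to confirm the redirect holds on a reused connection.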
01-06-2005 02:42 PM
Gilles,
The 'persistent rebalance' did the trick.
Thanks,
Mark
01-07-2005 01:20 AM
Mark,
Glad to hear you have everything ok.
May I ask you to rate the post so other people can quickly identify discussions with valid content.
Thanks,
Gilles.