I am transitioning web sites that primarily use ssl to be offloaded with the ssl module. we have multiple web sites on a pair of load-balanced servers using the same VIP. We are parsing on the http host header to determine which site is being requested.
I would like to have the root page go through in clear text and all other pages of the web sites redirected to port 443.
I configured the following (summarized).
match url /
match header host www.example.com
serverfarm redirect-farm1 (https redirect)
match header host www.sample.com
serverfarm redirect-farm2 (https redirect)
ipadd 184.108.40.206 http www
What I saw happening was the home page connected in clear text like expected. Then using the same browser window, I added a subpage to the end of the url. This request also went through in cleartext. The csm stats didn't show any additional layer 7 policy matches for the non-root requests after the first root page request. However, the non-root pages were being accessed in clear text. I had to clear the connection in the CSM to get the non-root page to redirect to https after first requesting the root page. If I requested the the non-root page without first requesting the root page, it was redirected to https.
I had previously configured policies using only url matching and it seemed to work properly (need to recheck this for peice of mind). The only reason I wanted to use both url and header matching was due to the fact that a single VIP serves multiple sites.
If combining url matching and header matching isn't possible, I will probably change the dns entries for the multilple sites, use a separate VIP, and use only url matching to achieve the desired functionality.
I would prefer not to change the DNS setup due to some of the pages on the server being parsed on the host header containing just the IP address. I appreciate any suggestions.
this should work.
Did you have 'persistent rebalance' enable ?
What are your redirect-farm ?
Is it a CSM redirect or pointing to another server doing the redirect ?
Finally, I don't know how many sites you have sharing the same ip but the CSM is very limited in the number of host matching it can do max 6 to 10.
This is because of the small search tree memory.
You can do a 'sho mod csm x memory' to see if you reached the limit or not.
Therefore, I would strongly recommend to use 1 ip per domain name.
Thanks for the reply!
I did not have persistent rebalance enabled. Would this feature being enabled force a policy check for every get request?
We have 3 or 4 sites sharing the same ip. I'll use the 'sho mod csm x memory' command to see if I am reaching the limit.
I did some more research on the 'persistent rebalance' command. It is enabled by default for vservers with L7 policies applied so that each get request will be checked against the policies. I must have disabled it when configuring the vserver.
I'm sure this is why my config did not work correctly. If you don't hear from me, you'll know it was.
Thank you for taking the time to answer my question!
glad to hear you have everything ok.
May I ask you to rate the post so other people can quickly identify discussions with valid content.