CSS 11501 Load Balancing with X-forwarded-for

itech
Level 1

Hi,

We have a pair of CSS 11501.

Currently it is using source IP for load balancing with 5 servers as backend. However, we have users logging in using HTTP and, based on the source IP (ISP PROXY), they are forwarded to SERVER A.

However, we have an SSL page, and when the client switches over to SSL, it is forwarded to SERVER B/C/D/E based on its source IP (REAL CLIENT IP).

This will cause the user session to be terminated, as the 5 servers are independent and not running in a cluster.

Is there any way that we can use the X-Forwarded-For address to load balance, so that when users log in they are sent to SERVER A (based on the X-Forwarded-For header IP, which translates to the REAL CLIENT IP)?

This way we are also able to send them back to the same server when they use SSL.

I believe that we should be able to load balance using the X-Forwarded-For IP, or to rewrite the X-Forwarded-For IP into the client source IP.

Regards

3 Replies

rodrguti_2
Level 1

Hi,

Unfortunately, CSS does not support X-Forwarded-For, and even if CSS supported it, this won't work if you are not using SSL termination.

One option that you can use here is SSL termination, so you can manage the SSL traffic as HTTP on the CSS; in this way you can use the same HTTP content rule which is the one currently working.

In summary, you will have an SSL content rule that decrypts the traffic, and this one will use the same content rule that already exists for HTTP, in case the server is the one doing the redirect to SSL. But this is something that requires testing, since depending on the redirect behavior we might have a redirect loop; without details it is kind of hard to confirm that you will face this with this option.

Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.

  content HTTP-HTTPS
    vip address 10.198.44.70
    advanced-balance sticky-srcip
    add service server1
    add service server2
    add service server3
    add service server4
    add service server5
    protocol tcp
    active

Here the content rule is not looking at the destination port, it is just looking at the source IP, and HTTP and HTTPS will always end up on the same server.

Thanks,

Rodrigo

But there is a problem with the source IP.

Users passing through a proxy server (the ISP's mandatory one) will have their source IP listed as the proxy server's IP.

However, when SSL is initiated, the source IP is actually the client's true IP.

Hence the problem.

Regards

Hi,

Yes, in that case you will need to use SSL termination, since, let's say the packet is coming with the X-Forwarded-For already inserted in the HTTP header, the CSS is not going to be able to parse that info if we are not doing SSL termination.

That configuration can be used with header-field-group.

Regards
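To make the mismatch discussed in this thread concrete, here is an added example (not CSS configuration and not code from any poster) that simulates the two selection policies: plain sticky-by-source-IP, and stickiness keyed on the real client address recovered from X-Forwarded-For. The server names, the trusted proxy range and the sample requests are constructed for the example. The one design point a practitioner should take from it: X-Forwarded-For is a client-settable header, so a load balancer must only honour it when the TCP peer is a known proxy, and must take the right-most address in the chain that is not itself a trusted proxy.

```python
import hashlib
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample data (assumptions for this example, not values from the thread).
SERVERS = ["server1", "server2", "server3", "server4", "server5"]
TRUSTED_PROXIES = [ip_network("203.0.113.0/24")]  # the ISP's mandatory proxy range


def pick_server(key: str, servers=SERVERS) -> str:
    """Deterministic server selection: hash the key and index into the pool.
    The same key always maps to the same server, which is what 'sticky-srcip' relies on."""
    digest = hashlib.sha256(key.encode()).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


def client_key(peer_ip: str, xff_header: Optional[str]) -> str:
    """Derive the address used for stickiness.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    a directly connected client that sends the header gets keyed on its
    socket address instead. In a chain 'client, proxy1, proxy2' the
    right-most hop that is not a trusted proxy is the client.
    """
    peer = ip_address(peer_ip)
    if xff_header and any(peer in net for net in TRUSTED_PROXIES):
        hops = [h.strip() for h in xff_header.split(",") if h.strip()]
        for hop in reversed(hops):
            try:
                addr = ip_address(hop)
            except ValueError:
                continue  # malformed hop, ignore it
            if not any(addr in net for net in TRUSTED_PROXIES):
                return str(addr)
    return str(peer)


def select(peer_ip: str, xff_header: Optional[str], honour_xff: bool):
    """Return (sticky key, chosen server) under one of the two policies."""
    key = client_key(peer_ip, xff_header) if honour_xff else peer_ip
    return key, pick_server(key)


# The two requests from the thread: the HTTP login arrives via the ISP proxy
# (peer = proxy address, client address only in the header), the HTTPS
# request arrives directly from the client (peer = real client address).
REQUESTS = [
    ("HTTP login via ISP proxy", "203.0.113.10", "198.51.100.7"),
    ("HTTPS direct from client", "198.51.100.7", None),
]


def run_thread_scenario():
    """Evaluate both policies over REQUESTS; returns {policy: [(key, server), ...]}."""
    results = {}
    for name, honour in (("sticky-srcip", False), ("xff-aware", True)):
        results[name] = [select(peer, xff, honour) for _, peer, xff in REQUESTS]
    return results


if __name__ == "__main__":
    for policy, picks in run_thread_scenario().items():
        print(policy)
        for (desc, _, _), (key, server) in zip(REQUESTS, picks):
            print(f"  {desc:28s} key={key:14s} -> {server}")
```

Under `sticky-srcip` the two requests are keyed on different addresses (proxy IP versus real client IP), so they may land on different servers, which is exactly the session break described above; under the XFF-aware policy both requests resolve to the same key and therefore the same server. The example only models the selection logic; as the reply notes, the CSS can only act on the header at all if it terminates the SSL session and can read the HTTP request.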
