Does ACE hide a port from url

b.youssef
Level 1

Hi all,

I need help configuring the ACE 4710 to hide the Oracle application server port (TCP 7777) from the URL.

The load balancing between the two servers is functioning, but I need to eliminate the port from the URL.

The clients access http://www.example.com or https://www.example.com but they see http://www.example.com:7777 in their browsers.

I'm using this guide:


Thank you.

8 Replies

pablo.nxh
Level 3

Hi buddy,

ACE will take care of port translation as long as you define your backend server ports under the serverfarm as follows:

rserver host DB-1
  ip address 192.168.1.11
  inservice
rserver host DB-2
  ip address 192.168.1.12
  inservice

serverfarm host DB
  rserver DB-1 7777
    inservice
  rserver DB-2 7777
    inservice

class-map match-all Database
  2 match virtual-address 172.16.51.30 tcp eq www


policy-map type loadbalance first-match SLB
  class class-default
    serverfarm DB

policy-map multi-match CLIENT_VIPS
  class Database
    loadbalance vip inservice
    loadbalance policy SLB
    loadbalance vip icmp-reply active

In this scenario the ACE receives traffic as http://mydomain.com (port 80) but the traffic is sent to the servers over port 7777.

This is completely transparent to the client; 7777 will not be shown at any time in the client's browser.

HTH


Pablo

Except if there are hardcoded links or 302 redirects sent by the application.

Hi all,

The configuration done on the ACE is as follows:

probe tcp ACE-PORTAL
  port 7777
  interval 10
  passdetect interval 2
  passdetect count 1
  open 1

rserver host portal1
  ip address 192.168.90.179
  inservice
rserver host portal2
  ip address 192.168.90.181
  inservice


serverfarm host portal
  probe ACE-PORTAL
  probe PING
  rserver portal1 7777
    inservice
  rserver portal2 7777
    inservice

sticky ip-netmask 255.255.255.255 address both portal-sticky
  timeout 30
  serverfarm portal

class-map match-all VIP-portal-http
  2 match virtual-address 192.168.90.185 tcp eq www

policy-map multi-match portal-policy-map
  class VIP-portal-http
    loadbalance vip inservice
    loadbalance policy portal-policy

interface vlan 10
  bridge-group 1
  access-group input BPDU-Allow
  access-group input portal-acl
  service-policy input portal-policy-map
  no shutdown
interface vlan 11
  bridge-group 1
  access-group input BPDU-Allow
  access-group input portal-acl
  service-policy input portal-policy-map
  no shutdown

But I still have the same result: TCP port 7777 appears in the client browser. I have used Wireshark, and the server sends an HTTP error 302:

HTTP/1.1 302 moved temporarily

I have used this guide for Oracle:

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_white_paper0900aecd804edab0.html

Any other help?

Regards.

Hi all,

Without ACE, the clients request http://www.xyz.com and in their browser they get

http://www.xyz.com:7777/portal/page?_pageid=257,1,257_1753518&_dad=portal&_schema=PORTAL

So they need to hide the port 7777 with ACE and just see http://www.lip.gov.ly/portal/page?_pageid=257,1,257_1753518&_dad=portal&_schema=PORTAL

With Wireshark, the server sends HTTP/1.1 removed-temporarily.

New config:

rserver redirect REDIRECT-TO-HTTP
  webhost-redirection http://%h/%p 302
  inservice

serverfarm redirect HTTP-REDIRECT-SFARM
  rserver REDIRECT-TO-HTTP
    inservice

serverfarm host portal
  probe ACE-PORTAL
  probe PING
  rserver portal1 7777
    inservice
  rserver portal2 7777
    inservice

sticky http-cookie HTTP sticky-HTTP
  cookie insert browser-expire
  timeout 720
  serverfarm portal

class-map type http loadbalance match-any PORTAL-HTTP
  2 match http url /portal.*
  3 match http url /portal*

class-map match-any VIP-portal-http
  2 match virtual-address 192.168.90.185 tcp eq www
  3 match virtual-address 192.168.90.185 any

policy-map type loadbalance first-match portal-policy
  class PORTAL-HTTP
    sticky-serverfarm sticky-HTTP
  class class-default
    serverfarm HTTP-REDIRECT-SFARM

policy-map multi-match portal-policy-map
  class VIP-portal-http
    loadbalance vip inservice
    loadbalance policy portal-policy
    loadbalance vip icmp-reply

interface vlan 10
  bridge-group 1
  access-group input BPDU-Allow
  access-group input portal-acl
  service-policy input portal-policy-map
  no shutdown


interface vlan 11
  bridge-group 1
  access-group input BPDU-Allow
  access-group input portal-acl
  service-policy input portal-policy-map
  no shutdown

Hi,

301-302 are not HTTP errors, they are HTTP redirect response codes.

If this redirect you're seeing was embedded into the code, there's not much you can do, as the ACE will not have that inspected.

Now if it was manually entered into the web server you could try to rewrite the response with an action list:

action-list type modify http RewriteHost

   header rewrite response location header-value "http://example.com:7777/(.*)"  replace  "http://example.com/%1"

Here you can check all the details about action list and how it is applied http://xrl.us/bidxyj

You may also need a parameter map to modify each response


parameter-map type http RewriteHost

    header modify per-request

HTH


Pablo

Hi all,

I have done the same configuration but it is still not functioning. This is the configuration:

config:

access-list BPDU-Allow ethertype permit bpdu

access-list portal-acl line 1 extended permit ip any any


probe tcp HTTP7777
  port 7777
  interval 30
  passdetect interval 10
  open 1


probe icmp PING
  interval 3
  passdetect interval 60

parameter-map type http RewriteHost
  persistence-rebalance
  header modify per-request

rserver host portal1
  ip address 192.168.90.179
  inservice
rserver host portal2
  ip address 192.168.90.181
  inservice

action-list type modify http RewriteHost
  header rewrite response location header-value "http://www.example.com:7777/(.*)" replace "http://www.example.com/(.*)"

serverfarm host portal
  probe HTTP7777
  probe PING
  rserver portal1 7777
    inservice
  rserver portal2 7777
    inservice

sticky ip-netmask 255.255.255.255 address source portal-sticky
  timeout 30
  replicate sticky
  serverfarm portal


class-map match-any VIP-portal-http
  2 match virtual-address 192.168.90.185 tcp eq www
  3 match virtual-address 192.168.90.185 any

class-map match-all VIP-portal-https
  2 match virtual-address 192.168.90.185 tcp eq https

policy-map type loadbalance first-match portal-policy
  class class-default
    sticky-serverfarm portal-sticky
    action RewriteHost

policy-map multi-match portal-policy-map
  class VIP-portal-https
    loadbalance vip inservice
    loadbalance policy portal-policy
    loadbalance vip icmp-reply
  class VIP-portal-http
    loadbalance vip inservice
    loadbalance policy portal-policy
    loadbalance vip icmp-reply
    appl-parameter http advanced-options RewriteHost

interface vlan 10
  bridge-group 1
  access-group input BPDU-Allow
  access-group input portal-acl
  service-policy input portal-policy-map
  no shutdown
interface vlan 11
  bridge-group 1
  access-group input BPDU-Allow
  access-group input portal-acl
  service-policy input portal-policy-map
  no shutdown

interface bvi 1
  ip address 192.168.90.190 255.255.255.240
  peer ip address 192.168.90.189 255.255.255.240
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.90.177

Note: if I add line 3 (highlighted in red) in the class-map, the URL is functioning but the port 7777 still appears in the URL; if we delete this entry, the URL is not functioning!

Any help?
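
Added example (not part of any post in this thread, and not Cisco code): a small Python model of the Location header rewrite discussed in the two posts above, comparing a replace string written with `%1` (as in the earlier reply) against one written with `(.*)` (as in the configuration just posted). The matching semantics, the `portal1.example.com` host and the sample Location values are assumptions constructed for illustration.

```python
import re

def ace_rewrite(value, pattern, replace):
    """Model of: header rewrite response location header-value P replace R.
    Assumptions: P must match the whole header value, %N in R inserts capture
    group N, and every other character of R is copied literally."""
    m = re.fullmatch(pattern, value)
    if m is None:
        return value                      # no match: header passes through
    return re.sub(r"%(\d)", lambda g: m.group(int(g.group(1))), replace)

def leaks_port(location, port="7777"):
    """True if an absolute Location URL still exposes the backend port."""
    m = re.match(r"https?://[^/:]+:(\d+)", location)
    return bool(m and m.group(1) == port)

# Replace string written with %1, as in the earlier reply's action list.
REPLY_RULE = ("http://www.example.com:7777/(.*)", "http://www.example.com/%1")
# Replace string written with "(.*)", as in the configuration posted above.
POSTED_RULE = ("http://www.example.com:7777/(.*)", "http://www.example.com/(.*)")

# Constructed Location values, not captured from the poster's servers.
SAMPLES = [
    "http://www.example.com:7777/portal/page?_pageid=257",
    "http://portal1.example.com:7777/portal/page",   # hypothetical backend host
    "/portal/page",                                  # relative redirect
]

def audit(rule):
    """Return (original, rewritten, still_leaks) for each sample."""
    out = []
    for loc in SAMPLES:
        new = ace_rewrite(loc, *rule)
        out.append((loc, new, leaks_port(new)))
    return out

if __name__ == "__main__":
    for name, rule in (("%1 rule", REPLY_RULE), ("(.*) rule", POSTED_RULE)):
        print(name)
        for loc, new, leak in audit(rule):
            print(f"  {loc}\n    -> {new}  leaks_port={leak}")
```

The second sample shows why a live header trace is worth capturing: under this model a rule only fires when its pattern matches the host the server actually places in the Location header, so a redirect to any other hostname passes through with the port intact.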

Hi all,

Until now I have the same problem.

Any help?

Regards.

Please give us a live HTTP header trace.
