Does ACE hide a port from url
01-04-2011 04:12 AM
Hi all,
I need help configuring an ACE 4710 to hide the Oracle application server port (tcp 7777) from the URL.
The load balancing between the two servers is functioning, but I need to eliminate the port from the URL.
The clients access http://www.example.com or https://www.example.com, but they see http://www.example.com:7777 in their browsers.
I'm using this guide:
Thank you.
01-05-2011 09:03 AM
Hi buddy,
ACE will take care of port translation as long as you define your backend server ports under the serverfarm as follows:
rserver host DB-1
  ip address 192.168.1.11
  inservice
rserver host DB-2
  ip address 192.168.1.12
  inservice
serverfarm host DB
  rserver DB-1 7777
    inservice
  rserver DB-2 7777
    inservice
class-map match-all Database
  2 match virtual-address 172.16.51.30 tcp eq www
policy-map type loadbalance first-match SLB
  class class-default
    serverfarm DB
policy-map multi-match CLIENT_VIPS
  class Database
    loadbalance vip inservice
    loadbalance policy SLB
    loadbalance vip icmp-reply active
In this scenario the ACE receives traffic as http://mydomain.com (port 80) but the traffic is sent to the servers over port 7777.
This is completely transparent to the client, 7777 will not be shown at any time on client's browser.
HTH
Pablo
01-05-2011 10:05 AM
Except if there are hardcoded links or a 302 redirect sent by the application.
01-06-2011 12:57 AM
Hi all,
The configuration done on the ACE is as follows:
probe tcp ACE-PORTAL
  port 7777
  interval 10
  passdetect interval 2
  passdetect count 1
  open 1
rserver host portal1
  ip address 192.168.90.179
  inservice
rserver host portal2
  ip address 192.168.90.181
  inservice
serverfarm host portal
  probe ACE-PORTAL
  probe PING
  rserver portal1 7777
    inservice
  rserver portal2 7777
    inservice
sticky ip-netmask 255.255.255.255 address both portal-sticky
  timeout 30
  serverfarm portal
class-map match-all VIP-portal-http
  2 match virtual-address 192.168.90.185 tcp eq www
policy-map multi-match portal-policy-map
  class VIP-portal-http
    loadbalance vip inservice
    loadbalance policy portal-policy
interface vlan 10
  bridge-group 1
  access-group input BPDU-Allow
  access-group input portal-acl
  service-policy input portal-policy-map
  no shutdown
interface vlan 11
  bridge-group 1
  access-group input BPDU-Allow
  access-group input portal-acl
  service-policy input portal-policy-map
  no shutdown
But I usually get the same result: TCP port 7777 appears in the client browser. I have used Wireshark; the server sends an HTTP error 302:
HTTP/1.1 302 moved temporarily
I have used this guide for Oracle:
Any other help?
Regards.
01-06-2011 04:47 AM
Hi all,
Without ACE, the clients request http://www.xyz.com and in their browser they get
http://www.xyz.com:7777/portal/page?_pageid=257,1,257_1753518&_dad=portal&_schema=PORTAL
So they need to hide port 7777 with ACE and just see http://www.lip.gov.ly/portal/page?_pageid=257,1,257_1753518&_dad=portal&_schema=PORTAL
With Wireshark, the server sends HTTP/1.1 removed-temporarily.
New config:
rserver redirect REDIRECT-TO-HTTP
  webhost-redirection http://%h/%p 302
  inservice
serverfarm redirect HTTP-REDIRECT-SFARM
  rserver REDIRECT-TO-HTTP
    inservice
serverfarm host portal
  probe ACE-PORTAL
  probe PING
  rserver portal1 7777
    inservice
  rserver portal2 7777
    inservice
sticky http-cookie HTTP sticky-HTTP
  cookie insert browser-expire
  timeout 720
  serverfarm portal
class-map type http loadbalance match-any PORTAL-HTTP
  2 match http url /portal.*
  3 match http url /portal*
class-map match-any VIP-portal-http
  2 match virtual-address 192.168.90.185 tcp eq www
  3 match virtual-address 192.168.90.185 any
policy-map type loadbalance first-match portal-policy
  class PORTAL-HTTP
    sticky-serverfarm sticky-HTTP
  class class-default
    serverfarm HTTP-REDIRECT-SFARM
policy-map multi-match portal-policy-map
  class VIP-portal-http
    loadbalance vip inservice
    loadbalance policy portal-policy
    loadbalance vip icmp-reply
interface vlan 10
  bridge-group 1
  access-group input BPDU-Allow
  access-group input portal-acl
  service-policy input portal-policy-map
  no shutdown
interface vlan 11
  bridge-group 1
  access-group input BPDU-Allow
  access-group input portal-acl
  service-policy input portal-policy-map
  no shutdown
01-06-2011 10:28 AM
Hi,
301-302 are not HTTP errors, they are HTTP redirect response codes.
If the redirect you're seeing was embedded into the code, there's not much you can do, as the ACE will not have that inspected.
Now, if it was manually entered into the web server, you could try to rewrite the response with an action list:
action-list type modify http RewriteHost
  header rewrite response location header-value "http://example.com:7777/(.*)" replace "http://example.com/%1"
Here you can check all the details about action lists and how they are applied: http://xrl.us/bidxyj
You may also need a parameter map to modify each response:
parameter-map type http RewriteHost
  header modify per-request
HTH
Pablo
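The Location rewrite described in the reply above, modelled offline as an added example (not part of the original post and not ACE code). Python's `re` stands in for the ACE regex engine, which is an assumption; the sample responses and the host `portal1.example.com` are constructed. It shows that the rule strips `:7777` only when the pattern matches the exact host the server puts in `Location`.

```python
import re

# Constructed sample 302 response heads (not captured from the thread's servers).
REDIRECT_MATCHING = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: http://www.example.com:7777/portal/page?_dad=portal&_schema=PORTAL\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Same redirect, but the backend names itself with a different (hypothetical) host.
REDIRECT_OTHER_HOST = REDIRECT_MATCHING.replace("www.example.com", "portal1.example.com")

def to_python_template(replacement):
    """Turn %N group references (as in the rule above) into Python's \\g<N>."""
    return re.sub(r"%(\d)", r"\\g<\1>", replacement.replace("\\", "\\\\"))

def location_values(head):
    """Return the value of every Location header in a raw response head."""
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            values.append(value.strip())
    return values

def rewrite_location(head, pattern, replacement):
    """Rewrite Location values the pattern matches in full; leave others alone."""
    regex, template = re.compile(pattern), to_python_template(replacement)
    lines = head.split("\r\n")
    for i, line in enumerate(lines):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            match = regex.fullmatch(value.strip())
            if match:
                lines[i] = f"{name}: {match.expand(template)}"
    return "\r\n".join(lines)

def leaks_port(head, port=7777):
    """True if any Location header still names the backend port."""
    pat = re.compile(r"https?://[^/:]+:(\d+)(/|$)")
    hits = (pat.match(v) for v in location_values(head))
    return any(m is not None and int(m.group(1)) == port for m in hits)

if __name__ == "__main__":
    rule = ("http://www.example.com:7777/(.*)", "http://www.example.com/%1")
    for label, head in (("matching host", REDIRECT_MATCHING),
                        ("other host", REDIRECT_OTHER_HOST)):
        fixed = rewrite_location(head, *rule)
        print(label, "->", location_values(fixed), "leak:", leaks_port(fixed))
```

Feeding it the response head from a real header trace shows which host and scheme the pattern has to match before the rewrite can take effect.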
01-10-2011 01:48 AM
Hi all,
I have done the same configuration but it is still not functioning. This is the configuration:
config:
access-list BPDU-Allow ethertype permit bpdu
access-list portal-acl line 1 extended permit ip any any
probe tcp HTTP7777
  port 7777
  interval 30
  passdetect interval 10
  open 1
probe icmp PING
  interval 3
  passdetect interval 60
parameter-map type http RewriteHost
  persistence-rebalance
  header modify per-request
rserver host portal1
  ip address 192.168.90.179
  inservice
rserver host portal2
  ip address 192.168.90.181
  inservice
action-list type modify http RewriteHost
  header rewrite response location header-value "http://www.example.com:7777/(.*)" replace "http://www.example.com/(.*)"
serverfarm host portal
  probe HTTP7777
  probe PING
  rserver portal1 7777
    inservice
  rserver portal2 7777
    inservice
sticky ip-netmask 255.255.255.255 address source portal-sticky
  timeout 30
  replicate sticky
  serverfarm portal
class-map match-any VIP-portal-http
  2 match virtual-address 192.168.90.185 tcp eq www
  3 match virtual-address 192.168.90.185 any
class-map match-all VIP-portal-https
  2 match virtual-address 192.168.90.185 tcp eq https
policy-map type loadbalance first-match portal-policy
  class class-default
    sticky-serverfarm portal-sticky
    action RewriteHost
policy-map multi-match portal-policy-map
  class VIP-portal-https
    loadbalance vip inservice
    loadbalance policy portal-policy
    loadbalance vip icmp-reply
  class VIP-portal-http
    loadbalance vip inservice
    loadbalance policy portal-policy
    loadbalance vip icmp-reply
    appl-parameter http advanced-options RewriteHost
interface vlan 10
  bridge-group 1
  access-group input BPDU-Allow
  access-group input portal-acl
  service-policy input portal-policy-map
  no shutdown
interface vlan 11
  bridge-group 1
  access-group input BPDU-Allow
  access-group input portal-acl
  service-policy input portal-policy-map
  no shutdown
interface bvi 1
  ip address 192.168.90.190 255.255.255.240
  peer ip address 192.168.90.189 255.255.255.240
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.90.177
Note: if I add the line 3 (red highlighted) in the class-map, the URL is functioning but the port 7777 still appears in the URL; if we delete this entry, the URL is not functioning!
Any help?
02-11-2011 01:56 AM
Hi all,
Until now I have the same problem.
Any help?
Regards.
02-11-2011 02:27 AM
Please give us a live HTTP header trace.
