02-05-2014 12:45 PM
Hi all,
If there is anyone out there that can help me with this issue it would be greatly appreciated.
One ACE Load balancer, balancing HTTPS traffic to a few servers. Need to insert a x-forward-for on every packet.
To my limited knowledge, this can be done by either enabling header modify per-request or persistence-rebalance.
My issue is if I enable either one of those two, some files are not sent to the client. These files are not actual physical files on the web servers but rather pointers to resources that interpret it. Specifically:
<script src="/GlobalJs" type="text/javascript"></script>
This GlobalJs is not a file but rather a handler that represents a collection of bundled JS files.
1) Is there any other way to ensure that the X-FORWARD-FOR is inserted each and every time?
2) If header modify per-request or persistence-rebalance is the only way, then why does it behave differently or have issues with the above <script>?
Thanks in advance
Here is my configuration:
parameter-map type http HTTP_PARAMS
  persistence-rebalance
  header modify per-request
parameter-map type ssl SSL_PARAMS
  session-cache timeout 300
  queue-delay timeout 1
ssl-proxy service SSL_CLIENT
  ssl advanced-options SSL_PARAMS
ssl-proxy service SSL_SERVER
  key key.pem
  cert cert.pem
  ssl advanced-options SSL_PARAMS
class-map type management match-all PUBLIC_REMOTE
  2 match protocol ssh source-address 109.190.124.40 255.255.255.255
class-map type management match-all REMOTE_ACCESS
  2 match protocol ssh any
class-map match-all VIP-HTTP
  2 match virtual-address 37.59.87.65 tcp eq www
class-map match-all VIP-HTTPS
  2 match virtual-address 37.59.87.65 tcp eq https
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type management first-match REMOTE_PUBLIC_MGMT_ALLOW_POLICY
  class PUBLIC_REMOTE
    permit
policy-map type loadbalance http first-match HTTP_L7_POLICY
  class class-default
    serverfarm SERVERFARM_REDIRECT_HTTP
policy-map type loadbalance first-match SSL_BACK
  class class-default
    serverfarm SERVERFARM_APP
    insert-http x-forward header-value "%is"
    ssl-proxy client SSL_CLIENT
policy-map type loadbalance https first-match HTTPS_L7_POLICY
  class class-default
    serverfarm SERVERFARM_APP
policy-map multi-match WEB_TO_VIP
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy SSL_BACK
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 3091
    appl-parameter http advanced-options HTTP_PARAMS
    ssl-proxy server SSL_SERVER
  class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy HTTP_L7_POLICY
interface vlan 500
  no shutdown
interface vlan 750
  no shutdown
interface vlan 1269
  ip address 37.59.87.75 255.255.255.240
  alias 37.59.87.73 255.255.255.240
  peer ip address 37.59.87.74 255.255.255.240
  access-group input ANY
  service-policy input REMOTE_PUBLIC_MGMT_ALLOW_POLICY
  service-policy input WEB_TO_VIP
  no shutdown
interface vlan 3091
  ip address 172.31.255.251 255.240.0.0
  alias 172.31.255.249 255.240.0.0
  peer ip address 172.31.255.250 255.240.0.0
  access-group input ANY
  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
02-06-2014 04:31 AM
Hi Telmo,
You are right that for ACE to look at each and every HTTP request you need to use either persistence rebalance or header modify per request, but please note that persistence rebalance will also make the ACE load-balance every HTTP request. If the requirement is just to modify (insert, rewrite, delete), then header modify per request is the best option, or you need to use sticky if you are using persistence rebalance. So in your case you should use "header modify per request".
Now, coming to your problem, I have no idea what the above script does. But ACE should not remove or modify anything unless it is told to do so. So if you are seeing that applying the above parameters makes the ACE remove that script from forwarding it to the server, then that is a problem. I would suggest opening a TAC case for further investigation. But your configuration looks good. Remove persistence rebalance, though.
Regards,
Kanwal
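Added example (not part of the thread and not Cisco code): a backend-side check that every request on a keep-alive connection carries the inserted header, which is what per-request header modification is meant to ensure. The header name `x-forward` comes from the posted config; the captures, host name and client address are constructed, and request bodies are assumed to be delimited by Content-Length.

```python
# Header name taken from the "insert-http x-forward" line in the posted config.
HEADER = b"x-forward"

def requests_missing_header(stream: bytes, header: bytes = HEADER):
    """Walk a keep-alive byte stream request by request and return the
    request lines that do not carry `header`."""
    missing = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # truncated header block, nothing more to parse
        head = stream[pos:end].split(b"\r\n")
        fields = {}
        for line in head[1:]:
            name, _, value = line.partition(b":")
            fields[name.strip().lower()] = value.strip()
        if header.lower() not in fields:
            missing.append(head[0].decode("latin-1"))
        # Skip the body so bytes inside it are never mistaken for a request.
        pos = end + 4 + int(fields.get(b"content-length", b"0"))
    return missing

# Constructed capture: header present on the first request of the connection only.
FIRST_ONLY = (
    b"GET / HTTP/1.1\r\nHost: app.example\r\nx-forward: 198.51.100.7\r\n\r\n"
    b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 9\r\n\r\nuser=test"
    b"GET /GlobalJs HTTP/1.1\r\nHost: app.example\r\n\r\n"
)

# Constructed capture: header present on every request.
PER_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: app.example\r\nx-forward: 198.51.100.7\r\n\r\n"
    b"POST /login HTTP/1.1\r\nHost: app.example\r\nx-forward: 198.51.100.7\r\n"
    b"Content-Length: 9\r\n\r\nuser=test"
    b"GET /GlobalJs HTTP/1.1\r\nHost: app.example\r\nx-forward: 198.51.100.7\r\n\r\n"
)

if __name__ == "__main__":
    for label, capture in (("first-only", FIRST_ONLY), ("per-request", PER_REQUEST)):
        print(label, requests_missing_header(capture))
```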
02-06-2014 04:52 AM
Hi Kanwal,
Thanks for the response and for confirming the difference and the use of header insert and persistence balance.
I have found the issue to be the content length in fact. The GlobalJS was indeed a file that was larger than other items on the page and by adding:
no persistence-rebalance
header modify per-request
set header-maxparse-length 8196
set content-maxparse-length 8196
length-exceed continue
It now works. I am about to remove the header-maxparse as I don't see why the header on this would be larger than others.
Thanks!
Telmo
02-06-2014 05:05 AM
Hi Telmo,
Sounds good.
Regards,
Kanwal