header modify per-request messes up virtual resources

telmosilva1
Level 1

Hi all,

If there is anyone out there that can help me with this issue it would be greatly appreciated.

One ACE Load balancer, balancing HTTPS traffic to a few servers. Need to insert a x-forward-for on every packet.

To my limited knowledge, this can be done by either enabling header modify per-request or persistence-rebalance.

My issue is if I enable either one of those two, some files are not sent to the client. These files are not actual physical files on the web servers but rather pointers to resources that interpret it. Specifically:

<script src="/GlobalJs" type="text/javascript"></script>

This GlobalJs is not a file but rather a handler that represents a collection of bundled JS files.


1) Is there any other way to ensure that the X-FORWARD-FOR is inserted each and every time?

2) If header modify per-request or persistence-rebalance is the only way, then why does it behave differently or have issues with the above <script>?

Thanks in advance

Here is my configuration:

parameter-map type http HTTP_PARAMS

  persistence-rebalance

  header modify per-request

parameter-map type ssl SSL_PARAMS

  session-cache timeout 300

  queue-delay timeout 1

ssl-proxy service SSL_CLIENT

  ssl advanced-options SSL_PARAMS

ssl-proxy service SSL_SERVER

  key key.pem

  cert cert.pem

  ssl advanced-options SSL_PARAMS

class-map type management match-all PUBLIC_REMOTE

  2 match protocol ssh source-address 109.190.124.40 255.255.255.255

class-map type management match-all REMOTE_ACCESS

  2 match protocol ssh any

class-map match-all VIP-HTTP

  2 match virtual-address 37.59.87.65 tcp eq www

class-map match-all VIP-HTTPS

  2 match virtual-address 37.59.87.65 tcp eq https

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

  class REMOTE_ACCESS

    permit

policy-map type management first-match REMOTE_PUBLIC_MGMT_ALLOW_POLICY

  class PUBLIC_REMOTE

    permit

policy-map type loadbalance http first-match HTTP_L7_POLICY

  class class-default

    serverfarm SERVERFARM_REDIRECT_HTTP

policy-map type loadbalance first-match SSL_BACK

  class class-default

    serverfarm SERVERFARM_APP

    insert-http x-forward header-value "%is"

    ssl-proxy client SSL_CLIENT

policy-map type loadbalance https first-match HTTPS_L7_POLICY

  class class-default

    serverfarm SERVERFARM_APP

policy-map multi-match WEB_TO_VIP

  class VIP-HTTPS

    loadbalance vip inservice

    loadbalance policy SSL_BACK

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 3091

    appl-parameter http advanced-options HTTP_PARAMS

    ssl-proxy server SSL_SERVER

  class VIP-HTTP

    loadbalance vip inservice

    loadbalance policy HTTP_L7_POLICY

interface vlan 500

  no shutdown

interface vlan 750

  no shutdown

interface vlan 1269

  ip address 37.59.87.75 255.255.255.240

  alias 37.59.87.73 255.255.255.240

  peer ip address 37.59.87.74 255.255.255.240

  access-group input ANY

  service-policy input REMOTE_PUBLIC_MGMT_ALLOW_POLICY

  service-policy input WEB_TO_VIP

  no shutdown

interface vlan 3091

  ip address 172.31.255.251 255.240.0.0

  alias 172.31.255.249 255.240.0.0

  peer ip address 172.31.255.250 255.240.0.0

  access-group input ANY

  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat

  service-policy input REMOTE_MGMT_ALLOW_POLICY

  no shutdown


3 Replies

Kanwaljeet Singh
Cisco Employee

Hi Telmo,

You are right that for the ACE to look at each and every HTTP request you need to use either persistence rebalance or header modify per request. Please note, though, that persistence rebalance will also make the ACE load-balance every HTTP request, and if the requirement is just to modify (insert, rewrite, delete) then header modify per request is the best option, or you need to use sticky if you are using persistence rebalance. So in your case you should use "header modify per request".

Now, coming to your problem, I have no idea what the above script does. But the ACE should not remove or modify anything unless it is told to do so. So if you are seeing that applying the above parameters makes the ACE remove that script from forwarding it to the server, then that is a problem. I would suggest opening a TAC case for further investigation. But your configuration looks good. Remove persistence rebalance though.

Regards,

Kanwal
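The reply above says the ACE only looks at every HTTP request when one of the two settings is enabled. The following Python check is an added example, not part of the thread: it takes the reassembled server-side bytes of one keep-alive connection and lists the requests that arrived without the inserted header. The function names, the host name and the sample bytes are constructed for illustration; the header name `x-forward` is the one used in the posted `insert-http` line.

```python
# Added example: audit one reassembled server-side HTTP stream (a single
# keep-alive connection) for requests lacking the load-balancer-inserted header.

def split_requests(stream: bytes):
    """Yield (request_line, headers) for each request on a persistent connection.

    Assumption: request bodies are delimited by Content-Length (no chunked uploads).
    """
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            raise ValueError("truncated header block at offset %d" % pos)
        lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield lines[0], headers
        # Skip the body so the next iteration starts at the next request line.
        pos = end + 4 + int(headers.get("content-length", "0"))


def requests_missing_header(stream: bytes, header: str = "x-forward"):
    """Return [(index, request_line)] for requests that do not carry `header`."""
    header = header.lower()
    return [(i, req)
            for i, (req, hdrs) in enumerate(split_requests(stream), 1)
            if header not in hdrs]


# Constructed sample: three requests on one connection where only the first
# carries the header, as when only the first request is modified.
SAMPLE = (
    b"GET / HTTP/1.1\r\nHost: app.example\r\nx-forward: 198.51.100.7\r\n\r\n"
    b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 9\r\n\r\nuser=test"
    b"GET /GlobalJs HTTP/1.1\r\nHost: app.example\r\n\r\n"
)

if __name__ == "__main__":
    for idx, line in requests_missing_header(SAMPLE):
        print("request %d has no x-forward header: %s" % (idx, line))
```

An empty result for every sampled connection means the header is present on each request, so backend logs and any address-based rules see the client address rather than the NAT pool address.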

Hi Kanwal,

Thanks for the response and for confirming the difference and the use of header insert and persistence balance.

I have found the issue to be the content length in fact. The GlobalJS was indeed a file that was larger than other items on the page and by adding:

  no persistence-rebalance

  header modify per-request

  set header-maxparse-length 8196

  set content-maxparse-length 8196

  length-exceed continue

It now works. I am about to remove the header-maxparse as I don't see why the header on this would be larger than others.

Thanks!

Telmo

Hi Telmo,

Sounds good.

Regards,

Kanwal