11-30-2011 05:04 AM
Hi Experts,
I am facing the following problem (some sort of proxy load balancing). The ACE should make the forwarding decision based on the following logic:
if scheme == https
{
    use serverpool A
}
else
{
    if host in url_list
    {
        use serverpool B
    }
    else
    {
        use serverpool C
    }
}
Well, the problem is that all traffic arrives on the VIP on the same TCP port, 8080.
I was thinking that HTTP and HTTPS could be distinguished based on the first characters of the layer-4 payload (GET or POST), treating anything else as HTTPS. This can be carried out in generic-type class-maps.
The next step is the url_list matching, which could be done in HTTP-type class-maps. (url_list consists of approx. 20 lines.)
The problem I see is that I cannot nest two different L7 class-map types.
Could it work if I used only generic-type class-maps and tried to match the URLs within the HTTP header with a layer-4-payload regex? How far does the ACE read, starting from the offset, for regex matching in the L4 payload?
Does someone have any idea?
Thanks, and regards:
jonagy
11-30-2011 07:25 AM
The generic class-map way doesn't work:
class-map type generic match-any CLASS7-HTTP
  10 match layer4-payload regex GET
  20 match layer4-payload regex POST
class-map type generic match-any CLASS7-URL
  10 match layer4-payload regex cisco[.]com
  20 match layer4-payload regex google[.]com
class-map type generic match-all CLASS7-HTTP+URL
  10 match class-map CLASS7-HTTP
  20 match class-map CLASS7-URL
results in:
Error: Multiple match layer4-payload cmds are invalid for match-all class-map
as it is written in the guide as well.
Any idea?
regards:
jonagy
11-30-2011 12:22 PM
Hi Jonagy,
It can be done, but a little bit differently from what you presented:
- If HTTP then use pool A
- If HTTPS or "else" use pool B
You can do something like:
class-map match-any cc
  2 match virtual-address 10.10.10.10 eq any
class-map type http loadbalance match-any HTTP
  match http url .*
policy-map type loadbalance first-match Proxy
  class HTTP
    serverfarm HTTP
  class class-default
    serverfarm HTTPS
This should match any HTTP request with any URL, where .* is a wildcard; when the ACE can't read the L5 payload because of HTTPS encryption, the connection would be sent to class-default.
HTH
Pablo
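Putting the thread's pieces together, here is an added example of the three-pool version (not Pablo's or jonagy's config): the url_list becomes Host-header matches in an HTTP class-map, the first-match order does the if/else, and class-default carries the HTTPS traffic. It assumes the VIP 10.10.10.10 from Pablo's post, placeholder pool names, and rservers RS-A/RS-B/RS-C that are already defined.

```cisco
! Added example, not jonagy's or Pablo's config. RS-A/B/C are assumed to be
! rserver hosts already defined; the Host values are jonagy's url_list samples.
serverfarm host POOL-A-HTTPS
  rserver RS-A
    inservice
serverfarm host POOL-B-LISTED
  rserver RS-B
    inservice
serverfarm host POOL-C-OTHER
  rserver RS-C
    inservice
!
! Plain HTTP whose Host header is on the url_list. Escape the dot, and confirm
! on your release whether header-value regexes are anchored; if they are not,
! a Host that merely contains cisco.com would also match this class.
class-map type http loadbalance match-any L7-URL-LIST
  2 match http header Host header-value "cisco\.com"
  3 match http header Host header-value "google\.com"
!
! Anything the ACE can parse as an HTTP request, whatever the URL.
class-map type http loadbalance match-any L7-ANY-HTTP
  2 match http url .*
!
! first-match: the class order encodes the if/else chain from the question.
! HTTPS is never recognised as such; it reaches class-default only because the
! HTTP parser fails, so any other non-HTTP bytes on 8080 go to pool A as well.
policy-map type loadbalance first-match LB-PROXY
  class L7-URL-LIST
    serverfarm POOL-B-LISTED
  class L7-ANY-HTTP
    serverfarm POOL-C-OTHER
  class class-default
    serverfarm POOL-A-HTTPS
!
class-map match-any VIP-8080
  2 match virtual-address 10.10.10.10 tcp eq 8080
policy-map multi-match FRONTEND
  class VIP-8080
    loadbalance vip inservice
    loadbalance policy LB-PROXY
```

Apply FRONTEND with service-policy input on the client-facing interface; pool A must tolerate receiving every connection the HTTP parser rejects, not just TLS.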