HTTP and HTTPS on identical TCP port

jonagyula
Level 1

Hi Experts,

I am facing the following problem (a sort of proxy load balancing). The ACE should make its forwarding decision based on the following logic:

if scheme == https
{
    use serverpool A
}
else
{
    if host in url_list
    {
        use serverpool B
    }
    else
    {
        use serverpool C
    }
}

Well, the problem is that all traffic arrives on the VIP on the same TCP port, 8080.

I was thinking that HTTP and HTTPS could be distinguished based on the first characters of the layer-4 payload (GET or POST), treating anything else as HTTPS. This can be done in generic-type class-maps.

The next step is the url_list matching, which could be done in HTTP-type class-maps. (url_list consists of approx. 20 lines.)

The problem I see is that I cannot nest two different L7 class-map types.

Could it work if I used only generic-type class-maps and tried to match the URLs within the HTTP header with a layer-4-payload regex? How far does the ACE read, starting from the offset, for regex matching in the L4 payload?

Does someone have any idea?

Thanks and regards,

jonagy

2 Replies

jonagyula
Level 1

The generic class-map approach doesn't work:

class-map type generic match-any CLASS7-HTTP
  10 match layer4-payload regex GET
  20 match layer4-payload regex POST

class-map type generic match-any CLASS7-URL
  10 match layer4-payload regex cisco[.]com
  20 match layer4-payload regex google[.]com

class-map type generic match-all CLASS7-HTTP+URL
  10 match class-map CLASS7-HTTP
  20 match class-map CLASS7-URL

results in:

Error: Multiple match layer4-payload cmds are invalid for match-all class-map

as is also stated in the guide.

Any idea?

regards,

jonagy

Hi Jonagy,

It can be done, but a little differently from what you presented:

- If HTTP then use pool A

- If HTTPS or "else" use pool B

You can do something like:

class-map match-any cc
  2 match virtual-address 10.10.10.10 tcp eq 8080

class-map type http loadbalance match-any HTTP
  match http url .*

policy-map type loadbalance first-match Proxy
  class HTTP
    serverfarm HTTP
  class class-default
    serverfarm HTTPS

policy-map multi-match VIP-8080
  class cc
    loadbalance vip inservice
    loadbalance policy Proxy

This should match any HTTP request with any URL (.* is a wildcard); when the ACE can't read the L5 payload because of HTTPS encryption, the request is sent to class-default.

HTH


Pablo
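As an added example (Python, not ACE configuration, and not from either poster), the block below implements the three-way decision from the original post's pseudocode over the first bytes of a TCP payload arriving on the shared port. It also shows the two checks a practitioner would want before relying on either the generic class-map idea or the class-default fallback in Pablo's answer: a positive test for a TLS record header instead of treating "anything that is not GET/POST" as HTTPS (HEAD, PUT, OPTIONS and other methods would otherwise land in the HTTPS pool, and arbitrary non-TLS junk would be forwarded there too), and an anchored host comparison instead of the unanchored regex cisco[.]com, which also matches a host such as cisco.com.evil.example. The host list, the "reject" outcome and all sample payloads are constructed for this example; only the pool names A, B and C come from the original post.

```python
"""Pick a server pool from the first bytes of a TCP payload on a shared port.

Added example: models the forwarding decision discussed in the thread, it is
not the ACE's own parsing logic or configuration. Sample data is constructed.
"""

# Hypothetical stand-in for the poster's url_list (about 20 hosts in the post).
URL_LIST = frozenset({"cisco.com", "google.com"})

# All request methods from RFC 7231 / RFC 5789, not just GET and POST. A class-map
# that only matches GET/POST misclassifies every other method as "not HTTP".
HTTP_METHODS = frozenset(
    {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
)


def is_tls_client_hello(payload: bytes) -> bool:
    """Positive TLS test: record type 0x16 (handshake), record version 0x03 0x00-0x04,
    and a handshake message type of 0x01 (ClientHello) at offset 5."""
    return (
        len(payload) >= 6
        and payload[0] == 0x16
        and payload[1] == 0x03
        and payload[2] <= 0x04
        and payload[5] == 0x01
    )


def is_http_request(payload: bytes) -> bool:
    """Check the request line as a whole: METHOD SP target SP HTTP/1.x.
    Searching for the substring GET anywhere in the payload would also match
    binary protocols or request bodies that happen to contain those bytes."""
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) != 3:
        return False
    method = parts[0].decode("ascii", "replace")
    return method in HTTP_METHODS and parts[2].startswith(b"HTTP/1.")


def request_host(payload: bytes):
    """Return the Host header value, lowercased and without a :port suffix, or None.
    Only the header block is inspected, never the body. IPv6 literals are not handled."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.count(":") == 1:
                host = host.rsplit(":", 1)[0]
            return host
    return None


def host_in_list(host, allowed=URL_LIST) -> bool:
    """Anchored comparison: exact match or a proper subdomain of a listed host.
    The unanchored regex cisco[.]com from the thread would also accept
    cisco.com.evil.example and notcisco.com."""
    if host is None:
        return False
    return host in allowed or any(host.endswith("." + a) for a in allowed)


def choose_pool(payload: bytes) -> str:
    """The thread's pseudocode, with an explicit outcome for unknown traffic."""
    if is_tls_client_hello(payload):
        return "A"  # HTTPS -> serverpool A
    if is_http_request(payload):
        return "B" if host_in_list(request_host(payload)) else "C"
    # Neither TLS nor HTTP: do not silently forward it to the HTTPS pool.
    return "reject"


# Constructed sample payloads (first segment of each connection).
SAMPLES = {
    "tls": bytes([0x16, 0x03, 0x01, 0x00, 0xF1, 0x01, 0x00, 0x00, 0xED, 0x03, 0x03]) + b"\x00" * 32,
    "http_listed": b"GET /index.html HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n",
    "http_lookalike": b"GET / HTTP/1.1\r\nHost: cisco.com.evil.example\r\n\r\n",
    "http_head": b"HEAD / HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "junk": b"\x00\x01\x02garbage",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15s} -> pool {choose_pool(data)}")
```

The "junk" case is the one the original pseudocode does not cover: with "anything that is not GET/POST is HTTPS", arbitrary bytes on port 8080 would reach the HTTPS pool.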