[f-nsp] http -> https redirect

Mischa Peters foundry at high5.nl
Thu Nov 20 12:27:22 EST 2008


Hi Anil,

I would suggest the following:

server port 80
  tcp keepalive 5 3
  tcp l4-check-only
!
server port 443
  tcp keepalive 5 3
  tcp l4-check-only
!
server real fe-sf1-01 1.2.3.4
source-nat access-list 84
port http
port http url "GET /"
port ssl
!
server real fe-sf1-02 1.2.3.5
source-nat access-list 84
port http
port http url "GET /"
port ssl
!
server virtual sfaccess-amer 1.2.3.6
port http
port http csw-policy "ssl-convergence"
port http csw
port ssl sticky
bind http fe-sf1-02 http
bind ssl fe-sf1-02 ssl

Sticky makes sure that all consecutive requests coming from a client
will go to the same server. This is to prevent redoing the SSL handshake
every single time a request comes in.

port http url "GET /" is an HTTP health check that the ServerIron does,
but since you set l4-check-only this check will not be performed.
In this case the ServerIron will only check if port 80 is up.

The server port <port#> entries are port profiles that define port behavior
for the real servers.
In this case I told the ServerIron to health check the servers on ports
80 and 443 every 5 seconds and test 3 times. This is the same behavior
as adding keepalive at a real server port (port http keepalive). The
benefit of a port profile is that it's very easy to change port
behavior with only a couple of commands.

Good luck!

Mischa

> You guys are confusing me. :) Everyone gave me different answers.
>
> How exactly should the virtual server definition be setup?
>
>
> bind http fe-sf1-02 http
> bind ssl fe-sf1-02 ssl
>
> or
> bind http RS1 180   (using "shadow ports", someone recommended)
> bind ssl RS1 http
>
> or
> bind ssl bla http bla2 http
> bind http bla 180 real-port http bla2 180 real-port http   (what will
> the real-port do?)
>
>
> What does the "sticky" option do?
> Also, in this context what does the port http url "GET /" do? Does it
> match clients doing a GET / in their browser on port 80? If they go to,
> say, http://host/something/else, will it not match?
>
>
> This is what I have now. Thanks!
>
> !
> server real fe-sf1-01 1.2.3.4
> source-nat access-list 84
> port http
> port http keepalive
> port http url "GET /"
> port http l4-check-only
> port 81
> port 81 no-health-check
> port 81 keepalive
> port 81 l4-check-only
> port ssl
> !
> server real fe-sf1-02 1.2.3.5
> source-nat access-list 84
> port http
> port http keepalive
> port http url "GET /"
> port 81
> port 81 no-health-check
> port 81 keepalive
> port 81 l4-check-only
> port ssl
> !
> !
> server virtual sfaccess-amer 1.2.3.6
> port http
> port http csw-policy "ssl-convergence"
> port http csw
> port ssl sticky
> bind http fe-sf1-02 http
> bind ssl fe-sf1-02 ssl
> !
>
> On Thu, Nov 20, 2008 at 6:03 AM, Ronald Esveld <ronald.esveld at qi.nl>  
> wrote:
>> Sent him the correct one as well :)
>>
>>
>> With kind regards,
>>
>> Ronald Esveld
>> network engineer
>>
>> Qi ict
>> Delftechpark 35-37
>> Postbus 402, 2600 AK Delft
>>
>> T : +31 15 888 0 444
>> F : +31 15 888 0 445
>> E : mailto:ronald.esveld at qi.nl
>> I : http://www.qi.nl/
>>
>> Qi ict events:
>> Qi ict at the http://www.qi.nl/cms/publish/content/showpage.asp?pageid=431
>>
>> -----Original message-----
>> From: Mischa Peters [mailto:foundry at high5.nl]
>> Sent: Thursday, 20 November 2008 14:54
>> To: Ronald Esveld
>> CC: Anil; foundry-nsp at puck.nether.net
>> Subject: Re: [f-nsp] http -> https redirect
>>
>> That won't work.
>> What happens in this case is that the server will receive an HTTPS
>> request on port 80. They wouldn't know what to do with it.
>>
>> You need something like:
>>
>> csw-policy "p1"
>> default redirect "*" "*" ssl
>> !
>> server real www1 192.168.0.2
>> port http
>> port http url "GET /hc.php"
>> port ssl
>> !
>> server real www2 192.168.0.3
>> port http
>> port http url "GET /hc.php"
>> port ssl
>> !
>> server virtual www 192.168.0.80
>> port http
>> port http csw-policy "p1"
>> port http csw
>> port ssl sticky
>> bind http www1 http www2 http
>> bind ssl www1 ssl www2 ssl
>> !
>>
>> Mischa
>>
>>> server real bla 1.2.3.4
>>> port http
>>> port http keepalive
>>> port 180
>>> !
>>> server real bla2 1.2.3.5
>>> port http
>>> port http keepalive
>>> port 180
>>>
>>> server virtual blaat 1.2.3.6
>>> port default disable
>>> port ssl sticky
>>> port http sticky
>>> bind ssl bla http bla2 http
>>> bind http bla 180 real-port http bla2 180 real-port http
>>>
>>> That should do it
>>> Ronald
>>>
>>>
>>> With kind regards,
>>>
>>> Ronald Esveld
>>> network engineer
>>>
>>> Qi ict
>>> Delftechpark 35-37
>>> Postbus 402, 2600 AK Delft
>>>
>>> T : +31 15 888 0 444
>>> F : +31 15 888 0 445
>>> E : mailto:ronald.esveld at qi.nl
>>> I : http://www.qi.nl/
>>>
>>> Qi ict events:
>>> Qi ict at the
>>> http://www.qi.nl/cms/publish/content/showpage.asp?pageid=431
>>>
>>> -----Original message-----
>>> From: foundry-nsp-bounces at puck.nether.net
>>> [mailto:foundry-nsp-bounces at puck.nether.net] On behalf of Anil
>>> Sent: Wednesday, 19 November 2008 16:46
>>> To: foundry-nsp at puck.nether.net
>>> Subject: [f-nsp] http -> https redirect
>>>
>>> Sorry, for the newbie question. I am not a network engineer, just
>>> supporting something someone else maintains...
>>>
>>> SW: Version 09.5.02kTD2 Copyright (c) 1996-2003 Foundry Networks,
>>> Inc.
>>>     Compiled on Apr 22 2008 at 17:14:32 labeled as WXM09502k
>>>     (4107327 bytes) from Primary WXM09502k.bin
>>> HW: ServerIronGT C-Series Switch, SYSIF version 21, Serial #:
>>> Non-exist
>>>
>>>
>>> Is it possible to setup a HTTP -> HTTPS redirect on the LB? I have a
>>> virtual server set as this:
>>>
>>>
>>> Virtual server: host1              Status: enabled  IP: 2.3.4.5
>>>       http -------> fe-sf1-01: 1.2.3.4,  http (Active)
>>>                     fe-sf1-02: 1.2.3.5,  http (Active)
>>>        ssl -------> fe-sf1-01: 1.2.3.4,  ssl (Active)
>>>                     fe-sf1-02: 1.2.3.5,  ssl (Active)
>>>
>>> Thanks,
>>> Anil
>>> _______________________________________________
>>> foundry-nsp mailing list
>>> foundry-nsp at puck.nether.net
>>> http://puck.nether.net/mailman/listinfo/foundry-nsp
>>
>>
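A way to verify that the redirect policy discussed in this thread behaves as intended once it is in place: the script below is an added example, not code from the thread or from Foundry, and it takes a raw HTTP response (as a client on port 80 would receive it from the virtual server) and checks that the client is sent to the same host and path over https. The sample responses are constructed; the host name host.example and the /something/else path from Anil's question are assumptions.

```python
"""Check a load balancer's HTTP -> HTTPS redirect response.

Added example, not part of the mailing-list thread. Given a raw HTTP
response, confirm it is a 3xx redirect whose Location keeps the host
and path but switches the scheme to https (an http Location would send
the client straight back to port 80, i.e. a redirect loop).
"""
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])      # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")     # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(raw: bytes, request_host: str, request_path: str):
    """Return (ok, reason); ok is True only for a redirect to https://<host><path>."""
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES:
        return False, f"expected a 3xx redirect, got {status}"
    location = headers.get("location")
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return False, f"Location scheme is {target.scheme!r}, not https (redirect loop?)"
    if target.hostname != request_host.lower():
        return False, f"Location host {target.hostname!r} differs from request host"
    if target.path != request_path:
        return False, f"path not preserved: {target.path!r} vs {request_path!r}"
    return True, "ok"


# Constructed sample responses (not captured from a real ServerIron).
GOOD = b"HTTP/1.1 302 Found\r\nLocation: https://host.example/something/else\r\nContent-Length: 0\r\n\r\n"
LOOP = b"HTTP/1.1 302 Found\r\nLocation: http://host.example/something/else\r\n\r\n"
NO_REDIRECT = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("loop", LOOP), ("none", NO_REDIRECT)):
        print(name, check_redirect(raw, "host.example", "/something/else"))
```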
