ACE 4710 - 'reverse proxy' infront of serverfarm - fail-over/sorry server design issue

Similar Messages

• ACE 4710, reverse proxy?

  Hello All,
  Please forgive my ignorance but can the ACE appliance behave as a reverse proxy for http and ssl traffic? I would assume it can given how it does SLB but SLB is not a requirement at this time. Thanks for your input.

  Hi Mate,
  The reverse proxy servers can perform many tasks, like:
  Note: this info from Wikipedia: http://en.wikipedia.org/wiki/Reverse_proxy
  Reverse proxies can hide the existence and characteristics of the origin server(s), The ACE will do that.
  Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult, The ACE has some built-in security features, you can refer to this document for full detail:
  http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/security/guide/securgd.html
  In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead offloaded to a reverse proxy that may be equipped with SSL acceleration hardware. The ACE can do this:
  http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/ssl/guide/sslgd.html
  A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource. The ACE can do that perfectly.
  A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator. A reverse proxy can optimize content by compressing it in order to speed up loading times. Please check this link for more detail about ACE Application Acceleration and Optimization:
  http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/app_acc_and_opt/guide/appaccoptgd.html
  Best regards,
  Ahmad

• ACE behind Reverse Proxy - performance issue

  Hi,
    I've got a config working to accommodate the required use of reverse proxy servers infront of my application servers.  Traffic comes into the Front ACE and I insert a header "SRCIP" with the original client IP address which is preserved through the Rev Proxy servers and is then inspected on the Back ACE to create a sticky to a given application server/SRCIP pairing.  The use of the RP's appears to require using the persistence-rebalance option otherwise the traffic get stuck to the wrong app server.  The app functions perfectly with this config; however, there is a severe performance impact.  Using load-runner, we see response times go from 1.5 seconds to 16 seconds for the same transactions comparing this config to a previous config which used static sticky to bind the RP to the app servers..
  Question:  Is there a better way to do this and remain dynamic, or some way to optimize this approach to reduce the performance impact.
  Relevant Config for both ACE's here:
  !!Front ACE
  parameter-map type http HTTP_REBAL
    persistence-rebalance
    length-exceed continue
  sticky ip-netmask 255.255.255.255 address source ALPHA-SRCIP-sticky
    timeout 60
    replicate sticky
    serverfarm ALPHA
  policy-map type loadbalance first-match vip-R1A-ALPHA
    class class-default
      sticky-serverfarm ALPHA-SRCIP-sticky
      insert-http SRCIP header-value "%is"
  policy-map multi-match PREP-VIP
    class VIP-ALPHA-R1A
      loadbalance vip inservice
      loadbalance policy vip-R1A-ALPHA
      appl-parameter http advanced-options HTTP_REBAL
      ssl-proxy server SSL_ALPHA_R1A
  !!Back ACE
  parameter-map type http HTTP_REBAL
    persistence-rebalance
    length-exceed continue
  sticky http-header SRCIP ALPHA-SRCIP-sticky
    timeout 60
    replicate sticky
    serverfarm coresoms-ALPHAfarm
  class-map type http loadbalance match-all SRCIP-MAP
    2 match http header SRCIP header-value ".*"
  policy-map type loadbalance first-match vip-lb-ALPHA
    class SRCIP-MAP
      sticky-serverfarm ALPHA-SRCIP-sticky
  policy-map multi-match lb-vip
    class VIP-ALPHA
      loadbalance vip inservice
      loadbalance policy vip-lb-ALPHA
      appl-parameter http advanced-options HTTP_REBAL

  Hi Joseph,
  To achieve this you need to do stickiness based on some L7 parameter (either the header you are currently using or some cookie), so, whatever you do you will have to use persistence rebalance.
  I have one possible theory for your issue.
  The ACE has two different ways of treating the L7 connections internally, that we call "proxied" and "unproxied". In essence, the proxied mode means that the traffic will be processed by one of the CPU (normally to inspect/modify the L7 data), while, on the unproxied mode, the ACE sets up a hardware shortcut that allows forwarding traffic without the need to do any processing on it.
  For a L7 connection, the ACE will proxy it at the beginning, and, once all the L7 processing has been done it will unproxy the connection to save resources. Before it goes ahead with the unproxying, it needs to see the ACK for the last L7 data sent. This wait, on a Internet environment can introduce around 100-200ms of delay for each HTTP request, which can end up adding into a very big delay. By default, if the ACE sees that the RTT to the client is more than 200ms, the connection will never be unproxied to avoid these delays, so I think we could fix your issue by tweaking this threshold.
  From what you described, I asssume you don't have many connections (because they all come through a proxy) and that the connections will have a lot of HTTP requests inside. With that in mind, I would suggest setting the threshold to 0 to ensure to keep connections always proxied. To do this, you would nee to configure a parameter map like the one below and add it to your VIP
      parameter-map type connection
        set tcp wan-optimization rtt 0
  Even though this setting may avoid your issue, it also has some drawbacks. The main one is that the ACE20 only supports up to 512K simultaneous L7 connections in proxied state (which includes also the connections towards the servers, so, it would be 250K for client connections), so, if the amount of simultaneous connections reaches that limit, new connections would be dropped. The second issue, although not so impacting, would be that the maximum number of connections per second supported would also go down slightly due to the increased processing needed.
  I hope this helps
  Daniel

• ACE SSL Reverse Proxy for multible URLs

  Hi,
  I am trying to setup an ACE as a reverse proxy (one-arm mode) for HTTPS connections for multiple URLs to multiple serverfarms. From what i know i have two options:
  1. Use different VIP for each URL and do
  L4 loadbalancing or use a
  combination of IP address and port.
  2. Use different VIP for each URL, do
  SSL offloading and do L7 URL based
  loadbalancing.
  So with these options i am bind to use different IPs for each site. Is there a way i can use one VIP and then offload SSL and do URL based loadbalancing? From my knowledge we are restricted by the nature of the SSL. The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the problem is that the SSL session is a separate transaction that takes place before the HTTP session even starts so there is no visibility of the HTTP header.
  Any comments appreciated
  George Georgiou

  Geroge,
  your understanding is absolutely correct.
  We need to know the site in order to decrypt te traffic because the certificate is associated to a domain name.
  But without decrypting, we can't see the domain name.
  So, the only way to know the domain without decrypting is to allocate a single ip to each domain.
  There is no other solution.
  Gilles.

• Can the 4710 reverse proxy like the Apache rerwite rule

  We currently have web servers configured with Apache that act as reverse proxies using an Apache rewrite rule. The end user connects to the Apache web server and it proxies that connection to the backend app server. Is the 4710 capable of acting as a reverse proxy like Apache which would eliminate the need for a web server?
  Thanks

  Hi,
  Although this is not the most common scenario it is doable. What you will need is to NAT the client source IP to the ACE VIP and send the request to the web server. If there is a web farm then you can use another context of ACE to loadbalance the request to the web farm.Actually i have setup ACE as a reverse proxy in replacement of an ISA server by using the one-arm mode for the implementation. Beware though that you will need to use Policy Based Routing or NAT so as for the return traffic to go though ACE. Also you will need to insert the client IP in the x-forwarded-for HTTP header for proper analysis (as you would do with Apache).
  See below link for routed mode (it is for the c6500 / ACE module but same applies for the ACE 4710 appliance
  http://supportwiki.cisco.com/ViewWiki/index.php/Configure_ACE_with_Source_NAT_and_Client_IP_Header_Insert
  Hope it helps,
  ./G

• ACE as Reverse Proxy

  Can ACE function as reverse proxy without the ACE Web application Firewall?

  Hi,
  If you configure source NAT on all of the client traffic, the ACE will act more or less like a reverse proxy requesting the data from the server using the configured NAT IP instead of the client original one.
  Just keep in mind that the ACE won't ever do any caching whatsoever so you can forget about it if this is what you are looking for.
  Regards,
  Nicolas

• ACE 4710 like Proxy Log?

  Hi guys!
  I have one question to the ACE.
  We using the ACE as Proxy.
  Can write the ACE a proxy log? (GET, Post requests)
  Like so
  192.168.0.1 - - [09/Oct/2010:02:12:40 +0200] "GET / HTTP/1.1" 302 304 "http://www.cisco.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.10) Gecko/20100914 AskTbCDS/3.9.0.12758 Firefox/3.6.10"
  192.168.0.1 - - [09/Oct/2010:06:17:14 +0200] "GET /oks/app HTTP/1.1" 200 3861 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)"
  192.168.0.1 - - [09/Oct/2010:06:17:15 +0200] "GET /css/default.css HTTP/1.1" 304 - "https://blablbla.at/oks/app" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C
  did anybody know that the ACE can do this.
  He can also forward the events to a sys Server. Is it posible?
  Thanks
  regards Markus

  Hi Markus,
  The short answer is no.
  This kind of logging you are looking for is more common in HTTP caching devices. However, the ACE will only proxy connections in order to get enough information to make a load-balancing decision.
  Regards
  Daniel

• ACE 4710: Find out the response time of a real server

  Hi to everyone,
  I have a couple of ACE 4710 and I need to find out what is the response time of a real server.
  Is there a way for this?
  Thank you for any answer!
    giorgio romano

  Hi,
  Kindly add the following line in your serverfarm configuration:
  predictor response syn-to-synack
  Suppose your serverfarm looks like this:
  serverfarm host AAA_FARM
  predictor response syn-to-synack
  probe HTTP_PROBE
  probe TCP9001_PROBE
  rserver SC106
  inservice
  rserver SC107
  inservice
  rserver SC108
  inservice
  rserver SC109
  inservice
  rserver SC110
  inservice
  rserver SC111
  inservice
  rserver SC112
  inservice
  rserver SC113
  inservice
  rserver SC114
  inservice
  rserver SC120
  inservice
  rserver SC131
  inservice
  And then use the following command to see the average response time from your rserver as follows:
  ACE1/prod# show serverfarm AAA_FARM detail
  serverfarm     : AAA_FARM, type: HOST
  total rservers : 11
  active rservers: 11
  description    : ServerFarm AAA
  state          : ACTIVE
  predictor      : RESPONSE
  method            : syn-to-synack
  samples           : 8
  failaction     : -
  back-inservice    : 0
  partial-threshold : 0
  num times failover       : 0
  num times back inservice : 0
  total conn-dropcount : 0
  Probe(s) :
  HTTP_PROBE,  type = HTTP
  TCP9001_PROBE,  type = TCP
  ----------connections-----------
  real                  weight state        current    total      failures
  ---+---------------------+------+------------+----------+----------+---------
  rserver: SC106
  x.x.x.x.:0        8      OPERATIONAL  2          1125       0
  max-conns            : 4000000   , out-of-rotation count : 0
  min-conns            : 4000000
  conn-rate-limit      : -         , out-of-rotation count : -
  bandwidth-rate-limit : -         , out-of-rotation count : -
  retcode out-of-rotation count : -
  load value           : 0
  average response time (usecs) : 81   ----> thats what you might be looking for
  From other day :
  rserver: SC114
  x.x.x.x:0        8      OPERATIONAL  70         10903      2
  max-conns            : 4000000   , out-of-rotation count : 0
  min-conns            : 4000000
  conn-rate-limit      : -         , out-of-rotation count : -
  bandwidth-rate-limit : -         , out-of-rotation count : -
  retcode out-of-rotation count : -
  load value           : 0
           average response time (usecs) : 1334                       ----> thats what you might be looking for
  For Serverfarm BBB_FARM
  serverfarm     : BBB_FARM, type: HOST
  total rservers : 1
  active rservers: 1
  description    : ServerFarm BBB
  state          : ACTIVE
  predictor      : RESPONSE
  method            : syn-to-synack
  samples           : 8
  failaction     : -
  back-inservice    : 0
  partial-threshold : 0
  num times failover       : 1
  num times back inservice : 1
  total conn-dropcount : 0
  Probe(s) :
  ----------connections-----------
  real                  weight state        current    total      failures
  ---+---------------------+------+------------+----------+----------+---------
  rserver: SC208
  x.x.x.x:0        8      OPERATIONAL  0          0          0
  max-conns            : 4000000   , out-of-rotation count : 0
  min-conns            : 4000000
  conn-rate-limit      : -         , out-of-rotation count : -
  bandwidth-rate-limit : -         , out-of-rotation count : -
  retcode out-of-rotation count : -
  load value           : 0
           average response time (usecs) : 0   ----> thats what you might be looking for
  Use more detials for response predictor:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1068831
  Configuring the Application Response Predictor
  To instruct the ACE to select the server with the lowest average response time for the specified response-time measurement based on the current connection count and server weight (if configured), use the predictor response command in server farm host or redirect configuration mode. This predictor is considered adaptive because the ACE continuously provides feedback to the load-balancing algorithm based on the behavior of the real server.
  To select the appropriate server, the ACE measures the absolute response time for each server in the server farm and averages the result over a specified number of samples (if configured). With the default weight connection option configured, the ACE also takes into account the server's average response time and current connection count. This calculation results in a connection distribution that is proportional to the average response time of the server.
  The syntax of this command is as follows:
  predictor response {app-req-to-resp | syn-to-close | syn-to-synack}[samples number]
  The keywords and arguments are as follows:
  •app-request-to-resp—Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.
  •syn-to-close—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.
  •syn-to-synack—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server.
  •samples number—(Optional) Specifies the number of samples over which you want to average the results of the response time measurement. Enter an integer from 1 to 16 in powers of 2. Valid values are 1, 2, 4, 8, and 16. The default is 8.
  For example, to configure the response predictor to load balance a request based on the response time from when the ACE sends an HTTP request to a server to when the ACE receives a response back from the server and average the results over four samples, enter:
  host1/Admin(config)# serverfarm SFARM1
  host1/Admin(config-sfarm-host)# predictor response app-req-to-resp
  samples 4
  To reset the predictor method to the default of round-robin, enter:
  host1/Admin(config-sfarm-host)# no predictor
  To configure an additional parameter to take into account the current connection count of the servers in a server farm, use the weight connection command in server farm host predictor configuration mode. By default, this command is enabled. The syntax of this command is as follows:
  weight connection
  For example, enter:
  host1/Admin(config)# serverfarm SF1
  host1/Admin(config-sfarm-host)# predictor response app-request-to-resp
  samples 4
  host1/Admin(config-sfarm-host-predictor)# weight connection
  To remove the current connection count from the calculation of the average server response time, enter:
  host1/Admin(config-sfarm-host-predictor)# no weight connection
  You can use threshold milliseconds parameter which is optional Specifies the required minimum average response time for a server. If the server response time is greater than the specified threshold value, the ACE removes the server from the load-balancing decision process (takes the server out of service).
  Enter an integer from 1 to 300000 milliseconds (5 minutes). The default is no threshold (servers are not taken out of service).
  In case if you have measures the response time from  when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server  use syn-to-close      (already discussed previously)
  If you have to measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server use syn-to-synack   (already discussed previously)
  SAMPLES parameter is optional and  specifies the number of samples that you want to average from the results of the response time measurement and response time is used to select the server with the lowest response time for the requested response-time measurement. If you do not specify a response-time measurement method, the ACE uses the HTTP app-req-to-response method.
  Whenever a server's load reaches zero, by default, the ACE uses the autoadjust feature to assign a maximum load value of 16000 to that server to prevent it from being flooded with new incoming connections. The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and other configured options.
  Using the least-loaded predictor with the configured server weight and the current connection count option enabled, the ACE calculates the final load of a real server as follows:
  final load = weighted load × static weight × current connection count
  where:
  •weighted load is the load reported by the SNMP probe
  •static weight is the configured weight of the real server
  •current connection count is the total number of active connections to the real server
  The ACE recalculates the final load whenever the connection count changes, provided that the (config-sfarm-host-predictor) weight connection command is configured. If the (config-sfarm-host-predictor) weight connection command is not configured, the ACE updates the final load when the next load update arrives from the SNMP probe.
  If two servers have the same lowest load (either zero or nonzero), the ACE load balances the connections between the two servers in a round-robin manner.
  HTH
  Plz rate if u find it useful.
  Sachin

• ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?

  Hello all, I'm new to the ACE 4710 and need to know some details about stickyness.
  As background, we are a small company with a SaaS product and a pair of webservers.
  I have set up the loadbalancing default L7 Load-balancing rule to sticky based on a Cookie based Stickey Group.
  That seems to be working and session traffic is sticking to a server during the user's session.
  Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
  I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
  As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work little to no tranining on this hardware and no budget at this point to pay someone else for configuration and setup.
  I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issue while those sessions are active and have new connections to other client urls balanced among the webservers.
  Hopefully this request makes sense.
  Thanks,
  Mark Steeves.

  Daniel,
  Thanks for the reply, but I cannot reach the URL you included.  It gives me a 403.
  Therfore without reading the article, I wanted to ask if the proper setup would be:
  1. Default L7 load-balancing action: Primary action: Sticky: Stickey Group using
  Type = HTTP Header: Header name = Host
  2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
  Using this setting in testing, it looks like all the traffic keeps going to 1 server only.  Granted there is not much traffic t the servers, but I have 2 different url being tested. url1.ourdomain.com & url2.ourdomain.com
  If you have another link for the above document, please let me know.
  Thanks,
  Mark Steeves.

• Https serverfarm with http sorry server

  Hello all,
    I am having difficulty configuring a sorry server for an existing https serverfarm.  The sorry (backup) server is failing all connections and I think it's because I can not determine a way to differentiate ssl connections for the production serverfarm and non-ssl connections for the sorry server.  Here is the load balance policy:
    policy-map type loadbalance http first-match WWW-HTTPS-LBP
    class class-default
      serverfarm WWW-HTTPS backup WWW-OUTAGE
      action https-rewrite
      ssl-proxy client CLIENT-SSL-PROXY
    The WWW-HTTPS serverfarm is comprised of HTTPS real servers, hence the necessity of the ssl-proxy client; however, when the WWW-HTTPS serverfarm is offline, the ssl-proxy can't connect to the WWW-OUTAGE serverfarm as the real server in that farm is HTTP only.
    Has anyone run into this scenario before?

  The ssl-proxy client forces the connection on the backend (to the real server to be https).
  You should instead create a redirect serverfarm and use it to redirect the user to an http vserver where you can use your http serverfarm without the ssl-proxy client.
  Gilles.

• Which role do I need DFS or File server on fail over cluster server 2012 R2?

  what I want to achieve is that I want to share all my user data files in a central location and to be highly available all the time whether it's a general share or folder redirection data. BUT I'm a bit confused;  I have fail over cluster  set-up
  on server 2012, now I would like to add DFS as a role but than we have another role called File server and virtually it does the same thing as DFS? Means it creates a namespace share that can be access even one of the nodes goes down. Now I am thinking is
  that DFS does the replication between two physical location but fail over cluster works slightly differently  and with file server it pretty much does the same thing except for replicating data from one drive to another. Now what do you suggest I do or
  did I get the concept wrong like a noob?

  DFS and Failover Clustering for file shares provides a similar end result for file access, but they are significantly different implementations.
  Clustering provides high availability to files by presenting shared access to set a files served from a cluster.  With 2012 R2 Microsoft added the ability to create a Scale-out File Server that even allows all nodes of the cluster to server access to
  the files for a higher level of performance and other great things.  Bottom line with Failover Clusters for files is that there is a single copy of the file presented from the cluster.
  DFS on the other hand provides high availability to files by presenting multiple copies of the file by making a copy in two or more locations and presenting a naming space that allows access to the file through any of the network paths.  DFS works very
  well for files that are primarily read-only.  When you get into a situation where there is a lot of updating of the shared files, DFS is not a very good solution.  There are ways to implement DFS for read/write files, but it generally requires a
  good knowledge of how the files are used and how you want to manage them.
  The key to answering your question comes in your first sentence "I want to share all my user data files in a central location and to be highly available all the time".  My initial reaction to this is that central location means Failover Cluster
  - there is only a single copy of the file.  However, "all the time" can be compromised by network failures to the central site.  Remote sites would not have access if they can't access the central site.  DFS provides the ability to
  have copies remotely, but then if you allow updating at multiple sites, you have to manage the merging of the changes, among other things.
  . : | : . : | : . tim

• Ace 4710 SSL Proxy TLS (Beast) Mitigation

  Has anyone heard if there is an upgrade path to mitigate this recent tls1.0 and sslv3 exploit?
  Thanks
  Darren
  Sent from Cisco Technical Support iPad App

  Hi Darren,
  I haven't seen any official cisco comment about this yet.
  Also our customers are asking for updates on this security advisory....
  Edwin

• ITS through Reverse Proxy : Only POST method  doesn't work

  Hi all,
  We are using an Apache Reverse Proxy infront of our Portal and ITS Server
  and using https.
  Reverse Proxy : 443 > ITS:8443
  We have rewrite rules for /sap and /scripts (ITS) /irj (portal) in the
  Reverse Proxy .
  We have set the following variables through the wgate-config URL of the
  ITS server (SetHeader) :
  HTTPS on
  HTTP_HOST proxy_server:443
  All ITS Iviews that use GET mehod display correctly .
  However all ITS Iviews that use POST create an Apache Proxy Error.
  We believe this is due to HTTP_CONTENT_LENGTH not being set in the ITS .
  Do we set this value the same way?
  Are there any other ITS settings that would cause this error for POSTS in
  a Reverse Proxy ?
  Regards
  Daniel

  There is a way around this (thanks to apple for responding to my bug submission) but it's slow. Test to see if the glyphCode created is greater than zero or not:
  final FontRenderContext fontRenderContext = new FontRenderContext(null, false, false);
  char[] array = new char[1];
  array[0] = (char) intvalueofchar;
  GlyphVector glyphVector = glyphFont.createGlyphVector(fontRenderContext, array);
  int glyphCode = glyphVector.getGlyphCode(0);
  boolean validchar = (glyphCode > 0);I only need to do this on the mac; on windows it does the right thing without this. If anyone has any suggestions for speeding it up (I already have it running in a thread), that'd be great - but thought I'd post it here for anyone else who might run into the same problem some day.

• Reverse proxy retrieve failed

  Hi,
  We are using Iplanet 4.1 as a basic web server and Netscape 3.5 proxy server to reverse proxy content from a CERN web server. Both Platforms are SPARC running Solaris 2.7. The reverse proxy works well except when reverse proxying dynamic content i.e. the CERN server provides graphs on demand and therefore can take upto 60 seconds to create, however the reverse proxy server seems to timeout after about 12 seconds.
  Error in proxy logs:
  retrieve-exit-routine reports:proxy retrieve failed:Document contains no data
  Any ideas or experiences ? Cheers

  Hi All,
  Just found the answer to this - my Apache configuration was missing a very simple command (everything is simple once you find the answer )
  On my reverse proxy configuration I forgot the following:
  ProxyPerserveHost On
  Hope that helps somebody out,
  Brenton.

• ACE 4710 balance among URL

  I have ACE 4710 and I need configuration:
  I have real web-server with  folders : /1/index.html, /2/index.html, /3/index.html
  I need to  balance virtual service:
  If I try to connect URL: http://server/index.html,  then ACE balance among
  http://real_server/1/index.html,
  http://real_server/2/index.html,
  http://real_server/3/index.htm
  How can I  configure ACE ?

  ACE, can't modify the url.
  But it can send redirect.
  So you could build 3 redirect rservers, and have ACE loadbalance between them.
  rserver redirect HTTP-REDIRECT1
    webhost-redirection http://real_server/1/index.html
    inservice
  rserver redirect HTTP-REDIRECT2
     webhost-redirection http://real_server/2/index.html
     inservice
  rserver redirect HTTP-REDIRECT3
     webhost-redirection http://real_server/3/index.html
     inservice
  serverfarm redirect SF_REDIRECT
    rserver HTTP-REDIRECT1
      inservice
    rserver HTTP-REDIRECT2
      inservice
    rserver HTTP-REDIRECT3
      inservice
  But even if it works, this does not sound good.
  It seems like a design done by an application server person who does not know how network loadbalancers work.
  It seems like all you need is stickyness, which you are trying to achieve by redirecting to /1 or /2 or /3.
  But this can be done differently with cookies or by just doing stickyness on source ip address.
  Gilles.