ACE http header response

Similar Messages

• How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking

  How to add HTTP Header Response X-Frame-Options:SAMEORIGIN from OWA published via Forefront TMG 2010 to stop Clickjacking. I have put the IIS setting X-Frame-Options:SAMEORIGIN  on my Internal CAS Server. However as the OWA page is published through
  Forefront TMG 2010, the iFrame tag is not blocked when the page is first opened. Only when you login with your credentials to the OWA page inside the frame and the page reaches IIS on the Internal CAS it gets blocked. I want to block it in the first
  instance when it is opened from TMG.

  Hi,
  Thank you for the post.
  To modify the http header, please refer to this blog:
  http://tmgblog.richardhicks.com/2009/03/27/using-the-isa-http-filter-to-modify-via-headers-and-prevent-information-disclosure/
  Regards,
  Nick Gu - MSFT

• ACE http header rewrite

  hi
  is there any chance to change my requeste on ace like this?
  the request is http://www.xpto.com and i need to be rewrite to http://xpto.com
  thanks in advance
  Antero

  Hi Antero,
  Yes, this is possible. Just check the link below for more details
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1151822
  Assuming "http://www.xpto.com" is the only request you want to rewrite, the syntax of the action would be "header rewrite request Host header-value www.xpto.com replace xpto.com"
  If, however, you need to create this action in a more generic way so that any URL is rewritten in the same format, you would need to use a regular expression. In this case, it would be something similar to the following (I didn't test it, so I'm not 100% sure that the regex is correct) "header rewrite request Host header-value www\.(.*)\.com replace %1.com"
  I hope this helps
  Daniel

• ACE HTTP Header Port Rewrite

  What is the syntax for rewriting the destination port for a HTTP request?
  For Example: Rewriting "http://www.test123.com" TO "http://www.test123.com:81"
  Thanks!

  Hi,
  The simple solution is to specify port at rserver level to the desired port. In your case it should be like this :
  host1/Admin(config-sfarm-host)# rserver SERVER1 81
  this is from the documentation which explain the same:
  Associating a Real Server with a Server Farm
  You can associate one or more real servers with a server farm and enter real-server server-farm configuration mode by using the rserver command in either server farm host or server farm redirect  configuration mode. The real server must already exist. For information  about configuring a real server, see the "Configuring Real Servers" section. You can configure a maximum of 16,384 real servers in a server farm. The syntax of this command is as follows:
  rserver name [port]
  The arguments are as follows:
  •name—Unique  identifier of an existing real server. Enter an unquoted text string  with no spaces and a maximum of 64 alphanumeric characters.
  •port—(Optional) Port number used for the real server port address translation (PAT). Enter an integer from 1 to 65535.
  If you choose not to assign a port number for the real server  association with the server farm, the default behavior by the ACE is to  automatically assign the same destination port that was used by the  inbound connection to the outbound server connection. For example, if  the incoming connection to the ACE is a secure client HTTPS connection,  the connection is typically made on port 443. If you do not assign a  port number to the real server, the ACE will automatically use port 443  to connect to the server, which results in the ACE making a clear-text  HTTP connection over port 443. In this case, you would typically define  an outbound destination port of 80, 81, or 8080 for the backend server  connection.
  For example, to identify real server SERVER1 and specify port 80 for the outgoing connection, enter:
  host1/Admin(config-sfarm-host)# rserver SERVER1 80
  host1/Admin(config-sfarm-host-rs)#
  Hope that helps.
  regards,
  Ajay Kumar

• Ace http response code seeing 500, but server returning 200

  we have an http probe configure like below,the real is failing probe, and the ace says it's returning a 500 response code,however when i browse to  the server from my laptop, i get a 200, and the correct regex ( going to http://172.19.254.51/operation.aspx) . Is it possible the server could send a different response code to ace?
  probe http HTTP
    interval 5
    passdetect interval 5
    receive 3
    request method get url /operation.aspx
    expect status 200 200
    open 2
    expect regex "operation"
  serverfarm host AMS_AI
    probe HTTP
    rserver server1
      inservice
    rserver server2
      inservice
    rserver server3
      inservice
  show probe HTTP detail
       real      : server3I[0]
                         172.19.254.51   1925172    24779      1900393    FAILED 
     Socket state        : CLOSED
     No. Passed states   : 5646         No. Failed states : 5646
     No. Probes skipped  : 0         Last status code  : 500
     No. Out of Sockets  : 0         No. Internal error: 0
     Last disconnect err : Received invalid status code
     Last probe time     : Wed Feb 23 10:53:21 2011
     Last fail time      : Wed Feb 23 09:21:29 2011
     Last active time    : Wed Feb 23 03:51:41 2011

  you will probably have to configure the HTTP header of the probe you send. Maybe the web server
  is expecting specific fields (virtual hosts ?)

• ACE: wrong IP in HTTP header HEALTHCHECK packet

  Hi,
  I encounter a strange problem with ACE when the blade performs a HTTP healthcheck towards a RSERVER.
  Sometimes, ACE insert in the HTTP header a strange IP address, others then the IP address of the rserver, for which it performs a healthcheck.
  Anyone encountered the same problem?
  Thx, Wim

  Hi Gillis,
  I reported this issue to our integrator. I think they will open a cisco case right now.
  We are able to reproduce this problem. So, that might not be the problem to troubleshoot at this moment.
  For your information, we had version A1.6 running until last week. Now, we upgraded to A2, but the healthcheck issue is still present.
  I assume you 'll informed via the support case?

• Load Balancing with ACE using HTTP Header information

  Hello,
  I am trying to setup a class-map using http loadbalance match-all.
  What I want to do is check for the HTTP Host and if it doesnot match the http referer than go to server farm A. if it does match then go to server farm B.
  My problem is the host can be serveral different values as well as the referer. Can you setup varibales in the ACE so I can store the value from http host and compare it against http referer?
  Thanks
  Mike C.

  It should be like this (If you want to use separate class maps for referrer & Host).
  class-map type http loadbalance match-any site1-HostHDR
  2 match http header Host header-value ".*site1.com"
  class-map type http loadbalance match-any site1-Referer
  2 match http header Referer header-value "http://site1.*"
  class-map type http loadbalance match-any site2-HostHDR
  2 match http header Host header-value ".*site2.com"
  class-map type http loadbalance match-any site2-Referer
  2 match http header Referer header-value "http://site2.*"
  class-map type http loadbalance match-all Site1-policy
  2 match class-map site1-HostHDR
  3 match class-map site1-Referer
  class-map type http loadbalance match-all Site2-policy
  2 match class-map site2-HostHDR
  3 match class-map site2-Referer
  policy-map type loadbalance http first-match Site1
  class Site1-policy
  serverfarm SFarm-A
  class Site2-policy
  serverfarm SFarm-A
  class class-default
  serverfarm SFARm-B
  Syed Iftekhar Ahmed

• REG : HTTP header fields (Synchronous response)

  Hi All,
           Can anyone please explain the advantage of using this function in the receiver HTTP adapter( ie
  "Set adapter specific message attribute -> HTTP header fields (Synchronous response)")
  and how this can be implemented?
  Thanks in Adavnce,
  Siva

  >
  sivarama krishna wrote:
  > Hi All,
  >
  >          Can anyone please explain the advantage of using this function in the receiver HTTP adapter( ie
  > "Set adapter specific message attribute -> HTTP header fields (Synchronous response)")
  >  and how this can be implemented?
  >
  >
  >
  > Thanks in Adavnce,
  > Siva
  from help:
  If you want to save HTTP header fields from the synchronous response in the XI message header, choose HTTP Header Fields (Synchronous Response) and enter the fields in the fields Field 1 to Field 6.
  The fields must have the same names as the fields that are also to be sent in the HTTP response.
  The technical names of the fields are HeaderFieldOne,...,HeaderFieldSix.
  this means that in case you look to access the header of the response message of a sync http you can use this ASMA.
  the implementation will be in your response mapping, using dynamic configuration - /people/shabarish.vijayakumar/blog/2009/03/26/dynamic-configuration-vs-variable-substitution--the-ultimate-battle-for-the-file-name

• ACE Module - HTTP 503 Response

  Hello,
  Is it possible for Cisco ACE Module to return HTTP 503 to the user making a web (HTTP) request.
  Does ACE have any built-in HTTP error response feature.
  Thanks.

  The ACE module can't generate web page.
  You should have a server ready to send this page and you can configure ACE to redirect users to that server when required.
  Gilles

• ACE One-Arm Source-NAT HTTP Header Insert

  Hellow ACE Gurus,
  This is probably a dumb question but I'm looking for info on HTTP Header Insert for SSL sessions.  Does the HTTP header re-write action list work for SSL traffic?  I guess I'm not clear on whether or not the header is encrypted and if the ACE can modify on an HTTPS session.  Any input would be greatly appreciated.
  /r
  Rob

  Hi Rob,
  When using HTTPS, all the data is encrypted, including the HTTP headers.
  In such a situation, if you want to insert headers (or do any other kind of L7 processing), you will have to configure the ACE to do SSL termination. Once the connection is decrypted, the ACE can do any processing it needs before sending the connection towards the server either in clear text or again using HTTPS.
  I would recommend you to have a look at the link below. This is an example of how to configure an ACE for end-to-end SSL (so, HTTPS on both sides of the ACE). In the example, the only L7 processing that is being done is matching on the URL, but it would be enough to replace that part with whatever header insertion commands you need
  http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
  If you still need more help to understand any of the points involved in the process, please, do not hesitate to contact me again.
  Regards
  Daniel

• Load Balance Reverse Poxy using ACE and HTTP Header Sticky

  Dear all,
  I have a reverse proxy that makes HTTP and HTTPS requests to an ACE.
  For implement persistence I want to configure HTTP HEADER Stickyness using the X-Forwarder-For information but I don't know:
  How to implement it ( I'l apreciate a little example about it).
  Which values I need for OFFSET and LENGHT fields.
  Can you help me please?
  Thanks a lot!!

  Hi Cesar.
  Thanks a lot for your answer but I think you misunderstand the question or I'm not explaninig very well
  I don't need to insert anything.
  The serverfarm X will be accesed by a reverse proxy. This reverse proxy already inserts the X-Forearder-From header, so the request from the reverse proxy comes with this header to the serverfarm X.
  The problem is that now, the serverfarm X sticky the client based on source IP. This is a wrong behavior becasue all the request comes form the same source (Reverse proxy) and all the load forwards to the same real IP address.
  This is because I want to change the sticky from source IP to HTTP header and looks for the X-Forwarder-For filed.
  Hop it will clarify the question!

• HTTP header insertion problem with ACE

  Hi
  I try to configure the HTTP header insertion feature based on the action-list type modify http. Unfortunately it does not works.
  The config looks like that
  action-list type modify http TEST
  header insert both Host header-value test:test.
  I added this action-list to the correct policy-map.
  When I checked the snifer output on the server side, there is no test value in the HTTP header.
  I test the same feature based on the "insert-http" command in the policy-map and this one works.
  Could anybody help me with this problem?
  Thank you in advance
  Regards
  Lucas

  Hi Lukas,
  Add a new parameter-map named PRMAP_PERST_REBLNC and add this to the policy map using command appl-parameter http advanced-options PRMAP_PERST_REBLNC as shown below:
  action-list type modify http test-insert
  header insert both My-Header header-value test
  header insert both SSL header-value TRUE
  policy-map type loadbalance http first-match HtppInsert
  class class-default
  serverfarm linux1-80
  action test-insert
  policy-map multi-match SLB1
  class VIP-122-80
  loadbalance vip inservice
  loadbalance policy HtppInsert
  loadbalance vip icmp-reply active
  loadbalance vip advertise active
  loadbalance vip advertise metric 1
  connection advanced-options SetTos
  appl-parameter http advanced-options PRMAP_PERST_REBLNC
  parameter-map type http PRMAP_PERST_REBLNC
  persistence-rebalance
  Hope this will make all the packets are inserted with the http header not the first one only.
  If it works then plz inform.
  Kind Regards.
  Sachin Garg

• ACE HTTP Probe with regex

  ACE HTTP Probe with regex
  Hi,
  I'm trying to setup a HTTP probe with expected string rather then a code (config below). I do a GET for the page then a search for a string in the response however it's not working, as probe appears as failed.
  I've tested the connection to the server by using telneting and then looking at the page displayed to make sure the string I want to match is in the response.
  probe http HTTP-PROBE
  port 43050
  interval 30
  passdetect interval 30
  passdetect count 1
  request method get url /action=help
  open 43050
  expect regex action=help
  Q. Is there anything wrong with this configuration and what I'm trying to achive?
  Thanks,
  Pritesh

  Use "expect status" under probe config. expect regex doesnt work if expect status is not configured.
  expect regex work flawlessly with static pages. It doesnt work all the time with dynamic pages.
  Specially if "content-length" header is missing from Server response.
  Hope it helps
  Syed Iftekhar Ahmed

• ACE HTTP probe hash md5 value

  Hi,
  We would like to see the hash value calculated by the ACE when the HTTP probe hash command configured.
  This is possible on CSS via the "sh service" command. We have tried to get it from sh rserver , sh probe XXX detail sh serverfarm XXX det but we do not get it.
  Is this possible to get it on the ACE as we do on the CSS?
  We need this to manually configure it via the hash <value> command because if the ACE probe is reseted for any reason, the probe http hash will be re-calculated based on the first http response of the server and we can not predict that the server will give the expected web page at this time.
  A // question is: on what the md5 value is calculated? HTTP header + payload or only http object payload? We have calculated the md5 hash value by ourselves but the probe is still failing whatever the http portion used for the calculation is.
  Many thanks for your help.
  Regards/ludovic.

  probe http MD5-HTTP
  interval 15
  passdetect interval 15
  request method get url /index.html
  expect status 200 200
  hash 2441DA7F68A265F8CFB4426B6897CE33
  And here is how I computed the hash on the server itself [linux machine]
  md5sum /var/www/HTML/index.html
  2441da7f68a265f8cfb4426b6897ce33 /var/www/HTML/index.html
  [root@linux-1 tftpboot]#
  The probe is UP
  switch/Admin# sho probe MD5-HTTP detail
  probe : MD5-HTTP
  type : HTTP
  state : ACTIVE
  description :
  port : 80 address : 0.0.0.0 addr type : -
  interval : 15 pass intvl : 15 pass count : 3
  fail count: 3 recv timeout: 10
  http method : GET
  http url : /index.html
  Hash-value : 2441da7f68a265f8cfb4426b6897ce33
  conn termination : GRACEFUL
  expect offset : 0 , open timeout : 10
  expect regex : -
  send data : -
  --------------------- probe results --------------------
  probe association probed-address probes failed passed health
  ------------------- ---------------+----------+----------+----------+-------
  serverfarm : linux1
  real : linux1[0]
  192.168.30.27 13 4 9 SUCCESS
  md5sum is a standard tool.
  Nothing fancy about it.
  Gilles.

• OIF11g - Help on sending user attributes in HTTP header

  Hello, I have a OIF11g setup configured for both IdP and SP. Upon successfull authentication against LDAP, I need to end some user attributes on the HTTP header to the SP application. I do no have OAM in my setup, so there is no option of Webgate or Policy Manager to do that. As far as I read the config doc, I'm in the impression that we need to write a custom authentication engine to accept user credentials and code to authenticate against LDAP and also add attributes to the response header.
  Before I go down that path, just wanted to confirm if anybody has done this with OIF?
  Thanks,
  Sunil.

  Bernhard:
  Actually the headers are not set to null. I have an intermediate index.jsp page which is the first page that is redirected to by the AM - it is this page which calls my LoginServlet.
  The value appears consistently on this index.jsp page but after it is forwarded to the LoginServlet it starts behaving inconsistently. I check the system.out log in my websphere /logs folder and that tells me that LoginServlet does not consistenly get these values from the header.
  The wierd part is that if I use cookies or attributes, it works perfectly - each time every time. However, only in the case of headers (which is the method i am required to do) it behaves inconsistently.
  ANY feedback/help on this would be really appreciated bern.. thanks..
  ~saahil