CSS Bypassing farm traffic based on matching HTTP header

Hi,
I am trying to find out whether the CSS is able to bypass specific traffic.
I have an existing content rule to match all HTTP and send it to a farm. However, there are some HTTP flows I don't want to go to the farm; I just want the CSS to route them onward to the destination. These specific HTTP packets are differentiated by the Host field in the header. What config is needed to allow these Host-annotated packets to bypass the server farm?
Thanks
Alan

Hi Gilles,
Thanks for your response. The only thing you may have misread is that I need to select on the Host header field, as the URLs may not have a host part in them, i.e. raw HTTP, not proxied. I guess then I need a header match rule linked to the new content rule, instead of the URL filter you mentioned.
BR
Alan

Similar Messages

  • CSS stickiness based on the HTTP header

    There is a CSS 11503 that should load-balance the traffic between 2 servers running IIS (HTTP port 80). In front of the load balancer there is a reverse proxy that hides the real IP addresses of all users that send requests to the web servers.
    The customer would like to have stickiness per user. The reverse proxy can add the user's real IP address to the HTTP header.
    What kind of load balancing mechanism is better to use to fulfill the customer's requirements? HTTP load balancing? If "yes", are there standard field types that can be used?

    You can't do sticky on an HTTP header in the CSS; the best solution is to insert a cookie for stickiness. Individual clients will get a cookie and will stick based on the cookie presented.
    See:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/content_lb/guide/Sticky.html#wp1109390
    content testing
      vip address 192.168.128.131
      add service s1
      advanced-balance arrowpoint-cookie
      active

  • Feature Request : provide a way to create access policies or identities with matching condition based on the HTTP header's "Referer" field

    Hello,
    I have a use case I would like to share with you. When a customer configures its WSA with highly restrictive internet access, like in the example below, it may trigger some issues:
    1- allow internet access only for URLs defined in a whitelist.
    2- block ALL other requests.
    Let's take the following example:
    1- the customer only allows requests to www.siteA.com. siteA.com is the only URL included in its whitelist.
    2- www.siteA.com contains many embedded objects (such as Facebook Like tags, YouTube videos, links to partner sites, ...)
    In this configuration, the end user will be allowed to reach siteA but the page will not be fully displayed. All the embedded objects not directly located on siteA will be missing.
    With WSA, the easiest way I can imagine to solve the issue is to list all the embedded objects present on siteA, get their URLs and also add these URLs to the whitelist. But this solution is of course far from convenient, since it requires knowing exactly how each HTTP page you want to consult is built.
    With other proxies, such as Bluecoat proxies or McAfee Web Gateway proxies for example, I used to solve this kind of issue by using the HTTP Referer field (the URL you come from). For example with Bluecoat:
    <Proxy>
        ALLOW request.header.Referer.url.domain=//www.siteA.com/
    => All requested objects from siteA.com will be automatically allowed by the proxy, even if they are not part of my whitelist.
    - Do you have a better suggestion than the one I'm currently using with WSA (adding each site to the whitelist)?
    - Would it be possible to add the HTTP Referer field as a matching condition for Identities and access policies in your next release?
    Thanks in advance
    Best regards

    As far as I'm aware this functionality is still not available... It would be an awesome feature to have, but it could also be abused at the same time by a user writing their own "middleware" proxy and setting the Referer header to that allowed site. It could be done in about 15 lines of Perl / Python.
    Either way... it would still be a cool feature to have.

  • Load Balancing with ACE using HTTP Header information

    Hello,
    I am trying to set up a class-map using http loadbalance match-all.
    What I want to do is check the HTTP Host and, if it does not match the HTTP Referer, then go to server farm A. If it does match, then go to server farm B.
    My problem is the Host can be several different values, as well as the Referer. Can you set up variables in the ACE so I can store the value from the HTTP Host and compare it against the HTTP Referer?
    Thanks
    Mike C.

    It should be like this (if you want to use separate class maps for Referer & Host).
    class-map type http loadbalance match-any site1-HostHDR
      2 match http header Host header-value ".*site1.com"
    class-map type http loadbalance match-any site1-Referer
      2 match http header Referer header-value "http://site1.*"
    class-map type http loadbalance match-any site2-HostHDR
      2 match http header Host header-value ".*site2.com"
    class-map type http loadbalance match-any site2-Referer
      2 match http header Referer header-value "http://site2.*"
    class-map type http loadbalance match-all Site1-policy
      2 match class-map site1-HostHDR
      3 match class-map site1-Referer
    class-map type http loadbalance match-all Site2-policy
      2 match class-map site2-HostHDR
      3 match class-map site2-Referer
    policy-map type loadbalance http first-match Site1
      class Site1-policy
        serverfarm SFarm-A
      class Site2-policy
        serverfarm SFarm-A
      class class-default
        serverfarm SFARm-B
    Syed Iftekhar Ahmed
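The match-all / first-match logic of the ACE config above, and the Host-header-based farm selection Alan asks about at the top of the page, modelled in Python as an added example (not ACE code and not Cisco's). It assumes the header-value regex has to cover the whole header value, as the leading `.*` in the posted patterns suggests, and takes the patterns and farm names from the reply as written.

```python
import re
from typing import Dict

# Hypothetical Python model of the class-maps in the reply; not ACE code.
# The regex patterns are copied from the posted config exactly as written.
HOST_PATTERNS = {"site1": r".*site1.com", "site2": r".*site2.com"}
REFERER_PATTERNS = {"site1": r"http://site1.*", "site2": r"http://site2.*"}
FARM_A = "SFarm-A"   # serverfarm for Site1-policy and Site2-policy
FARM_B = "SFarm-B"   # class-default (spelled SFARm-B in the posted config)


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x request into a dict of lower-cased header names."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                             # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def class_map_matches(pattern: str, header_value: str) -> bool:
    """One 'match http header ... header-value' line. Assumption: the regex
    must cover the whole header value (the posted patterns all start with .*)."""
    return re.fullmatch(pattern, header_value) is not None


def site_policy_matches(site: str, headers: Dict[str, str]) -> bool:
    """A match-all class-map: the Host class-map AND the Referer class-map must
    both match, so a request without a Referer header never matches a policy."""
    return (class_map_matches(HOST_PATTERNS[site], headers.get("host", ""))
            and class_map_matches(REFERER_PATTERNS[site], headers.get("referer", "")))


def select_serverfarm(raw_request: str) -> str:
    """policy-map first-match: Site1-policy, then Site2-policy, then class-default."""
    headers = parse_headers(raw_request)
    for site in ("site1", "site2"):
        if site_policy_matches(site, headers):
            return FARM_A
    return FARM_B


if __name__ == "__main__":
    # Constructed requests. The last one shows why the '.' in ".*site1.com"
    # should be escaped as "\." in a real config: unescaped, it matches any character,
    # so a Host of "www.site1xcom" still lands in SFarm-A.
    for req in (
        "GET / HTTP/1.1\r\nHost: www.site1.com\r\nReferer: http://site1.com/a.html\r\n\r\n",
        "GET / HTTP/1.1\r\nHost: www.site2.com\r\nReferer: http://site1.com/\r\n\r\n",
        "GET / HTTP/1.1\r\nHost: www.site1.com\r\n\r\n",
        "GET / HTTP/1.1\r\nHost: www.site1xcom\r\nReferer: http://site1.com/\r\n\r\n",
    ):
        print(parse_headers(req).get("host"), "->", select_serverfarm(req))
```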

  • Load balance traffic to a service based on an added field in the HTTP header

    I am trying to use HTTP header load balancing, but the field we want to use in order to load balance is "user-defined", for example HTTP_TOTO = toto1.
    Do you have any idea how I could perform this?
    Thanks in advance

    Load balancing using pre-defined headers is supported. Not sure if load balancing using user-defined fields is possible. You could refer to the following document.
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_710/bsccfggd/httphead.htm
    We would appreciate it if someone could share their experience if they know more about this.

  • CSS SSL Proxy - how can I write the original source address in the HTTP header

    I'm replacing some BigIPs with CSS 11500s that are configured to do front/backend SSL proxying in a one-armed configuration. The BigIPs write the original source IP address as an HTTP header value when the traffic is sent to the application, and the application uses the IP to match against an application ACL. How can I do the same in the CSS?
    thanks,
    Brian

    Here is what you can insert with the SSL module:
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080292a76.html#wp1027619
    Gilles.

  • Prioritize traffic based on destination IP?

    Hi all, we're looking to use an ASA 5505 or 5510 as our firewall but want to see if one of them can help us prioritize traffic. I know it does QoS, but we want to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible, and does it take a license upgrade?
    Thanks!

    Jerry, I would try something like the second config example I mentioned. Keep in mind, if the ISP doesn't support marking packets, it may be hard to QoS inbound. If you assign the VoIP traffic high priority, it should go out the interface first during congestion. You don't need to dedicate a certain amount of bandwidth in any way. Make sure in the design to keep the VoIP traffic, VPN traffic and user PAT (outbound NAT) traffic on separate IPs. That will help when defining the access-lists. This QoS stuff is kind of tricky and a bit confusing. I have set up a few configs according to the above examples and they _seem_ to work. I ran a policing queue on the edge router for traffic leaving to the ASA, and ran a priority queue on the ASA. When I test a big download from a major site, which could consume all bandwidth, it doesn't appear to clobber VoIP traffic. The same results apply when I test a big upload to the internet. The QoS stuff is tricky though, and I _didn't_ see what I expected when I used the show QoS commands to see traffic drops, etc., so YMMV!
    Take a look at this link for the ASA 7.X release, which may give you some ideas:
    "QoS based on ACL with VPN Configuration". You can change the ACL to include the outside interface IP as long as you have separated the NATs, VPN, etc. like I mentioned earlier.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
    Will

  • CSS 11503 session-based stickiness

    Need assistance coming up with a solution for session-based stickiness.
    1. Can this be based on the JSESSIONID?
    2. Can the CSS send a cookie and the clients stick to the same servers until the session expires and the cookie is removed?
    3. Also, can we set a timeout value for the cookie?

    If the servers are setting the cookies, then you need something like this:
    Service webserver1
      ip address 10.10.10.1
      string server1 <-- server cookie value
      active
    Service webserver2
      ip address 10.10.10.2
      string server2 <-- server cookie value
      active
    Service webserver3
      ip address 10.10.10.3
      string server3 <-- server cookie value
      active
    content mycontent
      vip address 12.12.12.12
      add service webserver1
      add service webserver2
      add service webserver3
      string prefix "JSESSIONID="
      protocol tcp
      port 80
      url "/*"
      advanced-balance cookies
      sticky-inact-timeout 60 <-- Inactivity timeout value for cookie
      active
    The string prefix (that goes on the content rule) would need to match the name of the cookie:
    string prefix "JSessionID="
    Then the string on the services would need to match the value that is inserted by each server:
    Example:
    Service webserver1
      ip address 10.10.10.1
      string server1
      active
    Then the cookies injected from server1 would need to look like this:
    JSessionID=service1
    That is how the CSS would then identify which server the cookie belongs to and how to send it to it. If the JSessionID values are random, then the CSS would not be able to match the values to a service.
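An added Python model (not CSS code, not from the reply's author) of the cookie-based stickiness described above: the value found after the content rule's string prefix is compared with each service's configured string, and a request whose value matches no service, such as a random application JSESSIONID, gets no sticky decision and falls back to ordinary balancing. Exact, case-sensitive comparison of prefix and value is assumed; service names, addresses and strings are the reply's.

```python
from typing import Dict, Optional

# Service table mirroring the reply's config: the per-service "string" is the
# value the CSS expects to find after the content rule's string prefix.
SERVICES: Dict[str, Dict[str, str]] = {
    "webserver1": {"ip": "10.10.10.1", "string": "server1"},
    "webserver2": {"ip": "10.10.10.2", "string": "server2"},
    "webserver3": {"ip": "10.10.10.3", "string": "server3"},
}
STRING_PREFIX = "JSESSIONID="   # 'string prefix' on the content rule


def cookie_value_after_prefix(cookie_header: str, prefix: str) -> Optional[str]:
    """Return the text following the string prefix in a Cookie header, or None
    when no cookie pair starts with it. Pairs are separated by ';' (RFC 6265)."""
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if pair.startswith(prefix):
            return pair[len(prefix):]
    return None


def sticky_service(cookie_header: Optional[str]) -> Optional[str]:
    """Emulate 'advanced-balance cookies': the service whose configured string
    equals the cookie value. None means no sticky decision is possible and the
    CSS falls back to its normal balancing for this request."""
    if not cookie_header:
        return None
    value = cookie_value_after_prefix(cookie_header, STRING_PREFIX)
    if value is None:
        return None
    for name, svc in SERVICES.items():
        if svc["string"] == value:   # exact, case-sensitive match (assumption)
            return name
    return None


def forward_to(cookie_header: Optional[str], fallback: str = "webserver1") -> str:
    """Destination IP for a request: the sticky service when one matches, else
    the service ordinary balancing would pick (fixed to `fallback` here)."""
    return SERVICES[sticky_service(cookie_header) or fallback]["ip"]


def set_cookie_for(service_name: str) -> str:
    """Set-Cookie value a server must emit so the CSS can recognise it later:
    the content rule's prefix followed by that service's configured string."""
    return STRING_PREFIX + SERVICES[service_name]["string"] + "; Path=/; HttpOnly"


if __name__ == "__main__":
    # Constructed Cookie headers: a server-chosen value sticks, a random
    # application session id does not, and a wrong-case name is not our prefix.
    for hdr in ("lang=en; JSESSIONID=server2; theme=dark",
                "JSESSIONID=7A1F9C2E4B3D",
                "jsessionid=server2",
                None):
        print(repr(hdr), "->", sticky_service(hdr), forward_to(hdr))
    print("server3 should emit:", set_cookie_for("webserver3"))
```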

  • ACE match http url with post data

    I need to make a layer-7 load balancing decision at the ACE module based on a URL string that includes form POST data. It is important that the balancing decision include and parse the part of the URL after the question mark. This doesn't seem to work with the "match http url" config on the ACE. My interpretation is that the ACE does not consider the POST data to be part of the URL string, and therefore does not include it in the regular expression matching. Am I missing something here, or have I run into a limitation of the ACE module?
    class-map type http loadbalance match-any L7__URL_MATCH_CLASS
    2 match http url index.php\?field=content.*

    Hi
    The '?' has a special meaning in the URL. It marks the end of the main URL and the beginning of the URL query.
    It's not possible to match '?' in the URL.
    One option could be using secondary cookie matching in ACE.
    class-map type http loadbalance match-any xyz
    2 match http cookie secondary field cookie-value content
    Thanks
    Syed

  • Possible to Route Traffic Based on AVC?

    Is it possible to route traffic based on the Application Visibility and Control functions that specific Cisco routers are capable of? Here's my issue: I have two ISPs. One is at about 120% utilization. The other isn't doing anything. I can specify IP routes based on IP addresses. For instance, I can ip route 173.252.110.27 255.255.255.255 10.x.x.x to point to our ISP2 firewall, which is our non-utilized provider, for Facebook traffic. The problem is that sites like this have massive public subnets, so I won't be able to capture all of the traffic destined to Facebook. Is there a way to route traffic based on application? I know that Palo Alto firewalls have a way to do Policy Based Forwarding based on application. I was wondering if the same was possible with AVC. Thanks for any help.

    Hello.
    Yes, it's possible and, actually, you have 2 ways:
    1. use manual load-balancing between links.
    2. use PfR to load-balance traffic automatically.
    PS: you will also need NAT with a route-map.

  • Prioritise traffic based on IP subnet

    I'm currently using an Avaya IP Office VoIP solution and I want to introduce a Cisco 2600 to replace the WAN units. I've been told that I will need a QoS switch or have two LAN ports on the router to create two subnets (1 for data & 1 for VoIP).
    If I decide to use 2 LAN ports instead of installing a QoS switch, can someone tell me if this solution is viable and, if it is, how I would prioritise the traffic based upon the IP subnet.

    If you are going to place the phones on a single subnet and connect them to a dedicated router interface with no other devices (PCs, printers etc) you should get away without any QoS because all the data on that subnet will be voice bearer, voice signaling and network management with voice bearer being by far the majority of the traffic. Your greatest concern for voice quality should be aimed at the WAN link. You will need to ensure that you have QoS between sites and this will be dependent on the type of WAN link employed.

  • Feature based geometric match stability issue

    I am trying to use Feature and Edge based pattern matching.
    With both methods I get the same problem of a lack of consistency in the match results.
    In one image the score is e.g. 990 and in the next frame there is no recognition even if the score threshold is set to zero.
    The difference between the images is marginal. They were taken 16.7 ms apart with a close to stationary object.
    I do not get any errors; the occlusion is set to 1-20, rotation -70 70, and scale factor 90-110.
    LV 2012 Pro. WinXP 2.4 GHz quad. New drivers.
    I attached three images: the template and the two cases of found and not found pattern.
    Can someone suggest a reason for that? I was using regular pattern matching so far and I am not used to weird results like that.
    Attachments:
    FTemplate.png 26 KB
    Found1.png 91 KB
    Not Found.png 91 KB

    Andrew,
    I appreciate your response. Please see mine.
    "Because of the nature of vision algorithms, their application is often more of an art than a science"
    I have heard it dozens of times. Yet I claim it is science.
    "We did notice there was a lot of noise in the images"
    As you can see, these are low-resolution X-ray images and that, combined with a tiny bit of motion, makes them what they are.
    "I can see a couple of features that are slightly distorted between the two"
    X-ray images, by their nature, are projections of 3D objects and a certain amount of distortion is normal. This is when the part of the algorithm responsible for occlusion, scaling, rotation and the right choice of minimum score kicks in. The issue here is that there is no minimum score that can force the recognition of the second image, which is almost identical.
    "...so we think some filtering may be useful"
    Possibly. However, I am not going to use filters until I know why this or that method works (or doesn't) under close to perfect conditions. The two images are among the best I get. To my surprise it sometimes works with images that are far worse. Filtering or not does not explain the behavior of the software.
    "As far as the template, we could try different regions of the implant"
    Not quite sure what you mean by it. I can use the bottom or the top. The top is a very complicated 3D object with drastically changing projections = failure. Choosing smaller regions will only create a flood of false negatives. Yet I still do not know what is wrong with the current one.
    "Another thing to try could be multiple templates"
    I use that method with pattern template matches (intensity based). I try to choose two patterns that represent the same feature but are fairly distinct from each other in order to span the variety of conditions and projections. Yeah, it is a sort of art. Yet I never choose two templates that are almost identical because it just does not make sense.
    As I mentioned, I am fairly familiar with LV intensity-based methods and not that familiar with LV edge/feature matching. I was hoping to find out if maybe I am missing something about the method. For example, I may need to set a certain parameter higher/lower, and there are quite a few to set up in edge/feature matching. From the math point of view it does not make sense that a small perturbation of an input parameter changes the solution drastically. It means that the solution is pretty much wrong. Even so, assuming that the solution falls far away from the true value and if you are willing to accept big errors, you should get at least "an" answer.
    Here I take the minimum score all the way down to zero and the algorithm finds no similarity at all, null, zilch, which can only mean two things: I am doing something very wrong, or there is something wrong with the algorithm software. If you take two random images you can probably find a 1% or less similarity, but not finding it at all is kind of uncommon.
    Is there something more I could provide to investigate it? I am not looking for alternatives but for suggestions why this method with my implementation fails so miserably.
    With all due respect, the suggestions provided are so general (and also good, but not what I asked for) in nature that they are probably in the textbook of the machine vision technical support under (applies to all methods).

  • Cisco CSS - modify http header

    Hi, I need to modify the HTTP header with the client IP address. I need to modify any of the following fields:
    1) FROM -> with client IP address
       CLIENT IP -> with client IP address
    2) X-Forwarded-For -> with client IP address
    3) REMOTE_ADDR -> with client IP address
    Please advise how to modify the HTTP header with option 1 or 2 or 3.
    Thanks.

    Hi Gavin
    I think I misread your question.
    Question first. Is your CSS configured with one arm and doing client source NATting, and the server needs to see the real IP address of the client? Is that the reason why you want to insert an X-Forwarded-For header with the client's real IP address?
    I did some searching on the CSS, but the CSS doesn't seem to support this feature.
    If you need to see the actual client IP address from the server, then you can do PBR from the router rather than client source NATting.
    regards
    Andrew

  • External Web Service - User and password in HTTP header

    Hi!
    How is it possible to add user and password in the HTTP header in an external web service call?
    I have created a "Portal Service from WSDL file - Client side" with the wizard in SAP Developer Studio. I followed the Java Development Guide - Web Service Security, and used the "secured service connection". I have also created a new "System Landscape", but should the new system be based on HTTP, my own PAR or what?
    How can I check that the user and password are added to the HTTP header or the SOAP envelope? Do I have to scan HTTP traffic with a proxy such as Paros, or can I find the request sent from SAP EP in the logs?
    Cheers
    Asle

    Hello All,
    I have been struggling a bit while putting a reasonable security framework on a JAX-RPC style web service. I'm using JWSDP 1.2 to set up the web service. I've tried to outline my problem below. Please correct me where I'm wrong.
    I've been through Sun's WS tutorials, but they are not really clear on security. However, from them I surmised that there are two decent authentication techniques: HTTP Basic and mutual authentication (MA). Both have their drawbacks though. HTTP Basic suffers from poor encryption while MA is a bit difficult to set up on both client and server sides. Another problem with MA is that there is no central repository for users/passwords.
    OK, what I would really like to do is use my own user database to verify users/passwords, i.e. use an HTTP Basic-like authentication (but at application level) but run it over SSL for encryption. It seems simple, but is it possible?
    Also, I have noted that when I use HTTP Basic on the service side and use a Java client, then setting username/password has no effect. In other words, I can always access the web service, even with a wrong username/password.
    Sorry for the long post. Hope someone can help. Thanks.

  • Adding port in HTTP header information??

    I have a standard HTTPS to HTTP conversion going through a CSS 11506. The CSS terminates the SSL and then passes the cleartext traffic to the backend server via port 8011. The backend server receives this traffic on port 8011, but the HTTP header does not specify port 8011 at the end of the URL (e.g. http://mywebsite.com:8011/content; it only passes through http://mywebsite.com/content). The backend server thinks this traffic has come in on port 80 and reports a 302 error (redirect). Is there some way the CSS can add the :8011 port number into the HTTP header for all traffic bound to the backend server?
    Many thanks,
    Frank

    No, there is no way to add the port to the host info.
    You can run two different instances of the server - each one on its own port - so they don't need to verify the port inside the HTTP request.
    Gilles.
