CSS Sorry Server for HTTPS
How do I configure a sorry server for the HTTPS (443) port? The sorry server works fine with HTTP, but not with 443.
In the following config, if server1 and server2 are down, the HTTP requests go to the sorry server, but for HTTPS nothing is displayed. I am running the sorry server on port 81.
Please suggest
!************************** SERVICE **************************
service prisorry
ip address 10.100.11.11
keepalive type http
keepalive port 81
port 81
active
service secsorry
ip address 10.100.11.12
keepalive port 81
keepalive type http
port 81
active
service server1
ip address 10.100.11.11
keepalive type http
keepalive port 80
active
service server2
ip address 10.100.11.12
keepalive type http
keepalive port 80
active
!*************************** OWNER ***************************
owner Loadbalancing
content L4Rule1
protocol tcp
add service server2
add service server1
port 80
url "/*"
vip address 10.100.11.4
advanced-balance sticky-srcip-dstport
primarySorryServer prisorry
secondarySorryServer secsorry
active
content L4Rule2
protocol tcp
add service server2
port 443
add service server1
vip address 10.100.11.4
advanced-balance sticky-srcip-dstport
primarySorryServer prisorry
secondarySorryServer secsorry
application ssl
active
content L4Rule3
add service server2
protocol tcp
port 1443
add service server1
vip address 10.100.11.4
advanced-balance sticky-srcip-dstport
primarySorryServer prisorry
secondarySorryServer secsorry
active
Thanks
I just deployed a couple 11050's the other day so my experience is limited, but I'd guess your problem is that, when using the Primary Sorry Server, you end up with clients sending HTTPS requests to an HTTP port. Having HTTPS requests redirected to HTTP ports is one thing because the client then makes an HTTP request to that port, but the way you have it above, it appears to me that the client will be talking HTTPS to port 81 on the Sorry Server, which is listening for HTTP.
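The mismatch this reply describes can be checked for mechanically. The Python script below is an added example, not part of the original thread or of any Cisco tooling; it assumes that a content rule on port 443 or marked `application ssl` carries TLS and that a service probed with `keepalive type http` is a cleartext HTTP listener, and its sample config is constructed from the rules posted above.

```python
import re

# Constructed sample: the sorry services and two content rules from the post
# above, trimmed to the lines this check reads.
SAMPLE_CONFIG = """\
service prisorry
keepalive type http
keepalive port 81
port 81
service secsorry
keepalive port 81
keepalive type http
port 81
owner Loadbalancing
content L4Rule1
port 80
primarySorryServer prisorry
secondarySorryServer secsorry
content L4Rule2
port 443
primarySorryServer prisorry
secondarySorryServer secsorry
application ssl
"""

def parse_blocks(text):
    """Split a CSS running-config into {service: lines} and {content rule: lines}."""
    services, rules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or "!****" section banner
        m = re.match(r"(service|content|owner)\s+(\S+)$", line)
        if m and m.group(1) == "owner":
            current = None  # owner line only opens a scope for content rules
        elif m:
            target = services if m.group(1) == "service" else rules
            current = target.setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return services, rules

def carries_tls(rule_lines):
    # Assumption: port 443 or "application ssl" means clients speak TLS to the VIP.
    return "application ssl" in rule_lines or "port 443" in rule_lines

def speaks_plain_http(service_lines):
    # Assumption: a service that passes an HTTP keepalive is a cleartext listener.
    return "keepalive type http" in service_lines

def find_mismatches(text):
    """Return (rule, role, service) for each HTTP-only sorry server behind a TLS rule."""
    services, rules = parse_blocks(text)
    findings = []
    for rule, lines in rules.items():
        if not carries_tls(lines):
            continue
        for line in lines:
            m = re.match(r"(primarySorryServer|secondarySorryServer)\s+(\S+)$", line)
            if m and speaks_plain_http(services.get(m.group(2), [])):
                findings.append((rule, m.group(1), m.group(2)))
    return findings

for rule, role, svc in find_mismatches(SAMPLE_CONFIG):
    print(f"{rule}: {role} {svc} is an HTTP listener behind a TLS rule")
```

On the sample, only L4Rule2 is reported: L4Rule1 hands HTTP clients to an HTTP listener, while L4Rule2 would hand a TLS handshake to the same port 81 service.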
Similar Messages
-
Setting up Debian server for HTTP Dyn Streaming (without FMS)?
Hi!
Is it possible to set up a Debian server for Http Dynamic Streaming without Flash Media Server?
(I realize that this means video on demand only, no live streaming!)
Are there any walkthroughs or tutorials on how this can be done?
Regards / Jonas
I just found this thread, which answers my question:
http://forums.adobe.com/thread/747115 -
Hi,
I have a question regarding sorry server configuration on the CSS 11500 series.
Is there a way for the sorry server to ignore the URL path and always send the user traffic to the "root" page (e.g. index.html) of the sorry server web server?
The problem I have is the redirection of the "root" page (url "/") that is configured for the normal traffic is causing the sorry page not to work since the URL path ("/psp/CUSTOMER1/?cmd=login") does not exist on the sorry page web server:
service Sorry-Server
protocol tcp
port 8000
keepalive type tcp
ip address 192.168.2.254
active
service server1
ip address 192.168.2.101
protocol tcp
keepalive type tcp
port 8080
active
service server2
ip address 192.168.2.102
protocol tcp
keepalive type tcp
port 8080
active
owner Customer1
content Content1
vip address 192.168.1.101
port 80
protocol tcp
url "/*"
balance aca
advanced-balance arrowpoint-cookie
flow-timeout-multiplier 6
add service server1
add service server2
primarySorryServer Sorry-Server
active
content Content1-Redirect
redirect "/psp/CUSTOMER1/?cmd=login"
vip address 192.168.1.101
port 80
protocol tcp
url "/"
active
Thanks in advance for your help!
Best regards,
Harry
Hi again,
During a maintenance window I made the following change and that made things a bit better:
service Sorry-Server
type redirect
keepalive type none
redirect-string "192.168.2.254:8000"
active
However, since the redirect string points to a private address, Internet users are not able to access the URL.
As a work-around I sent the redirect to a new content rule with a public address and then configured a second sorry page server:
service Sorry-Server
type redirect
keepalive type none
redirect-string "sorry.example.com:8000"
active
service Sorry-Server-2
ip address 192.168.2.254
protocol tcp
port 8000
keepalive type tcp
active
owner Customer1
content Content2
vip address x.x.x.x
add service Sorry-Server-2
port 8000
protocol tcp
active
Is there a better way to do this?
Best regards,
Harry -
Folks,
The documentation says that the sorry server concept will only work if the load balancing is done at layer 7. My question is why: why can't I see the sorry server redirect if all services are down when doing load balancing at Layer 3 or Layer 4?
Hi,
Can you point me to those docs? I believe the sorry server should work regardless of which layer the content rule is configured to check.
Actually this doc's example is layer 3:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093de8.shtml
I will build a working config at layer 3 for you soon. -
Apache or Windows server for HTTP streaming
Does it matter what HTTP server I use?
In the process of upgrading from FMS 3.0 on Windows using IIS 5 to FMS 4.0. Will dynamic HTTP Streaming work from a Windows server?
Hi,
Thanks for your interest in HDS.
HTTP Dynamic Streaming only works with Apache web server. The basic Apache web server is already bundled along with FMS from the 4.0 versions, where the HTTP Dynamic Streaming modules are loaded by default. Alternatively, any external Apache installation can also be used, by copying the required module files and changing the Apache configuration files to enable them. -
Is it possible to define a sorry service with a specific url without service type redirect ?
I want to specify the url location of the sorry service page.
Thanks
You will need a redirect if you want to change the original request from the client.
Or, if your sorryserver is configured to display the same page, whatever the client request, then you do not need the redirect.
You just need a normal service.
Regards,
Gilles. -
Https serverfarm with http sorry server
Hello all,
I am having difficulty configuring a sorry server for an existing https serverfarm. The sorry (backup) server is failing all connections and I think it's because I can not determine a way to differentiate ssl connections for the production serverfarm and non-ssl connections for the sorry server. Here is the load balance policy:
policy-map type loadbalance http first-match WWW-HTTPS-LBP
class class-default
serverfarm WWW-HTTPS backup WWW-OUTAGE
action https-rewrite
ssl-proxy client CLIENT-SSL-PROXY
The WWW-HTTPS serverfarm is comprised of HTTPS real servers, hence the necessity of the ssl-proxy client; however, when the WWW-HTTPS serverfarm is offline, the ssl-proxy can't connect to the WWW-OUTAGE serverfarm as the real server in that farm is HTTP only.
Has anyone run into this scenario before?
The ssl-proxy client forces the connection on the backend (to the real server) to be https.
You should instead create a redirect serverfarm and use it to redirect the user to an http vserver where you can use your http serverfarm without the ssl-proxy client.
Gilles. -
Specific logon Group for Http logins
Hi
I am just wondering whether we can have a logon group in SMLG specifically for HTTP logins to use only 3 app servers out of 6.
In my case, we have given one of the app servers in the iViews so all HTTP logins go to it, but as I see this server is idle most of the time and my other app servers are overloading and hanging sometimes, so to allow GUI users on this and distribute HTTP logins to use only 3 servers.
And if I use the generic load balancing then all the requests would come to the central instance and then go to an app server, which I don't want because I restricted any user logins to the central instance. So what I am looking for is to distribute HTTP logins to 3 app servers only.
Can this be achieved?
Any ideas are welcome.
Thanks
Hello,
you can create a logon group in SMLG with those 3 application servers, then set the flag "Ext. RFC-enabled" in SMLG.
If you use the message server for HTTP load balancing you should activate the services sap/public/icf_info/logon_groups and sap/public/icf_info/urlprefix in transaction SICF.
You could as well assign specific logon groups to URLs in transaction SICF.
There are some restrictions when using the message server for HTTP load balancing (depending on your scenario), see SAP Note 1040325. That's the reason it is recommended to use SAP Web Dispatcher
http://help.sap.com/saphelp_nw04/helpdata/EN/de/89023c59698908e10000000a11402f/frameset.htm
Kind regards,
Mercedes -
I have been trying to get my CSS 11506 to redirect to a Sorry Server when our content servers go offline. We thought that we had it working, but after some downtime it turned out that our configuration did not work.
After extensive reading I can't figure out what is wrong with my config, or if the problem lies elsewhere. I am attaching my config below; can anyone tell me if they see any problems with what I have or if there is something that I need to do in addition to what I have? Thank you for your help, here is the config:
*************************** GLOBAL ***************************
no restrict web-mgmt
no restrict xml
bypass persistence disable
snmp community ******read-write
snmp name "******"
snmp contact "*******r"
snmp location "CSS11056"
snmp trap-host 10.20.1.4 ******
dns primary 10.20.1.2
ftp-record ******10.20.1.17 *** des-password
ibfebcgg6aheuc4h1hfcqhpcubwdxcjb cssgui
ip route 0.0.0.0 0.0.0.0 10.20.1.1 1 !
*************************INTERFACE*************************
interface 1/1
phy 1Gbits-FD-sym !
**************************CIRCUIT**************************
circuit VLAN1
router-discovery lifetime 1000
ip address 10.20.1.4 255.255.255.0
router-discovery
**************************SERVICE**************************
service Blade01
ip address 10.20.1.60
active
service Blade02
ip address 10.20.1.61
active
service Blade03
ip address 10.20.1.62
active
service Blade04
ip address 10.20.1.63
active
service sorry
ip address 10.20.1.41
active
!*************************** OWNER***************************
owner ***
email-address ******
content Content1
vip address 10.20.1.80
balance aca
add service Blade01
add service Blade02
no persistent
primarySorryServer sorry
active
content Content2
vip address 10.20.1.81
add service Blade03
add service Blade04
balance aca
active
!*************************** GROUP***************************
group content1nat
vip address 10.20.1.80
add destination service Blade01
add destination service Blade02
add destination service sorry
group content2nat
add destination service Blade03
add destination service Blade04
vip address 10.20.1.81
!**************************** ACL ****************************
acl 10
clause 5 permit any 10.20.1.60 destination content ****
sourcegroup ****
clause 6 permit any 10.20.1.61 destination content ICC/flippid
sourcegroup Content1
clause 99 permit any any destination any
clause 2 permit any 10.0.0.0 destination content ****
sourcegroup ****
apply circuit-(VLAN1)
clause 7 permit any 10.20.1.41 destination content ****
sourcegroup Content1
One problem I can see is that you don't have any keepalives configured under the services, so they will default to a ping. As long as they respond to ping, it will keep traffic going to those servers.
What services run on these servers? We generally recommend you use as high a layer keepalive as possible, so if it is a web server, for example, use an HTTP keepalive.
Have a look here for more info:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/content_lb/guide/KAL.html -
CSS 11051: Sorry Server receives request although the normal server is up
Hello,
my customer has configured a sorry for his server. If the normal server is down the Sorry Server receives the requests. That works fine. But if the normal server comes back the Sorry Server still receives some requests( 2 hours and more). Has anybody an idea what might be the reason for that ?
regards
Dietrich Schleyer
content webserver
add service server12
vip address 10.40.52.20
primarySorryServer server13
protocol tcp
port 80
url "/*"
no persistent
active
service server12
ip address 10.40.52.12
port 80
protocol tcp
keepalive type named applicationwww01
active
service server13
ip address 10.40.52.13
protocol tcp
port 80
keepalive type named applicationwww02
active
keepalive applicationwww01
ip address 10.40.52.12
port 80
type http non-persistent
uri "/test.html"
frequency 10
method get
active
keepalive applicationwww02
ip address 10.40.52.13
port 80
uri "/test.html"
frequency 10
method get
type http non-persistent
active
According to http://www.cisco.com/warp/public/117/css_sorry_server.html:
After the CSS 11000 directs requests to a primary sorry server, the switch will continue to use the primary sorry server even when the original server becomes functional. To force the connection back to the original server, you must suspend the primary sorry server or wait until the connection is dropped or times out. When a new session is initiated by the CSS 11000, the connection should go back to the original server.
-
CSS Load balancing for Exchange Server
Hi,
I have a CSS configured in single arm and I have multiple servers configured for load balancing and it is working fine, but when I am configuring the Exchange server for load balancing I am facing a problem: applications and printers/scanners are not able to send email through the virtual IP address configured for the Exchange server.
But if we configure the real server IP in the printers/scanners they are able to send the email. While checking the logs on the Exchange server, it is showing that the request for the email is coming from the Exchange VIP configured in the CSS.
I can telnet on port 25 on the VIP address (192.168.200.237). But unable to send the email through this VIP.
Below is the configuration
service ENOC_EXCHANGE-1
ip address 192.168.200.235
active
service ENOC_EXCHANGE-2
ip address 192.168.200.236
active
content EXCHANGE
add service ENOC_EXCHANGE-2
add service ENOC_EXCHANGE-1
vip address 192.168.200.237
active
group EXCHANGE
add destination service ENOC_EXCHANGE-1
add destination service ENOC_EXCHANGE-2
vip address 192.168.200.237
active
DC-CSS01# show rule GIT EXCHANGE
Name: EXCHANGE Owner: ENOC_GIT
State: Active Type: HTTP
Balance: Round Robin Failover: N/A
Persistence: Enabled Param-Bypass: Disabled
Session Redundancy: Disabled
IP Redundancy: Not Redundant
L3: 192.168.200.237
L4: Any/Any
Url:
Redirect: ""
TCP RST client if service unreachable: Disabled
Rule Services & Weights:
1: EXCHANGE-1-Alive, S-1
2: EXCHANGE-2-Down, S-1
=============================================================================
Please let me know how to solve this problem. The system team is saying that with the physical IP address it is working fine and the problem is with load balancing. I have even tried with the
add service command in the group but it didn't work for me. If I remove the group command then I can't telnet on port 25.
I think this is related to the single arm model or some wrong configuration for the NAT.
Kindly assist me
Hi
Printers are on VLAN 80 (gw is 192.168.80.1) and the Exchange server is on VLAN 200 (gw is 192.168.200.1). I have multiple VLANs which will communicate with Exchange.
I have other servers on the 200 subnet which are working fine in load balancing.
My CSS is single arm setup.
Please assist
Sent from Cisco Technical Support iPhone App -
I have added a service for the sorry server and I have added the name of the server SorryServer1 to the content rule. However, when I suspend the content rule I get a Page Not Displayed instead of the redirect to the Sorry Server.
The config has multiple content rules; I am currently only testing on one.
Thanks
Hi,
if you suspend the whole content rule the sorry server cannot do its action, as the rule is "down". You need to suspend all services except the sorry server.
Kind Regards,
Joerg
PS
For a HowTo and recommendations refer to http://www.cisco.com/en/US/partner/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801579f2.html#1038009 -
How the balance works for http/https in CSS?
I want to understand how the balance works for http/https in the CSS.
As per doc,
- http/1.0=single URL per TCP connection
- http/1.1=persistent connection.
Q1. my understanding is http is stateless connection so needs TCP session for each URL. how the http/1.1 works with persistent. keep the same TCP session for a multiple URL request?
Q2. https is using single URL and continue processing until terminate the https instead of open another URL in the middle of transaction. in this case, I think the client can stick into same service based on the assumption the CSS support persistent. if then, no advanced sticky(ex, srcip) required?
Q3. looks below both are analogy. what's difference between them?
- balance srcip(same src IP to the same service)
- advanced-balance sticky-srcip
Q4. what's balance decision mechanism for "balance roundrobin" to distribute evenly? ex, in case of multiple URL request coming from same client. evenly distribute URLs?
Regards,
Hello,
first let me clarify 1 point.
HTTP/HTTPS are standards that are defined in RFC.
For HTTP/1.1 you can check the following RFC
http://www.faqs.org/rfcs/rfc2616.html
Therefore, the behavior of HTTP 1.1 is not defined by the CSS.
Q1- HTTP/1.1 simply keeps 1 TCP connection to send and receive multiple HTTP requests/responses.
HTTP/1.0 will open 1 TCP connection for every HTTP request.
Q2- HTTPS is just HTTP over SSL.
So basically the same rule as above applies.
HTTP/1.1 can use 1 SSL connection for many HTTP request/response while HTTP/1.0 will use 1 SSL connection for each HTTP request.
Therefore, if you have customers using HTTP/1.0 you need some form of stickiness to guarantee that every connection will go to the same server.
Even if only using HTTP/1.1 you may need stickiness.
A user could disconnect and reconnect and require to be loadbalanced to the same server as before.
Q3- There is a big difference between balance srcip and sticky-srcip.
The balance srcip simply hashes the source IP address to find the destination server.
The problem with this method is that the load balancing is not guaranteed to be evenly distributed between the servers.
With sticky-srcip, you use a normal balance method like round-robin, and then you create a sticky entry in a sticky table.
Next time this user comes back we first check the sticky entry to find the destination server.
The advantage is that it guarantees your users will be evenly distributed among the servers.
Q4- roundrobin is applied to connection - not url [by default].
So if you have 2 users and they both open 1 connection, the CSS will send 1 connection to 2 different servers.
So each server has 1 connection.
If one user sends 10 URLs and the other one sends only 1, one server will have 10 URLs to process while the other only one.
That's if you are using HTTP/1.1 and use persistent mode on the CSS.
You can break persistency and split the url.
I run out of space and time to explain you everything.
I suggest you go read the RFC or a book on HTTP.
Also read the CSS configuration guide.
There is much more you need to know if you want to take full advantage of the CSS like cookie, ssl offloading, L7 rules vs L3/4 rules, ...
Regards,
Gilles. -
Using a Single HTTP Server for Multiple APEX Instances
Our company's DBA Manager has asked if it would be possible to externalize the HTTP server portion of APEX from the DB Servers. In other words, he would strongly prefer that the DB Servers *only* run Oracle Database software.
We know that we can install the HTTP server on another box but, in thinking about how to do this, we were wondering if it is really necessary to create a separate HTTP server installation for each APEX instance. What we'd really like to do is have one HTTP server for all of our Dev boxes and several (but not one to one) for each of our upper environments: staging, qa, prod, etc.
Right now, each instance has a single dads.conf file on each DB box. So, if we were to attempt to consolidate them, we'd need some way to embed multiple dads files and to associate each instance with the correct one.
Has anyone ever done this or (preferably) have some examples?
Thanks,
-Joe
Joe,
I don't know a specific reference for it. I remembered it because when I was looking at the documentation on the site, I saw the reference "Support for multiple database connections" in the URL: APEX Listener New Features 2.0
I've tried to use APEX Listener some time ago, but in an earlier version together with GlassFish. So, since for me it was only one database, I created the necessary number of DADs on my database, each one for a specific port.
Check the link and you'll see the same information I saw.
Thanks.
José Valdézio
"Neo, everything that Oracle told me, became true, except extinguish bugs in a first release." -
Companion CDs for 64-bit Oracle HTTP Server for AIX5L(64 bit) required.
I need Companion CDs for 64 bit Oracle HTTP Server for AIX5L(64 bit).
I tried to install using
as_ibm_aix_companion_101300_disk1.cpio & as_ibm_aix_companion_101300_disk2.cpio
but when I checked the files present in <Oracle_Home>/ohs/lib, they are 32-bit.
I also tried with Oracle 10.1.2.0.2 but still the server is installed as 32-bit.
Is 64-bit Oracle HTTP Server supported on AIX5L (64 bit)?
If yes, then from where can I download the CDs?
Any suggestions will be appreciated.
Greetings,
Try this link:
http://www.oracle.com/technology/software/products/database/oracle10g/htdocs/10201aixsoft.html
Regards,
Bill Chadbourne