Friday, September 26, 2014

Change HTTP reply content with AppShape++

Lab goal

When a clients asks for beta/a2.html, return "Hello" instead.

Use VIP 10.136.85.14

Setup

I'll use my Loadbalancer Lab Setup.


The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Notice the group and hosts are preconfigured:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
/c/slb/real 1
        ena
        ipver v4
        rip 10.136.85.1
/c/slb/real 2
        ena
        ipver v4
        rip 10.136.85.2
/c/slb/real 3
        ena
        ipver v4
        rip 10.136.85.3
/c/slb/group 10
        ipver v4
        add 1
        add 2
        add 3

Alteon configuration

First, lets configure the VIP/virt.

Remember routing! The returning traffic needs to go through the Alteon, otherwise TCP will break. So we also need to configure Proxy IP/SNAT so return traffic will go through the Alteon.


1
2
3
4
5
6
7
8
 /c/slb/virt 85_14
        ena
        vip 10.136.85.14
 /c/slb/virt 85_14/service 80 http
        group 10
 /c/slb/virt 85_14/service 80 http/pip
        mode address
        addr v4 10.136.85.200

Next we need to write the Appshape++ script:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
when HTTP_REQUEST {
    # retrieve URL from the request
    set url [HTTP::uri]
    set reply {
        <html>
        <body>
        <h1>Hello!</h1>
        <body>
        </html>
    }

    # check if URL is with /beta/a2.html
    if {[string match "/beta/a2.html" $url] == 1} {
        # change the URL and select SRV1
        HTTP::respond 200 content $reply
    }
}

-----END


  • Line 1-17 - When a request comes in do:
    • Line 3 - Extract the URL
    • Line 4-10 - Set a response content.
    • Lines 13-16 - If the URL is "beta/a2.html" then:
      • Line 15 - Respond with code 200 and the content we set earlier.
  • Line 19 - The end of the script.
Now lets import the script and apply it to the VIP/virt:


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
 /c/slb/appshape/script respond
        ena
        import text 
 when HTTP_REQUEST {
     # retrieve URL from the request
     set url [HTTP::uri]
     set reply {
         <html>
         <body>
         <h1>Hello!</h1>
         <body>
         </html>
     }
     # check if URL is /beta/a2.html
     if {[string match "/beta/a2.html" $url] == 1} {
         # change the URL and select SRV1
         HTTP::respond 200 content $reply
     }
 }
 -----END
 
 /c/slb/virt 85_14/service 80 http/appshape
        add 10 respond

Test


Notice the "Hello!". Success!

Summary

After writing few AppShape++ , a pattern emerges: It really easy :)

Thursday, September 18, 2014

Using AppShape++ to change a request's URL

Lab goal

  • When a clients asks for /cgi-bin/* change that to /alpha/a1.html, and serve it from SRV1 
  • Fix the 404 page not found.

Use VIP 10.136.6.13.

Setup

I'll use my Loadbalancer Lab Setup.


The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Notice the group and hosts are preconfigured:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
/c/slb/real 1
        ena
        ipver v4
        rip 10.136.85.1
/c/slb/real 2
        ena
        ipver v4
        rip 10.136.85.2
/c/slb/real 3
        ena
        ipver v4
        rip 10.136.85.3
/c/slb/group 10
        ipver v4
        add 1
        add 2
        add 3

Alteon configuration

Lets first create the VIP/virt and test it out.


1
2
3
4
5
 /c/slb/virt 6_13
        ena
        vip 10.136.6.13
 /c/slb/virt 6_13/service 80 http
        group 10

To fix the 404 at the bottom of the webpage, we need to change the request URL from /not_here to /here.html.

So lets write the AppShape++ script:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
attach group 10

when HTTP_REQUEST {
    # retrieve URL from the request
    set url [HTTP::uri]

    # check if URL begins with /cgi-bin/
    if {[string match "/cgi-bin/*" $url] == 1} {
        # change the URL and select SRV1
        HTTP::uri "/alpha/a1.html"
        group select 10 server 1
    # check if the request is for /not_here
    } elseif {[string match "/not_here" $url] == 1} {
        # change the URL to here.html
        HTTP::uri "/here.html"
    }
}

-----END


  • Line 1 - declare that we are about to use group 10.
  • Lines 3 - 17 - When HTTP_REQUEST comes from the client to the VIP do this:
    • Line 5 - Retrieve the URL
    • Lines 8-13 - Check if the URL begins with /cgi-bin/ if so:
      • Lines 10-11 - Send the request to the web server as "/alpha/a1.html" and select SRV1.
    • Lines 13-16 - Check if the URL is not_here if so:
      • Line 15 - Send the request to the web server as "here.html"
Now lets apply this script to the Alteon:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
 /c/slb/appshape/script set_url
        ena
        import text 
 attach group 10
 when HTTP_REQUEST {
     # retrieve URL from the request
     set url [HTTP::uri]
     # check if URL begins with /cgi-bin/
     if {[string match "/cgi-bin/*" $url] == 1} {
         # change the URL and select SRV1
         HTTP::uri "/alpha/a1.html"
         group select 10 server 1
     # check if the request is for /not_here
     } elseif {[string match "/not_here" $url] == 1} {
         # change the URL to here.html
         HTTP::uri "/here.html"
     }
 }
 -----END

 /c/slb/virt 6_13/service 80 http/appshape
        add 10 set_url


  • Lines 1-19 - importing the script
  • Lines 21-22 - applying the script to the VIP

Test


Before:



After:


Success!

Notice how the CGI script, which shows connection data (it just prints ENV vars), changed to show a static page from SRV1 and also notice that the 404 is fixed.

Summary

Setting the URL is really easy, once you know how.... :)

Friday, September 12, 2014

HTTP to HTTPs redirect with a twist

Lab goal

Create a new VIP/virt - 10.136.85.13.

The main page should be using HTTP but all the other elements should be using SSL.


Setup

I'll use my Loadbalancer Lab Setup.



The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Alteon configuration

We will reuse group 10 which includes all web servers.

So all is left is to create a VIP/virt with services HTTP and HTTPS

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
 /c/slb/virt 86_13
        ena
        ipver v4
        vip 10.136.85.13
 /c/slb/virt 86_13/service 80 http
        group 10
        rport 80
 /c/slb/virt 86_13/service 80 http/pip
        mode address
        addr v4 10.136.85.200 
 /c/slb/virt 86_13/service 443 https
        group 10
        rport 443
 /c/slb/virt 86_13/service 443 https/pip
        mode address
        addr v4 10.136.85.200 

Lines 8-10 - Source NAT. Without it traffic from the server will go directly to client without going first through the Alteon.

Now for the AppShape script:


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
when HTTP_REQUEST {
    # exctract the fields from the HTTP headers
    set url [HTTP::uri]
    set host [HTTP::host]


    if {[string equal $url "/"] ==0} {
        HTTP::redirect "https://$host$url" 301
    }
}

-----END


  • Line 7 checks if the path is not  /" and then:
    • Line 8 Redirect all requests to the page elements, such as pictures, iFrames and CGI-BIN to HTTPS
    • Notice that the redirect was built with the extracted host name and the URL
Next lets import and apply the AppShape++ script:


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
 /c/slb/appshape/script redirect_to_https
        ena
        import text 
 when HTTP_REQUEST {
     # exctract the fields from the HTTP headers
     set url [HTTP::uri]
     set host [HTTP::host]
     if {[string equal $url "/"] ==0} {
         HTTP::redirect "https://$host$url" 301
     }
 }
 -----END

 /c/slb/virt 86_13/service 80 http/appshape
        add 10 redirect_to_https

Test


It looks like a regular HTTP page, but notice the TCP port being used inside the iFrame. Its 443, which is HTTPS.

Success!

Summary

This exact setup can be done with crule,but I think that using AppShape++ is much easier to understand, as you see the condition and the action in one place.

Wednesday, September 10, 2014

Alteon AppShape++ Redirects

Lab goals

In the lab we will practice:

  • Redirection - r.dans-net.com should be redirected to 3.dans-net.com
  • Decision by URL matching:
    • If URL length is 1 or 2, not including the leading "/", then redirect to 3.dans-net.com
    • If URL is "/images/number.jpg" or "/icons/number.jpg" then select SRV1
    • URL begins with  "/alpha" or with "/beta" then select SRV2
    • URL contains "cgi-bin" or "gamma" then select SRV3
Both r.dans-net.com and 3.dans-net.com should resolve to 10.136.6.11.

Setup

I'll use my Loadbalancer Lab Setup.


The loadbalancer is Radware's Alteon VA version 29.5.1.0

Here is the /etc/hosts or c:\windows\system32\drivers\etc\hosts resolve snippet:


1
2
10.136.6.11     3.dans-net.com
10.136.6.11     r.dans-net.com

Alteon configuration

Fist lets create 3 groups, one for each SRV:



1
2
3
4
5
6
7
8
9
/c/slb/group g1
        ipver v4
        add 1
/c/slb/group g2
        ipver v4
        add 2
/c/slb/group g3
        ipver v4
        add 3

Next, lets configure create the VIP/virt:


1
2
3
4
 /c/slb/virt 6_11
        ena
        vip 10.136.6.11
 /c/slb/virt 6_11/service 80 http

Next the AppShape++ script. This time I'll show two parts. The draft and the final.

Draft Script

The draft script is a regular TCL script, where I test the script with regular TCL enviourment, such as ActiveTCL for windows.


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#attach group g1
#attach group g2
#attach group g3
#
#when HTTP_REQUEST {
#}
#
#-----END

# usage
# redirect_url_match [URL] [HOST]

# set default values
set host "3.dans-net.com"
set url "/a"

# set values if exists
if {$argc == 1} {
    set url [lindex $argv 0]
} elseif {$argc > 1} {
    set host [lindex $argv 1]
}


# the code to use later on the alteon
if {[string equal $host "r.dans-net.com"]} {
    puts "redirect to 3.dans-net.com"
} else {
    # check length of url. since the cout also includes the leading / we need to add 1 to the comparison
    if {[string length $url] == 2 || [string length $url] == 3} {
        puts "redirect to 3.dans-net.com"
    # exact match    
    } elseif { [string match "/images/number.jpg" $url] || [string match "/icons/number.jpg" $url ] } {
        puts "SRV1"
    #match begin with    
    } elseif { [string match "/alpha*" $url] || [string match "/beta*" $url] } {
        puts "SRV2"
    # match contains X
    } elseif { [string match "*gama*" $url] || [string match "*cgi-bin*" $url] } {
        puts "SRV3"
    }

}


  • Lines 1-8 - This is my template for AppShape++ scripts. Its is currently commented out.
  • Lines 14-22 - Simulate HTTP headers and URL
    • We are basing our group/pool selection on Host name and URL, so we need to simulate those parameters.
    • Lines 14-15 - Set the default Host and URL
    • Lines 18-22 - Extract the URL and Host name from command line arguments.
    • The script can be run:
      • Without arguments: tclsh.exe my_script.tcl . Then the URL is "/a" and the host is "3.dans-net.com"
      • With just one argument: tclsh.exe my_script /gamma/a3.html. Then the URL is "/gamma/a3.html" and the host is "3.dans-net.com".
      • With two arguments: tclsh.exe my_script /gamma/a3.html r.dans-net.com. Then the URL is "/gamma/a3.html" and the host is "r.dans-net.com"
  • Lines 26-28 - Check if host name is "r.dans-net.com". If so, print "redirect to 3.dans-net.com". This is instead of actually using the Alteon command HTTP::redirect 
  • Lines 28-43 - Check the URL
    • Line 30 is checking the length of the URL.
    • Line 33 is checking exact match.for the URL
    • Line 36 is checking if the URL begins with....
    • Line 39 is checking if the URL contains ....
After running the script and checking that its actually working as indicated in the Lab Goals, we need to convert it to Alteon AppShape script:


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
attach group g1
attach group g2
attach group g3
attach group 10

when HTTP_REQUEST {
    # exctract the fields from the HTTP headers
    set host [HTTP::host]
    set url [HTTP::uri]


    if {[string equal $host "r.dans-net.com"]} {
        HTTP::redirect "http://3.dans-net.com" 301
    } else {
        # check length of url. since the cout also includes the leading / we need to add 1 to the comparison
        if {[string length $url] == 2 || [string length $url] == 3} {
            HTTP::redirect "http://3.dans-net.com" 
        # exact match    
        } elseif { [string match "/images/number.jpg" $url] || [string match "/icons/number.jpg" $url ] } {
            group select g1
        #match begin with    
        } elseif { [string match "/alpha*" $url] || [string match "/beta*" $url] } {
            group select g2
        # match contains X
        } elseif { [string match "*gamma*" $url] || [string match "*cgi-bin*" $url] } {
            group select g3
        } else {
            group select 10
        }

    }
}

-----END

This is basically the same script as before, with just Alten AppShape++ commands like HTTP::redirect:  and group select

Notice that at line 28, we have a default action, which is to use group 10, which includes all web servers. This will allow serving the main page, javascript and css.

Also notice the difference between the redirect at line 13 and the redirect at line 17. The first will return 301 - permanent move, and the second will send the default 302 which is temporary move.

Now lets import the script and apply it to the virt configuration



 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
 /c/slb/appshape/script redirect_match_url
        ena
        import text 
 attach group g1
 attach group g2
 attach group g3
 attach group 10
 when HTTP_REQUEST {
     # exctract the fields from the HTTP headers
     set host [HTTP::host]
     set url [HTTP::uri]
     if {[string equal $host "r.dans-net.com"]} {
         HTTP::redirect "http://3.dans-net.com" 301
     } else {
         # check length of url. since the cout also includes the leading / we need to add 1 to the comparison
         if {[string length $url] == 2 || [string length $url] == 3} {
             HTTP::redirect "http://3.dans-net.com" 
         # exact match    
         } elseif { [string match "/images/number.jpg" $url] || [string match "/icons/number.jpg" $url ] } {
             group select g1
         #match begin with    
         } elseif { [string match "/alpha*" $url] || [string match "/beta*" $url] } {
             group select g2
         # match contains X
         } elseif { [string match "*gamma*" $url] || [string match "*cgi-bin*" $url] } {
             group select g3
         } else {
             group select 10
         }
     }
 }
 -----END
 

 /c/slb/virt 6_11/service 80 http
        dbind forceproxy
 /c/slb/virt 6_11/service 80 http/appshape
        add 10 redirect_match_url

Test

First I tried some redirection tests. The best way to see them is using chrome or firefox developer tools and have a look at the network tab. However, this is not the best way to show it here as the data is hierarchical and I can't show in one snapshot how redirection worked.

So I used wireshark to show the redirection.



  • Packet 4 is the request for r.dans-net.com
  • Packet 6 is the reply with the redirect
  • Packet 7 is the new request to the redirected host
Next lets see how the page looks like:


We can see that reach element (in red) is using the correct SRV.

Summary

I really like TCL. It is very simple. So is AppShape++.

Monday, September 8, 2014

Select group/pool by query URI

Lab goal

When a request looks like this: http://a3.dans-net.com/group=GROUPNAME then the group/pool will be selected by the following name:

group_GROUPNAME

For example for http://10.136.5.10/group=g1 the selected group will be group_g1

The following groups should be defined:
  • g1 - SRV1
  • g2 - SRV2
  • g3 - SRV3

The VIP should be 10.136.5.10

Setup

I'll use my Loadbalancer Lab Setup.



The loadbalancer is Radware's Alteon VA version 29.5.1.0

The initial Alteon VA configuration can be found here.

Alteon configuration

First, lets configure the groups.

 /c/slb/group g1                          
        add 1
 /c/slb/group g2
        add 2
 /c/slb/group g3
        add 3

Next lets write the script.


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
attach group g1
attach group g2
attach group g3

when HTTP_REQUEST {
    set group_exists [regexp -nocase {group=(g[0-9]+)(&.*)*$} [HTTP::query] a group_name]
    if {$group_exists == 1} {
        group select $group_name
    }
}

-----END



  • Lines 1-3 declare the groups which will be used later on.
  • Line 6 has the regular expression matching
    • The matching is case insensitive.
    • It looks for a group=g* in the query part of the URI.
    • If a match is found it will 
      • set group_exists to 1
      • put what ever matches in a
      • the result of the first parenthesis (g[0-9]+) to group_name
  • Line 7-8 - If a match  was found, select the group according to the group name
  • Line 12 - As allways we need the -----END to mark the end of script.

Next lets configure the virtual server. Notice that since we are using 10.136.5.X address as VIP, we need to configure the Alteon to use Source NAT/Proxy IP so return traffic from the servers go through Alteon and not directly back to the client.

 /c/slb/virt 5_10
        ena
        vip 10.136.5.10
 /c/slb/virt 5_10/service 80 http
        group 10
 /c/slb/virt 5_10/service 80 http/pip
        mode address
        addr v4 10.136.85.200 255.255.255.255 

Notice we added group 10 to the config. We need this as last resort group. If the AppShape++ script won't choose a group, that group will be chosen.

Next we need to import and apply the AppShape++ script to the HTTP service.

 /c/slb/appshape/script host_by_query
        ena
        import text 
 attach group g1
 attach group g2
 attach group g3
 when HTTP_REQUEST {
     set group_exists [regexp -nocase {group=(g[0-9]+)(&.*)*$} [HTTP::query] a group_name]
     if {$group_exists == 1} {
         log "$group_exists $a $group_name"
         group select $group_name
     }
 }
 -----END


 /c/slb/virt 5_10/service 80 http/appshape
        add 10 host_by_query

Test

First we will try selecting group g1:



Notice that just the GET to the main page was sent with ?group=g1&b=1 . The rest of the requests went without the query string.

Next g3:


Success!

Summary

That wasn't too hard, was it? The one thing I do is to test the TCL script on tclsh and only then import it to the Alteon. That is much faster then copy pasting into the Alteon's config.

Thursday, September 4, 2014

AppShape++ and SSL offloading

After running my fist AppShape++ script, I was wondering if it will work with SSL offloading as well.

Lets try it out, using my lab setup again, and I'll be adding on top my previous lab.



First I'll need to create SSL policy on the Alteon VA version 29.5.1.0:

 /c/slb/ssl/sslpol mySSL_Pol
        cipher "high"
        ena

This will select only high security encryption and integrity algorithms.

Next we need to create a self signed certificate:

>> LB1 - SSL Policy mySSL_Pol# /cfg/slb/ssl/certs/srvrcert

Enter server certificate id: mySRV_Cert
------------------------------------------------------------------
[Server certificate mySRV_Cert Menu]
     name     - Set descriptive certificate name
     generate - Create or update self-signed server certificate
     del      - Delete server certificate
     cur      - Display current server certificate configuration

>> LB1 - Server certificate mySRV_Cert# gen
This operation will generate a self-signed server certificate.
Enter key size [512|1024|2048|4096] [1024]: 2048
Enter server certificate hash algorithm [md5|sha1|sha256|sha384|sha512] [sha1]: sha256
Enter certificate Common Name (e.g. your site's name):  *.dans-net.com
Use certificate default values? [y/n]: y
Enter certificate validation period in days (1-3650) [365]: <enter>  
....
Self signed server certificate, certificate signing request and key added.

We also need to enable SSL globally:

/cfg/slb/ssl/on

Now lets add SSL offloading to virt 6_10:

 /c/slb/virt 6_10/service 443 https/ssl
        srvrcert cert mySRV_Cert
        sslpol mySSL_Pol
 /c/slb/virt 6_10/service 443 https/appshape
        add 10 group_by_host

Notice that not only SSL offloading was added, but also we applied the AppShape++ script.

Lets try it out:




Notice that the background is still blue, which means its HTTPS and that the SRV_PORT is 80, so we really have SSL offloading and the AppShape++ script works with SSL offloading too.


So yes! AppShape++ works also when using SSL offloading.

Wednesday, September 3, 2014

Alteon group selection by HTTP Host header using AppShape++

On the previous post I have used Content Rules to configure group (server pool) selection based on the Host header in HTTP.

This lab is also based on the lab setup I am using.


This time I'll do the same, but with AppShape++, which is similar to F5's iRules.

I want a2.dans-net.com to be served by SRV1 and b2.dans-net.com to be served by SRV2, any other host should be served by all web servers.

I'll use VIP 10.86.3.10 as the VIP. Here is how I edit my /etc/hosts files, which is c:\windows\system32\drivers\etc\hosts :

10.136.6.10    a2.dans-net.com
10.136.6.10    b2.dans-net.com

First, I'll configured two new groups (server pools):

 /c/slb/group a2_dans
        add 1

 /c/slb/group b2_dans
        add 2

Next I'll write the AppShape++ script which will select a group based on the Host header:

attach group a2_dans
attach group b2_dans

when HTTP_REQUEST {
    switch -glob [HTTP::host] {
        "a2.dans-net.com" {
            group select a2_dans
        }
        "b2.dans*" {
            group select b2_dans
        }
        default {
            group select 10
        }
    }
}
-----END

The first two lines are attach statements. I have no idea why they are needed. All I know that any group referenced inside other parts of the script must be declared there.

Then, with the help of the switch command we select which  group to use when using this host or the other. If the Host matches nothing, then we will use group #10, which includes all the web servers.

Lets import the script into Alteon. Notice the "-----END" at the end, which marks the end of the script.

 /c/slb/appshape/script group_by_host
        ena
        import text 
 attach group a2_dans
 attach group b2_dans
 when HTTP_REQUEST {
     switch -glob [HTTP::host] {
         "a2.dans-net.com" {
             group select a2_dans
         }
         "b2.dans*" {
             group select b2_dans
         }
         default {
             group select 10
         }
     }
 }
 -----END

Next lets configure the VIP, or virt in Alteon's terminology.


 /c/slb/virt 6_10
        ena
        vip 10.136.6.10
 /c/slb/virt 6_10/service 80 http
 /c/slb/virt 6_10/service 80 http/appshape
        add 10 group_by_host

After apply lets test:




Success!

So which is better? Using Content Rules or use AppShape++ scripts.

I think that once you learn it, AppShape++ scripts are much easier as you you always use the same TCL commands and you are not forced in awkward configurations which at the end mimic that short script.

Tuesday, September 2, 2014

Alteon group selection by HTTP Host header using Content Rules

Using this lab setup, I will practice HTTP Host based group selection, which is a server pool in Alteon's terminology.



Fist I need to add two hosts to my /etc/hosts files, which is c:\windows\system32\drivers\etc\hosts :

  • a.dans-net.com
  • b.dans-net.com

Both will point to 10.136.85.11.


10.136.85.11    a.dans-net.com
10.136.85.11    b.dans-net.com

I want a.dans-net.com to go to SRV1 and b.dan-net.com to go to SRV2

I need to add two groups with one host only. Notice that AFAIK since version 29 Alteon allows to use strings as rip, groups and virt

 /c/slb/group a_dans
        ipver v4
        add 1
 /c/slb/group b_dans
        ipver v4
        add 2

Next step is to configure the Content Class, which means to configure matching classes which will be later used by Content Rules

 /c/slb/layer7/slb/cntclss a_dans http
 /c/slb/layer7/slb/cntclss a_dans http/hostname a_dans
        hostname "a.dans-net.com"
        match equal
 /c/slb/layer7/slb/cntclss b_dans http
 /c/slb/layer7/slb/cntclss b_dans http/hostname b_dans
        hostname "b.dans"

Notice that class a_dans is and exact match and that class b_dans is an include match (the default mathod, thats why we don't see it in the config). Just for fun...

Now lets add virt  and apply the changes.

 /c/slb/virt 11
        ena
        ipver v4
        vip 10.136.85.11
 /c/slb/virt 11/service 80 http
        group 1
        rport 80
 /c/slb/virt 11/service 80 http/cntrules 10
        ena
        cntclss "a_dans"
        group a_dans
 /c/slb/virt 11/service 80 http/cntrules 20
        ena
        cntclss "b_dans"
        group b_dans
 /c/slb/virt 11/service 80 http/pip
        mode address
        addr v4 10.136.85.200 255.255.255.255 persist disable

Notice that we added two new rules, matching the Content Class we configured before and the action is to select a group, which we configured before too.

As usual we use Source NAT, hence the pip with 10.136.85.200 address.

And he are some "show" commands

>> LB1 - Server Load Balancing Information# /i/slb/virt 11
11: IP4 10.136.85.11,    00:03:b2:80:00:4e
    Virtual Services:
    http: rport http, group 1, health tcp (TCP), dbind forceproxy
        Content Rule 10, enabled
             content class a_dans, group a_dans
        Real Servers:
        1: 10.136.85.1, group ena, health  (runtime TCP), 2 ms, UP
        Content Rule 20, enabled
             content class b_dans, group b_dans
        Real Servers:
        2: 10.136.85.2, group ena, health  (runtime TCP), 2 ms, UP

Now lets see what happens in the browser.

First we test for a.dans-net.com. We expect to see SRV1 only.


Success. We see SRV1 only. Next lets try b.dans-net.


Success again, we see SRV2 only.

Basic Alteon setup

Time to actually test the lab.

Click here for previous post to see the lab setup.



Here is a basic Alteon setup with very basic server loadbalancing.

The VIP is 10.136.85.10 and the Source NAT, or proxy ip in Alteon terminology is 10.136.85.200. We need the SNAT, as otherwise the Alteon will reply directly to the client. We need the reply traffic to pass through the Alteon to get it translated back to VIP from the real IP address of the selected server.

Notice that that we have a default GW for the management interface, and a different gateway for the data path, which is the traffic from the client and to the servers.

/c/sys/mmgmt
        dhcp disabled
        addr 10.136.1.100
        mask 255.255.255.0
        broad 10.136.1.255
        gw 10.136.1.254
        addr6 fc00:1:0:0:0:0:0:1
        prefix6 64
        gw6 fc00:1:0:0:0:0:0:254
        ena
/* LB1
/c/sys
        hprompt ena
/c/sys/ssnmp
        name "LB1"
/c/sys/access/sshd/ena
/c/sys/access/sshd/on
/c/l3/if 1
        ena
        ipver v4
        addr 10.136.85.100
        mask 255.255.255.0
        broad 10.136.85.255
/c/l3/if 2
        ena
        ipver v6
        addr fc00:85:0:0:0:0:0:100
        mask 64
/c/l3/gw 1
        ena
        ipver v4
        addr 10.136.85.254
/c/l3/gw 2
        ena
        ipver v6
        addr fc00:85:0:0:0:0:0:254
/c/slb
        on
/c/slb/real 1
        ena
        ipver v4
        rip 10.136.85.1
/c/slb/real 2
        ena
        ipver v4
        rip 10.136.85.2
/c/slb/real 3
        ena
        ipver v4
        rip 10.136.85.3
/c/slb/group 10
        ipver v4
        add 1
        add 2
        add 3
/c/slb/port 1
        client ena
        server ena
        proxy ena
/c/slb/virt 10
        ena
        ipver v4
        vip 10.136.85.10
/c/slb/virt 10/service 80 http
        group 10
        rport 80
/c/slb/virt 10/service 80 http/pip
        mode address
        addr v4 10.136.85.200 255.255.255.255 persist disable
/c/slb/virt 10/service 443 https
        group 10
        rport 443