Hello again,

Is there a way to quiesce a real server in a l4txnat farm so that there are NO requests being forwarded to it? (besides deleting it from the farm)

Thanks,
- Jay

---- Original Message ----
From: [email protected]
Sent: 12/19/2013 3:05:42 AM
To: [email protected]
Subject: Zenloadbalancer-support Digest, Vol 37, Issue 9

Send Zenloadbalancer-support mailing list submissions to
[email protected]

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support
or, via email, send a message with subject or body 'help' to
[email protected]

You can reach the person managing the list at
[email protected]

When replying, please edit your Subject line so it is more specific than "Re: Contents of Zenloadbalancer-support digest..."

Today's Topics:

1. Re: l4txnat dropping connections from some IPs (and no logging to verify) (Dima Polyakov)
2. Re: Redirects (Emilio Campos)
3. Re: ZEN Load-Balancer Disable SSLv2 (ilkin)

----------------------------------------------------------------------

Message: 1
Date: Wed, 18 Dec 2013 14:43:44 -0500
From: "Dima Polyakov" <[email protected]>
Subject: Re: [Zenloadbalancer-support] l4txnat dropping connections from some IPs (and no logging to verify)
To: <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"

Jay,

AFAIK you should have your real servers on a separate network (you can have multiple IPs on real servers). You can refer to my setup guide: "How to set up L4 DNAT with asp.net web farm on ZLB 3.03".

Dima

From: Jay A. Rossignol [mailto:[email protected]]
Sent: Wednesday, December 18, 2013 1:57 PM
To: [email protected]
Subject: [Zenloadbalancer-support] l4txnat dropping connections from some IPs (and no logging to verify)

Hello everyone!

Some of our customers are experiencing a problem that seems to be occurring on an l4txnat farm w/DNAT. Some customers are unable to access our website when forwarded through our primary l4txnat farm but if the customer is redirected instead to a TCP farm, on the same load balancer, the customer is able to access the site properly.
Here are some specifics:

Load Balancer (zenloadbalancer v3.02) 192.168.11.10
l4txnat farm w/DNAT: 192.168.11.19 ports 80,443, real servers (site6, site7)
TCP farm: 192.168.11.13 port 80, real servers (site6, site7)
TCP farm: 192.168.11.13 port 443, real servers (site6, site7)

Real servers are on the same 192.168.11.0/25 network and use the load balancer for their gateway: 192.168.11.10

Firewall policies:
Primary Site: Public IP: 66.186.161.235 NAT -> 192.168.11.19 ports 80,443
Alt-Site: Public IP: 66.186.161.233 NAT -> 192.168.11.13 ports 80,443

The customer cannot access our website through the Primary Site.
The customer can access our website through the Alt-Site.
Customer can ping both public addresses.

I can trace the customer's requests to the Primary Site through the firewall and forwarded to 192.168.11.19 but there is no mention of the customer's IP in our webserver's logs suggesting that the requests never arrive. I can't seem to find any logging, or how to enable any logging, on the load balancer that shows the activity of requests (source, forwarded to, response, etc) so I can't verify anything about the requests once forwarded to the l4txnat farm by the firewall.

I can trace the customer's requests to the Alt-Site through the firewall and forwarded to 192.168.11.13, they appear properly in the webserver's logs and the customer has access to our site.

To verify that it is at the l4txnat farm that the problem is occurring, I changed the Alt-Site firewall rule to forward requests to the l4txnat farm (192.168.11.19), rather than the tcp farms, and the customer was no longer able to access our website through the Alt-Site. Undoing the change, pointing the Alt-Site firewall rule back to the tcp farms (192.168.11.13), restores the customer's access to our site.

DNAT is required.

We have had numerous customer complaints of this type. Not sure how many others may be experiencing it.
Approx 15,000 customers access the Primary Site, through the l4txnat farm each day.

Thank you for any suggestions!

- Jay

_____________________________________________
Jay A. Rossignol, MCSE, CNE
Sr. Systems/Network Engineer
Uncle Henrys
[email protected]

------------------------------

Message: 2
Date: Wed, 18 Dec 2013 20:47:29 +0100
From: Emilio Campos <[email protected]>
Subject: Re: [Zenloadbalancer-support] Redirects
To: Joseph Robinson <[email protected]>
Cc: "[email protected]" <[email protected]>
Message-ID: <cakwgn_qqaxhia3ox_zft-1fzb1ld0fltx29ktw+kas9r4et...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Thank you for confirming!

2013/12/18 Joseph Robinson <[email protected]>

> Emilio,
>
> You are right, the regular expression Laura provided does work.
>
> Sorry for the inconvenience.
>
> Thanks for the help!
>
> Joseph
>
> On 12/18/2013 11:31 AM, Emilio Campos wrote:
>
> Joseph I think that your question was answered, two times, by Laura and me.
>
> If you want to match only /ED then you have to use a pattern ^/ED$
>
> You don't have to match the beginning OR the end, you have to match the beginning AND the end in your pattern because it is the same as an exact match.
>
> I hope this helps you ....
>
> 2013/12/18 Joseph Robinson <[email protected]>
>
>> Thanks for the response.
>>
>> However I don't think the specific question was answered. I need to find a way to have the URL pattern field do an "equals" match. So that the match is exactly, and only what is in the field.
>>
>> Example:
>>
>> I want to match only "/ED" (URL = http://mysite.com/ED)
>>
>> If the URL that comes in is http://mysite.com/EDs or http://mysite.com/ED/ or http://mysite.com/folder/ED then I do NOT want it to match.
>>
>> So far in my testing the match is only doing a contains. Thus if my pattern was "/" I get in a loop.
>>
>> I can't use ^ or $ as I am not interested in matching the beginning or end, I need an exact match.
>>
>> Is that possible?
>>
>> Joseph
>>
>> On 12/18/2013 10:59 AM, Emilio Campos wrote:
>>
>> Url pattern searches a match in the incoming request, virtualhost isn't evaluated in this field. If a request fails to match then this service will be skipped and next one tried. If no *URL* was defined then all requests match. The matching is by default case-sensitive
>>
>> Some examples:
>> URL pattern field: .*.(jpg|gif)
>>
>> Url pattern field : /forbidden.*
>>
>> URL pattern field : .*sessid=.*
>>
>> Regards
>
> --
> Load balancer distribution - Open Source Project
> http://www.zenloadbalancer.com
> Distribution list (subscribe):
> [email protected]

--
Load balancer distribution - Open Source Project
http://www.zenloadbalancer.com
Distribution list (subscribe):
[email protected]

------------------------------

Message: 3
Date: Thu, 19 Dec 2013 10:02:34 +0200
From: "ilkin" <[email protected]>
Subject: Re: [Zenloadbalancer-support] ZEN Load-Balancer Disable SSLv2
To: <[email protected]>
Message-ID: <004601cefc90$ad0e9fb0$072bdf10$@[email protected]>
Content-Type: text/plain; charset="us-ascii"

Hi Laura,

It works :)

Thank you very much.

From: Laura Garcia [mailto:[email protected]]
Sent: Wednesday, December 18, 2013 7:46 PM
To: [email protected]
Subject: Re: [Zenloadbalancer-support] ZEN Load-Balancer Disable SSLv2

Hi,

have you tried to include in your cyphers ":-SSLv2"?

Regards.

On Wed, Dec 18, 2013 at 4:34 PM, ilkin <[email protected]> wrote:

Hi All,

I try to disable SSLv2 on HTTPs farm because of the PCI requirements. I couldn't do it by changing the Ciphers as Custom and write the cipher as "TLSv1+SSLv3+HIGH:-MEDIUM:-LOW:-ADH". I restarted the farm and it still has SSLv2 enabled.

Could you help about that?

Thank you.
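Added example, not part of the original thread or of Zen Load Balancer's code: a small audit of the URL patterns discussed in Message 2 ("/ED", "^/ED$" and ".*.(jpg|gif)") against near-miss request paths, to show which ones an unanchored "contains" match also selects. It assumes Python's re.search as a stand-in for the balancer's regex engine; the sample paths and the tightened image pattern are constructed for illustration.

```python
import re

# Constructed request paths: the intended targets plus near misses of the
# kind raised in the thread (not taken from any real log).
SAMPLE_PATHS = [
    "/ED", "/EDs", "/ED/", "/folder/ED", "/",
    "/img/logo.gif", "/reportgif", "/img/logo.gif.bak",
]

def matches(pattern, paths=SAMPLE_PATHS):
    """Paths selected by an unanchored, case-sensitive search for pattern.

    Assumption: re.search stands in for the balancer's own regex engine,
    which the thread describes as behaving like a "contains" match.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]

def overmatch(pattern, intended, paths=SAMPLE_PATHS):
    """Paths the pattern selects that the rule author did not intend."""
    return [p for p in matches(pattern, paths) if p not in intended]

# (pattern, paths the rule is meant to select); the last pattern is a
# hypothetical tightened form of the thread's image example.
RULES = [
    ("/ED", {"/ED"}),
    ("^/ED$", {"/ED"}),
    (".*.(jpg|gif)", {"/img/logo.gif"}),
    (r"\.(jpg|gif)$", {"/img/logo.gif"}),
]

def audit(rules=RULES, paths=SAMPLE_PATHS):
    """Map each pattern to its unintended matches; an empty list is clean."""
    return {pat: overmatch(pat, want, paths) for pat, want in rules}

if __name__ == "__main__":
    for pat, extra in audit().items():
        print(f"{pat!r:18} unintended matches: {extra or 'none'}")
```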
