VMware Networking Community
s57
Contributor
Contributor
‎08-27-2020 12:38 PM
Jump to solution

Load balancer application rules for reverse proxy

Hi all,

I'm having trouble getting the load balancer application rules to do what I need.  Our scenario is that we have multiple different https websites that arrive at the same IP address -- for example, site1.x.y.com, site2.x.y.com, etc.  For each different site, I need to point it to a different internal server.  VMware documentation on this specific scenario seems to be limited, and I've tried a number of different rule iterations I've found around the web -- for example, this is my most recent attempt that fails:

acl is_siteA hdr(Host) -i siteA.x.y.com

acl is_siteB hdr(Host) -i siteB.x.y.com

use_backend pool-A if is_siteA

use_backend pool-B if is_siteB

This fails with site can't be reached for either server.  I'm not sure if there's anything unique that needs to happen because this is https.  But nothing that I'm trying here seems to work.  Any insights into what I'm doing wrong would be appreciated!

1 Solution

Accepted Solutions
bayupw
Leadership
Leadership
‎08-27-2020 01:36 PM
Jump to solution

You can take a look at this slide: NSX-v 6.4 - Load Balancing ToI

slide #76

The pool defined in the Virtual Server would be something else.

Do you do any HTTPS offload or anything? What's the HTTPS settings on LB and on Server?

pastedImage_2.png

# Check if host is "app1.xyz.com" (case insensitive)

acl host_app1 hdr(Host) -i app1.xyz.com

# Check if host is "app2.xyz.com" (case insensitive)

acl host_app2 hdr(Host) -i app2.xyz.com

# Check if host is "app3*" (case insensitive)

acl host_any_app3 hdr_beg(host) -i app3

# Use specific pool for each hostname

use_backend pool_app1 if host_app1

use_backend pool_app2 if host_app2

use_backend pool_app3 if host_any_app3

#for everything else, use the pool defined in the Virtual Server

#Some other random examples of AppRules

# Some ACLs to check URL from Client request

acl url_a path_beg -i /a

acl url_t path_beg -i /t

acl url_test_nopersist path -i /test_nopersist.php

# Some ACLs to Cookie from Client request

acl cookie_dimi1 hdr_sub(cookie) dimi1=1

acl cookie_sitet hdr_sub(cookie) cookie_sitet

# Select special LB_pool based on ACL

use_backend pool_vipa if url_a

use_backend pool_vipt if url_t

use_backend pool_cookie1 if cookie_dimi1

# Select special LB_pool based on multiple ACLs

use_backend pool_multiple if url_t cookie_dimi1

# Inject a new Cookie based on ACL

rspadd Set-Cookie:\ inject1=1 if url_t

# Delete specific cookie based on ACL

reqidel ^Cookie:.*cookie_sitet= if url_test_nopersist

# Rewrite GET without "/app1"

acl app1 path_beg -i /app1

reqirep ^GET\ /app1/(.*)\ HTTP/(.*)  GET\ /\1\ HTTP/\2 if app1

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw

View solution in original post

0 Kudos
3 Replies
bayupw
Leadership
Leadership
‎08-27-2020 01:36 PM
Jump to solution

You can take a look at this slide: NSX-v 6.4 - Load Balancing ToI

slide #76

The pool defined in the Virtual Server would be something else.

Do you do any HTTPS offload or anything? What's the HTTPS settings on LB and on Server?

pastedImage_2.png

# Check if host is "app1.xyz.com" (case insensitive)

acl host_app1 hdr(Host) -i app1.xyz.com

# Check if host is "app2.xyz.com" (case insensitive)

acl host_app2 hdr(Host) -i app2.xyz.com

# Check if host is "app3*" (case insensitive)

acl host_any_app3 hdr_beg(host) -i app3

# Use specific pool for each hostname

use_backend pool_app1 if host_app1

use_backend pool_app2 if host_app2

use_backend pool_app3 if host_any_app3

#for everything else, use the pool defined in the Virtual Server

#Some other random examples of AppRules

# Some ACLs to check URL from Client request

acl url_a path_beg -i /a

acl url_t path_beg -i /t

acl url_test_nopersist path -i /test_nopersist.php

# Some ACLs to Cookie from Client request

acl cookie_dimi1 hdr_sub(cookie) dimi1=1

acl cookie_sitet hdr_sub(cookie) cookie_sitet

# Select special LB_pool based on ACL

use_backend pool_vipa if url_a

use_backend pool_vipt if url_t

use_backend pool_cookie1 if cookie_dimi1

# Select special LB_pool based on multiple ACLs

use_backend pool_multiple if url_t cookie_dimi1

# Inject a new Cookie based on ACL

rspadd Set-Cookie:\ inject1=1 if url_t

# Delete specific cookie based on ACL

reqidel ^Cookie:.*cookie_sitet= if url_test_nopersist

# Rewrite GET without "/app1"

acl app1 path_beg -i /app1

reqirep ^GET\ /app1/(.*)\ HTTP/(.*)  GET\ /\1\ HTTP/\2 if app1

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
0 Kudos
s57
Contributor
Contributor
‎08-27-2020 05:23 PM
Jump to solution

Thanks for the info and the links.  Looking through all this documentation, it seems like this is almost exactly what I want to do:  https://vxsan.com/multi-backend-ssl-passthrough-loadbalancing-with-nsx/

I'm using SSL passthrough also, so this appears to be just what I want to accomplish.  i setup my application rule exactly like on this page -- only replacing pool and host names -- but it's still not working.  If I use a default pool, it works, so I know there's nothing wrong with the pool configuration -- but for whatever reason this rule is not doing it.

tcp-request inspect-delay 5s

tcp-request content accept if { req_ssl_hello_type 1 }

tcp-request content reject

use_backend HTTPS_pt_app1 if { req_ssl_sni -i app1.gslb.int.vxsan.com }

use_backend HTTPS_pt_app2 if { req_ssl_sni -i app2.gslb.int.vxsan.com }

0 Kudos
s57
Contributor
Contributor
‎08-27-2020 06:40 PM
Jump to solution

I think I found the issue -- looks like there's a bug in NSX 6.4.6:  VMware Knowledge Base

After I edited the file as noted in the kb, it worked instantly!  🙂  Thanks for ultimately getting me pointed in the right direction.