I am configuring Nginx to sit in front of several IIS web servers to do
load balancing and SSL signing. The IIS application is supplied by an
outside vendor. I have the load balancing and SSL signing working, with
one exception.

The login page doesn't work. :(

When the vendor hosts this application, they use F5 hardware for SSP and
load balancing. They gave me this rule that they use in the F5 that I need
to translate to nginx-ese:

when HTTP_REQUEST {
    HTTP::header remove SWSSLHDR
    HTTP::header insert SWSSLHDR [TCP::local_port]
}

Is anyone here familiar w/ F5 hardware that can help translate this?
--
William Brown
Core Hosted Application Technical Team and Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285
Confidentiality Notice:
This electronic message and any attachments may contain confidential or
privileged information, and is intended only for the individual or entity
identified above as the addressee. If you are not the addressee (or the
employee or agent responsible to deliver it to the addressee), or if this
message has been addressed to you in error, you are hereby notified that
you may not copy, forward, disclose or use any part of this message or any
attachments. Please notify the sender immediately by return e-mail or
telephone and delete this message from your system.
on 2013-03-19 15:14
on 2013-03-19 15:44
The code does the following:

1. remove an HTTP header named "SWSSLHDR"
2. replaces it with SWSSLHDR: port, where the port is the local port of
   the "current context's TCP connection", presumably the port that your F5
   virtual server is listening on.

This is presumably to separate SSL and non SSL traffic, or to allow for
load balancing across websites that are hosted on ports 8080, 8000 or
other nonstandard ports.

One thought - are you configuring the nginx server to terminate SSL and
then proxy to a single upstream endpoint? Is this the same topology as
the F5 one? Is the entire site SSL or just the login portions?

Peter
on 2013-03-19 16:12
On Tue, Mar 19, 2013 at 10:43 PM, Peter Booth <Peter_Booth@s5a.com> wrote:
> The code does the following:
>
> 1. remove an HTTP header named "SWSSLHDR"
> 2. replaces it with SWSSLHDR: port, where the port is the local port of
> the "current context's TCP connection", presumably the port that your F5
> virtual server is listening on.
>

"when HTTP_REQUEST" is actually client-side, so the port in question
would be the port on the backend server that it proxies to. Seems kind
of strange to even pass this info along, unless somehow your backends
are all listening on different ports. Whatever the case, this is what it
actually means.

-jf
on 2013-03-19 16:43
Peter Booth wrote on 03/19/2013 10:43:12 AM:
> The code does the following:
>
> 1. remove an HTTP header named "SWSSLHDR"
> 2. replaces it with SWSSLHDR: port, where the port is the local port of
> the "current context's TCP connection", presumably the port that your F5
> virtual server is listening on.

I had somewhat figured that out. It isn't clear from the notes I got from
the vendor as to what the current context is. I'm guessing the client side,
but I can test that.

> This is presumably to separate SSL and non SSL traffic, or to allow for
> load balancing across websites that are hosted on ports 8080, 8000 or
> other nonstandard ports.
>
> One thought - are you configuring the nginx server to terminate SSL and
> then proxy to a single upstream endpoint? Is this the same topology as
> the F5 one? Is the entire site SSL or just the login portions?

Presently, we are using a CentOS box with Piranha for load balancing, but
we wish to implement SSL. There are about 50 sites hosted with three
upstream servers. I don't want to tie up 150 IP addresses for SSL on them,
so I want to terminate the SSL connection at the nginx server and use HTTP
on port 80 to connect from nginx to IIS.

The F5 information is just what the IIS application vendor says they use
in their configuration. We may be buying an F5 in the future, but I need
SSL in the short term.

Would I add to the location section something like this:

more_set_input_headers -r SWSSLHDR $server_port

If $server_port isn't correct, I could try $remote_port. Are there any
other port variables that I've missed?

From my reading of the F5 docs, the "when HTTP_REQUEST" indicates this is
only processed on requests received from clients. Since they are always
removing the SWSSLHDR from incoming requests, then adding it again, I
think using the -r option is sensible and only adding it if it exists.

Now I'm off to rebuild nginx with HttpHeadersMoreModule.
on 2013-03-19 17:55
You might find that you get most traction with open resty - it's an nginx
bundle project that includes ngx_lua, HttpHeadersMoreModule and a bunch of
other modules that are great for transforming requests and implementing
F5-like logic. I have been using it for six months and it's saved me a
bunch of time and helped me get weird stuff done. The openresty mailing
list is very responsive.
on 2013-03-19 19:05
peter wrote on 03/19/2013 01:54:20 PM:
> You might find that you get most traction with open resty - its an
> nginx bundle project that includes ngx_lua,
> HttpHeadersMoreModule and a bunch of other mopdules that are great
> for transforming requests
> and implementing F5-like logic. I have been using it for six months
> and its saved me a bunch of time
> and helped me get weird stuff done. The openresty mailing list is
> very responsive.

Thank you for the suggestion. OpenResty certainly looks like an
interesting project adding lots of additional features/modules to the
base nginx. My requirements are fairly limited, so I don't need all the
development features it offers.

If I get stymied with the base nginx plus specific modules (i.e.
headers-more-nginx-module-master) then I will try OpenResty.
on 2013-03-20 08:06
On Mar 19, 2013, at 19:42 , WBrown@e1b.org wrote:
> vender as to what the current context is. I'm guessing the client side,
> Presently, we are using an Centos box with Piranha for load balancing, but
>
> more_set_input_headers -r SWSSLHDR $server_port

proxy_set_header SWSSLHDR $server_port;

--
Igor Sysoev
http://nginx.com/services.html
on 2013-03-20 09:18
On Wed, Mar 20, 2013 at 3:05 PM, Igor Sysoev <igor@sysoev.ru> wrote:
>>
>>> the F5 one? Is the entire site SSL or just the login portions?
>>
>> Would I add to the location section something like this:
>>
>> more_set_input_headers -r SWSSLHDR $server_port
>
> proxy_set_header SWSSLHDR $server_port;
>

nice catch! But once again, because HTTP_REQUEST is client-side, so
says this F5-certified engineer with reference to the docs, it should
be $proxy_port instead of $server_port.

-jf
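Added example, not part of the thread or of any poster's configuration: a minimal nginx layout for the topology described above (SSL terminated at nginx, plain HTTP on port 80 to three IIS backends), showing where the header directive from the replies goes and what each port variable evaluates to. The upstream name, addresses, server name and certificate paths are placeholders, and which port value the vendor application expects is not stated in the thread.

```nginx
# Added example: all names, addresses and paths below are placeholders.
upstream iis_backend {                 # hypothetical upstream name
    server 192.0.2.11:80;              # constructed addresses (TEST-NET-1)
    server 192.0.2.12:80;
    server 192.0.2.13:80;
}

server {
    listen 80;
    server_name site1.example.org;     # placeholder site name

    location / {
        proxy_pass http://iis_backend;
        proxy_set_header Host $host;
        # proxy_set_header replaces a client-supplied header of the same
        # name, so a browser cannot forge SWSSLHDR. This one directive
        # covers both the "remove" and the "insert" of the F5 rule.
        # On this listener $server_port evaluates to 80.
        proxy_set_header SWSSLHDR $server_port;
    }
}

server {
    listen 443 ssl;
    server_name site1.example.org;
    ssl_certificate     /etc/nginx/ssl/site1.example.org.crt;  # placeholder
    ssl_certificate_key /etc/nginx/ssl/site1.example.org.key;  # placeholder

    location / {
        proxy_pass http://iis_backend;
        proxy_set_header Host $host;
        # $server_port: port nginx accepted the request on (443 here).
        # $proxy_port:  port named in proxy_pass, or the scheme default
        #               when none is given (80 for http:// here).
        # $remote_port: the client's ephemeral source port.
        proxy_set_header SWSSLHDR $server_port;
    }
}
```

proxy_set_header directives are inherited from the enclosing level only when the current level defines none, so any location that sets another header must repeat the SWSSLHDR line or the client's own value is passed through to IIS.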
on 2013-03-21 13:18
> > proxy_set_header SWSSLHDR $server_port;
> >
>
> nice catch! But once again, because HTTP_REQUEST is client-side, so
> says this F5-certified engineer with reference to the docs, it should
> be $proxy_port instead of $server_port.

Thanks to everyone that responded to my questions. Nginx has a great
community around it!

It has become clear that I need to learn more about the HTTP protocol. I
am starting with the O'Reilly book "HTTP The Definitive Guide". Does
anyone have other recommended reading to help me understand how HTTP
operates?