Need vserver to listen on 1000 non contiguous ports


Ryan LEWKOWICZ


We're doing some interesting legacy migrations and part of this is that the old system used service groups and could pass back to a server listening on any port. SSL termination happened on those ports. 

In the new system, I can only pass back to 80 but I need all those same ports to listen for http and https. I run into string limits trying to do 1k port listen policies. Any syntax tips and tricks to make this easier?


You should be able to use named expressions in the listen policies, so group related ports into a named advanced expression and then compose your listen policy with these to get around character limits.


add policy expression exp_portrange1 'client.tcp.dstport.between(80,88) || client.tcp.dstport.eq(90) || ...'

add policy expression exp_portrange2 <expression>


Then in your listen policy just reference the named expressions as:

exp_portrange1 || exp_portrange2 || <other>


On 3/21/2019 at 0:41 PM, Rhonda Rowland1709152125 said:

You should be able to use named expressions in the listen policies, so group related ports into a named advanced expression and then compose your listen policy with these to get around character limits.


add policy expression exp_portrange1 'client.tcp.dstport.between(80,88) || client.tcp.dstport.eq(90) || ...'

add policy expression exp_portrange2 <expression>


Then in your listen policy just reference the named expressions as:

exp_portrange1 || exp_portrange2 || <other>

This works, as long as I don't do a port type of http. It has to be ANY proto, ANY port, but then my url rewrite stops working. Is there some sort of client.http.dstport.between(80,88)?


You should be able to create your vserver of type HTTP:*

unless you are on older builds. Which build are you on?


Then you can use your HTTP rewrite policies and your listen policies to constrain the port.

There is no client.http object. Ports are either TCP or UDP based. The vserver traffic type determines whether your vserver is web-based or not, which affects whether you are doing http rewrites or tcp rewrites.

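Putting the two replies above together as an added example (this is my code, not either poster's, and not a Citrix-supplied tool): a small generator that collapses a long list of ports into `CLIENT.TCP.DSTPORT` terms, packs those terms into named policy expressions that stay under a length budget, and emits an `HTTP` vserver on port `*` whose listen policy references the named expressions. The vserver name, the VIP, the `exp_portrange` prefix and the `MAX_EXPR_LEN` budget are assumptions; the budget in particular should be set from the expression length limit on your build. Because a listen policy is an allowlist (a connection to any port the expression does not cover is refused by that vserver), the generated expression must cover every port the legacy system served.

```python
# Added example: generate NetScaler CLI for a port allowlist expressed as
# named policy expressions plus an HTTP:* vserver with a listen policy.
# Assumed values: MAX_EXPR_LEN, the exp_portrange prefix, the vserver name
# and VIP used in the sample at the bottom.
from typing import Iterable, List, Tuple

MAX_EXPR_LEN = 1000  # assumed per-expression budget; check the limit on your build


def compress_ports(ports: Iterable[int]) -> List[Tuple[int, int]]:
    """Collapse a set of ports into sorted, inclusive (lo, hi) ranges."""
    ranges: List[Tuple[int, int]] = []
    for p in sorted(set(ports)):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)  # extend the current run
        else:
            ranges.append((p, p))
    return ranges


def range_term(lo: int, hi: int) -> str:
    """One destination-port term; BETWEEN(lo,hi) is inclusive on NetScaler."""
    if lo == hi:
        return f"CLIENT.TCP.DSTPORT.EQ({lo})"
    return f"CLIENT.TCP.DSTPORT.BETWEEN({lo},{hi})"


def chunk_terms(terms: List[str], max_len: int = MAX_EXPR_LEN) -> List[str]:
    """Join terms with ' || ' into expression strings no longer than max_len."""
    chunks: List[str] = []
    current: List[str] = []
    for t in terms:
        if len(t) > max_len:
            raise ValueError(f"single term exceeds budget: {t}")
        if current and len(" || ".join(current + [t])) > max_len:
            chunks.append(" || ".join(current))
            current = [t]
        else:
            current.append(t)
    if current:
        chunks.append(" || ".join(current))
    return chunks


def listen_policy_cli(vserver: str, vip: str, ports: Iterable[int],
                      prefix: str = "exp_portrange",
                      max_len: int = MAX_EXPR_LEN) -> List[str]:
    """Emit 'add policy expression' lines and the HTTP:* vserver that uses them."""
    terms = [range_term(lo, hi) for lo, hi in compress_ports(ports)]
    names: List[str] = []
    lines: List[str] = []
    for i, expr in enumerate(chunk_terms(terms, max_len), start=1):
        name = f"{prefix}{i}"
        names.append(name)
        lines.append(f'add policy expression {name} "{expr}"')
    policy = " || ".join(names)
    # Port * plus the listen policy: only the listed ports are accepted, and the
    # HTTP vserver type keeps HTTP rewrite/responder policies applicable.
    lines.append(f'add lb vserver {vserver} HTTP {vip} * '
                 f'-Listenpolicy "{policy}" -Listenpriority 1')
    return lines


if __name__ == "__main__":
    # Constructed sample: a contiguous block, a gap, and a few scattered ports.
    sample = list(range(80, 89)) + [90] + [8080, 8081, 8443, 9000]
    print("\n".join(listen_policy_cli("lb-vs-np-v1-grid", "10.0.0.10", sample, max_len=80)))
```

Run it against the real port file (one port per line) and paste the output into the CLI; with a realistic budget the thousand ports collapse into a handful of named expressions, and the listen policy line itself stays short because it only names them.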

EDIT: I'm marking this as the solution for now, but there may be a better one pending response. 


On 3/22/2019 at 6:46 PM, Rhonda Rowland1709152125 said:

You should be able to create your vserver of type HTTP:*

unless you are on older builds. Which build are you on?


Then you can use your HTTP rewrite policies and your listen policies to constrain the port.

There is no client.http object. Ports are either TCP or UDP based. The vserver traffic type determines whether your vserver is web-based or not, which affects whether you are doing http rewrites or tcp rewrites.

I'm on version 12. I also needed to listen on SSL on some of these ports. I couldn't do one vip and * on both http and ssl (so it seemed). Too with the policies, it just seemed to not work. It was kinda weird. But if I wasn't using the http/ssl protocols, the rule rewrites wouldn't work

My final solution is unfortunately 2k total vservers bound to one vip. For anyone that's wondering, the work for you here:

I'll do a quick frame of the commands although there's a bit more than this

## I like these for testing
# clear ns config -force  full
# set system user nsroot -timeout 99999999
# add dns nameServer YOURNS
# add nsip YOURSNIP 255.255.255.0 -type SNIP

#Feature enablement
enable ns feature LB REWRITE RESPONDER SSL

#I import all my ssl stuff:
import ssl certFile gridcert MYCERTURL
import ssl keyfile gridkey MYKEYURL
add ssl certKey gridcertkey -cert gridcert -key gridkey

#add a bunch of servers
add server np-gorouter7 IP
add server np-gorouter6 IP
add server np-gorouter5 IP
add server np-gorouter4 IP
add server np-gorouter3 IP
add server np-gorouter2 IP
add server np-gorouter1 IP
add server np-gorouter8 IP

#create a set of service groups
#([1-5] and [1-8] below are shorthand for one command per number in the range)

add serviceGroup lb-sg-np-80-v1-grid[1-5] HTTP -maxClient 0 -maxReq 0 -cacheable YES -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO -downStateFlush DISABLED
bind serviceGroup lb-sg-np-80-v1-grid1 np-gorouter[1-8] 80
bind serviceGroup lb-sg-np-80-v1-grid2 np-gorouter[1-8] 80
bind serviceGroup lb-sg-np-80-v1-grid3 np-gorouter[1-8] 80
bind serviceGroup lb-sg-np-80-v1-grid4 np-gorouter[1-8] 80
bind serviceGroup lb-sg-np-80-v1-grid5 np-gorouter[1-8] 80

#and another
add serviceGroup lb-sg-np-443-v1-grid[1-5] HTTP -maxClient 0 -maxReq 0 -cacheable YES -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP NO -downStateFlush DISABLED
bind serviceGroup lb-sg-np-443-v1-grid1 np-gorouter[1-8] 80
bind serviceGroup lb-sg-np-443-v1-grid2 np-gorouter[1-8] 80
bind serviceGroup lb-sg-np-443-v1-grid3 np-gorouter[1-8] 80
bind serviceGroup lb-sg-np-443-v1-grid4 np-gorouter[1-8] 80
bind serviceGroup lb-sg-np-443-v1-grid5 np-gorouter[1-8] 80

###Now onto all the vservers

For the vservers, I just have a new line delimited list of port numbers. To generate the commands I do this:

for i in `cat https_sorted`; do echo add lb vserver lb-vs-np-$i-v1-grid SSL IP $i -persistenceType NONE -cltTimeout 180 >> addhttpsvserver; done

#Then we'll create our binds

COUNT=1
ROUTER=1

for i in `cat https_sorted`; do
  if [ $COUNT -gt 250 ]; then
    ((ROUTER++))
    COUNT=1
  fi
  ((COUNT++))
  echo "bind lb vserver lb-vs-np-$i-v1-grid lb-sg-np-443-v1-grid$ROUTER">> bindhttpsvserver;
done

#then we'll bind our ssl's

for i in `cat https_sorted`; do echo bind ssl vserver lb-vs-np-$i-v1-grid -certkeyName gridcertkey >> bindssl; done

#If you're on mac, cat these files into pbcopy and they can paste right into the netscaler

So this is one vip, 250 vservers to each sg. This is gross, but if I'm reading this:
https://discussions.citrix.com/topic/389392-load-balancing-mixed-protocol-services/

Properly, this is the best bet. I need one vip and on that vip port/protocol dependently respond to a request.

I should add, that's all https, but you can follow suit with http

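The three bash loops in the post above, as an added example in one script (mine, not the poster's, and not a Citrix tool): it parses the newline-delimited port file, emits the `add lb vserver`, `bind lb vserver` and `bind ssl vserver` lines with the same names the post uses (`lb-vs-np-<port>-v1-grid`, `lb-sg-np-443-v1-grid<N>`, `gridcertkey`), shards 250 vservers per service group exactly as the `COUNT`/`ROUTER` loop does, and refuses to run if the port list needs more service groups than were created (the bash version would silently emit binds to a non-existent `grid6` past 1250 ports). The VIP, the shard size, the number of groups and the sample port list are assumptions.

```python
# Added example: generate the per-port SSL vserver configuration from a port
# list, sharding binds across the service groups created earlier in the post.
# Assumed values: VIP, SHARD_SIZE, SERVICE_GROUPS and the sample port file.
from typing import Iterable, List

SHARD_SIZE = 250      # vservers per service group, as in the post's loop
SERVICE_GROUPS = 5    # lb-sg-np-443-v1-grid1..5 were created above


def parse_port_list(text: str) -> List[int]:
    """Parse a newline-delimited port file; reject junk and duplicates up front."""
    ports: List[int] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.isdigit() or not 1 <= int(line) <= 65535:
            raise ValueError(f"line {lineno}: not a valid port: {raw!r}")
        port = int(line)
        if port in seen:
            raise ValueError(f"line {lineno}: duplicate port {port}")
        seen.add(port)
        ports.append(port)
    return ports


def capacity_ok(n_ports: int, shard_size: int = SHARD_SIZE,
                groups: int = SERVICE_GROUPS) -> bool:
    """True if n_ports vservers fit into the service groups that exist."""
    return n_ports <= shard_size * groups


def shard_for(index: int, shard_size: int = SHARD_SIZE,
              groups: int = SERVICE_GROUPS) -> int:
    """1-based service-group number for the index-th (0-based) vserver."""
    group = index // shard_size + 1
    if group > groups:
        raise ValueError(f"vserver #{index + 1} needs service group {group}, "
                         f"but only {groups} exist")
    return group


def ssl_vserver_cli(vip: str, ports: Iterable[int], certkey: str = "gridcertkey",
                    sg_prefix: str = "lb-sg-np-443-v1-grid",
                    shard_size: int = SHARD_SIZE,
                    groups: int = SERVICE_GROUPS) -> List[str]:
    """Emit add/bind lines in the same order the post's three files are pasted."""
    port_list = list(ports)
    if not capacity_ok(len(port_list), shard_size, groups):
        raise ValueError(f"{len(port_list)} ports exceed {shard_size * groups} slots")
    add, bind_sg, bind_ssl = [], [], []
    for idx, port in enumerate(port_list):
        vs = f"lb-vs-np-{port}-v1-grid"
        sg = f"{sg_prefix}{shard_for(idx, shard_size, groups)}"
        add.append(f"add lb vserver {vs} SSL {vip} {port} "
                   f"-persistenceType NONE -cltTimeout 180")
        bind_sg.append(f"bind lb vserver {vs} {sg}")
        bind_ssl.append(f"bind ssl vserver {vs} -certkeyName {certkey}")
    return add + bind_sg + bind_ssl


if __name__ == "__main__":
    # Constructed stand-in for the https_sorted file.
    sample_file = "# https ports\n443\n8443\n9443\n"
    print("\n".join(ssl_vserver_cli("10.0.0.10", parse_port_list(sample_file))))
```

The same function with `SSL` swapped for `HTTP`, the `lb-sg-np-80-v1-grid` prefix and no `bind ssl vserver` line covers the http side. One caveat on the testing prelude in the post: `set system user nsroot -timeout 99999999` effectively switches off idle logout for the superuser account and should not survive into a non-lab box.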

Archived

This topic is now archived and is closed to further replies.
