
Binding URL based Content Switching policy to CS Server Citrix MPX8930



Hi all,

The assignment is to have one IP on the NS which will redirect traffic based on URL (e.g. www.abc.com/xxx, www.abc.com).

I've created 2 policies and bound them to the CS vServer, but they do not both get hit; just 1 of them hits in the CS. Policy 1: when a client goes to www.abc.com/xxx, redirect client requests to vServer A. Policy 2: redirect client requests to vServer B when a client goes to www.abc.com (priority: policy 1 < 2).

If I bind the 2 policies in the CS, just 1 of them hits. These are the expressions of the 2 policies:

Policy 1:

HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/xxx")

Policy 2:

HTTP.REQ.IS_VALID

 

 

Thanks for your help!


16 hours ago, Carl Stalhood1709151912 said:

For 1, I would do STARTSWITH instead of CONTAINS.

 

For 2, I would unbind the policy and instead bind it as the Content Switch's Default Virtual Server. Or you can change the expression to HTTP.REQ.HOSTNAME.EQ("www.abc.com")

Thank you very much for replying to me.

I changed the expressions as in your comment (changed the expressions of the 2 policies, or bound policy 1 and bound the Default Virtual Server) but it still does not work; just 1 of the 2 policies hits in the CS.


You might want to share your policy config and test URLs, you can still obscure them but there might be something in the binding or the details you aren't sharing that is throwing off your results.

show ns runningconfig | grep <cs vserver name> -i

Also note, if your cs policies have ACTIONs or if you are specifying destinations in the BINDINGS (target lb vserver)

 

What URLs are you testing against the policies?

A policy is only going to match the first policy match it finds. So, if your traffic overlaps with policy at priority 100 it may not hit the later policy or the default destination.

 

For example: for the following 4 sample URLs:

[1] http://www.abc.com/xxx

[2] http://www.abc.com/xxx/otherstuff.asp?a1=b1

[3] http://www.abc.com/

[4] http://www.abc.com/yyy/

 

NOTE: priority 100 is MORE IMPORTANT than Priority 200; lower the index, higher the importance.

If you had a cs vserver with the following policy bindings and/default path:

cs_pol1:  http.req.url.path.set_text_mode(ignorecase).startswith("/xxx")             Priority 100

cs_pol2:  http.req.url.path.set_text_mode(ignorecase).startswith("/xxx/otherstuff")  Priority 200

cs_pol3:  http.req.url.path.set_text_mode(ignorecase).startswith("/yyy")             Priority 300

cs_pol4:  http.req.hostname.set_text_mode(ignorecase).eq("abc.demo.com")             Priority 400

Example [1] will match on cs_pol1 (first match, higher priority)

Example [2] will also match on cs_pol2 (first match, higher priority)

Example [3] will match on cs_pol4 (no other paths match, but hostname matches in this set)

Example [4] will match on cs_pol3

 


34 minutes ago, Rhonda Rowland1709152125 said:

You might want to share your policy config and test URLs, you can still obscure them but there might be something in the binding or the details you aren't sharing that is throwing off your results.


Thank you very much Rowland,

I just typed show ns runningconfing | grep <cs vserver name> -i and it shows nothing.

My 2 policies are like your comment but they don't all match and I don't know the reason. There are 2 URLs:

[1] http://10.20.21.170/ocsp

[2] http://10.20.21.170

pol1:  HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/ocsp")      action target to vServer A    Priority: 100

pol2:  http.req.hostname.set_text_mode(ignorecase).eq("10.20.21.170")  action target to vServer B    Priority: 200

When I bind the 2 policies, just pol2 is working. Please help me.

 

 

 


You are in shell not the cli.

Show ns runningconfig must be run from the CLI; same context as when you first connect to ssh.

If you enter: shell you are interacting with the file system and the BSD shell. cli commands don't work from this level.

 

Try changing your policy 1 to HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/ocsp")

 

Also there are some CS policy parameters that can change the evaluation from policy/expression to URL which would change the processing order.

So, once we see the cs vserver properties, we will have more of an idea of what's going on.

If you are in the GUI: this will be under the cs vserver properties, I think under "traffic settings". But I could be off.
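
The first-match evaluation discussed in the replies above, modelled as an added Python example (not code from the thread or from Citrix). The rule builders, the `route` and `never_hit` helpers and the inverted binding set are constructed for illustration, and the model assumes HTTP.REQ.URL covers path plus query string while URL.PATH covers the path only.

```python
from urllib.parse import urlsplit

def parse(url):
    """Split a test URL into the parts the thread's expressions look at."""
    u = urlsplit(url)
    path = u.path or "/"
    # Model assumption: HTTP.REQ.URL is path plus query, URL.PATH is path only.
    return {"host": (u.hostname or "").lower(), "path": path.lower(),
            "url": (path + ("?" + u.query if u.query else "")).lower()}

# Rule builders mirroring the expressions quoted in the thread (IGNORECASE).
def path_startswith(prefix):
    return lambda req: req["path"].startswith(prefix.lower())

def url_contains(text):
    return lambda req: text.lower() in req["url"]

def hostname_eq(name):
    return lambda req: req["host"] == name.lower()

def route(bindings, default, url):
    """First match wins; the lowest priority number is evaluated first."""
    req = parse(url)
    for _prio, name, rule, target in sorted(bindings, key=lambda b: b[0]):
        if rule(req):
            return name, target
    return None, default

def never_hit(bindings, default, urls):
    """Policies that win for none of the test URLs (shadowed or unmatched)."""
    winners = {route(bindings, default, u)[0] for u in urls}
    return [name for _p, name, _r, _t in bindings if name not in winners]

# Bindings as posted in the thread: pol1 at 100, pol2 at 200.
AS_POSTED = [
    (100, "pol1", path_startswith("/ocsp"), "vServer A"),
    (200, "pol2", hostname_eq("10.20.21.170"), "vServer B"),
]
# Constructed variant: same rules, but the broad hostname rule sorts first.
INVERTED = [(50, "pol2", AS_POSTED[1][2], "vServer B"), AS_POSTED[0]]
TEST_URLS = ["http://10.20.21.170/ocsp", "http://10.20.21.170"]

if __name__ == "__main__":
    for label, b in (("as posted", AS_POSTED), ("inverted", INVERTED)):
        for u in TEST_URLS:
            print(label, u, "->", route(b, "default vserver", u))
        print(label, "never hit:", never_hit(b, "default vserver", TEST_URLS))
```

Running the same test URLs through the model and comparing the result with the hit counters on the appliance shows whether the bound priorities and expressions match what was intended.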

 
