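Client --- LB --- Real server
The LB device performs Layer 7 load balancing based on URL. Client traffic first requests the domain whose URL contains testzzwxy and, once that succeeds, is redirected to request the domain whose URL contains ish. During testing, the client could not access the service successfully.
The main addresses are as follows:
Virtual service address: 192.140.203.12
SNAT address: 192.140.203.12
testzzwxy real server address: 192.141.83.3 8081
ish real server addresses: 192.141.8.73 8081 192.141.8.74 8081
The main LB configuration is as follows: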
#
virtual-server gjjzzgrwsyw type http
port 443
virtual ip address 192.140.203.12
parameter http pp-gjj
lb-policy gjj_zzgrwsyw
sticky COOKIE1
ssl-server-policy gjj-20221221
route-advertisement enable
service enable
#
parameter-profile pp-gjj type http
rebalance per-request
#
sticky-group COOKIE1 type http-COOKIE
COOKIE insert
check all-packet
#
loadbalance policy gjj_zzgrwsyw type http
class gjj_zzgrwsyw_ish action https-upgrade
class gjj_zzgrwsyw_testzzwx action gjjxcx_testzzwx
#
loadbalance class gjj_zzgrwsyw_ish type http match-any
match 1 url ish
#
loadbalance class gjj_zzgrwsyw_testzzwx type http match-any
match 1 url testzzwx
#
loadbalance action gjjxcx_testzzwx type http
server-farm gjjxcx_testzzwx sticky COOKIE1
header insert both name x-forwarded-for value %is
#
loadbalance action https-upgrade type http
server-farm gjjzzgrwsyw_sf sticky COOKIE1
header insert both name x-forwarded-for value %is
header insert response name content-security-policy value upgrade-insecure-requests
#
server-farm gjjxcx_testzzwx
predictor random
snat-pool gjjzzgrwsyw_snat
probe t1
success-criteria at-least 1
real-server gjjxcx_192.141.83.3_8081_testzzwx port 8081
success-criteria at-least 1
probe t1
#
real-server gjjxcx_192.141.83.3_8081_testzzwx
ip address 192.141.83.3
port 8081
probe t1
success-criteria at-least 1
#
server-farm gjjzzgrwsyw_sf
predictor hash address source
snat-pool gjjzzgrwsyw_snat
probe t1
#
real-server gjjzzgrwsyw_192.141.80.73_8081
ip address 192.141.80.73
port 8081
server-farm gjjzzgrwsyw_sf
#
real-server gjjzzgrwsyw_192.141.80.74_8081
ip address 192.141.80.74
port 8081
server-farm gjjzzgrwsyw_sf
#
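Packet captures taken on the LB device showed that, when the LB proxies the Layer 7 requests, requests for the testzzwxy URL domain are forwarded correctly to the real server 192.141.83.3 on port 8081. After the subsequent redirect to the ish domain, the device still load-balances to 192.141.83.3 instead of to 192.141.8.73/74, so the server side replies with a 404 error for an invalid requested file.
The capture locates the problem at this point. For a service model like this one, with a second redirect to a domain whose server address or port is different, per-request forwarding must be enabled, meaning that for every incoming packet the device makes a new load-balancing decision according to the LB policy. The configuration shows that the parameter profile is both configured and referenced: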
#
virtual-server gjjzzgrwsyw type http
port 443
virtual ip address 192.140.203.12
parameter http pp-gjj
lb-policy gjj_zzgrwsyw
sticky COOKIE1
ssl-server-policy gjj-20221221
route-advertisement enable
service enable
#
parameter-profile pp-gjj type http
rebalance per-request
#
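Normally, once per-request rebalancing is referenced, this service model sends each request to the server for the corresponding domain. In the on-site configuration, however, a sticky group is referenced under the virtual server. Stickiness referenced under the virtual server has the highest scheduling priority: once traffic matches the sticky group, it is no longer matched against the lb-policy, so the requests for the ish domain that follow the redirect are not load-balanced to the correct real servers.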
#
virtual-server gjjzzgrwsyw type http
port 443
virtual ip address 192.140.203.12
parameter http pp-gjj
lb-policy gjj_zzgrwsyw
sticky COOKIE1
ssl-server-policy gjj-20221221
route-advertisement enable
service enable
#
sticky-group COOKIE1 type http-COOKIE
COOKIE insert
check all-packet
#
The solution is to remove the sticky group referenced under the virtual server:
#
virtual-server gjjzzgrwsyw type http
port 443
virtual ip address 192.140.203.12
parameter http pp-gjj
lb-policy gjj_zzgrwsyw
sticky COOKIE1 (remove this line with undo)
ssl-server-policy gjj-20221221
route-advertisement enable
service enable
#
If the customer does need a sticky group, it can be referenced in the load-balancing actions instead, for example:
#
loadbalance action gjjxcx_testzzwx type http
server-farm gjjxcx_testzzwx sticky COOKIE1
header insert both name x-forwarded-for value %is
#
loadbalance action https-upgrade type http
server-farm gjjzzgrwsyw_sf sticky COOKIE1
header insert both name x-forwarded-for value %is
header insert response name content-security-policy value upgrade-insecure-requests
#
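The scheduling order this case describes, as a simplified Python model (an added example, not H3C code and not part of the original case). The `LoadBalancer` class, the `client-1` cookie value and the two URL paths are constructed, and the predictor is reduced to "first farm member"; farm names and addresses come from the configuration above.

```python
# Simplified model of the scheduling order described in this case (constructed;
# not H3C's implementation). Farm contents are taken from the configuration above.
FARMS = {
    "gjjxcx_testzzwx": ["192.141.83.3:8081"],
    "gjjzzgrwsyw_sf": ["192.141.80.73:8081", "192.141.80.74:8081"],
}
# lb-policy gjj_zzgrwsyw: (URL substring to match, server farm of the action)
POLICY = [("ish", "gjjzzgrwsyw_sf"), ("testzzwx", "gjjxcx_testzzwx")]


class LoadBalancer:
    def __init__(self, sticky_on_virtual_server):
        self.sticky_on_virtual_server = sticky_on_virtual_server
        self.vs_sticky = {}      # cookie -> real server (sticky under virtual server)
        self.action_sticky = {}  # (farm, cookie) -> real server (sticky under action)

    def schedule(self, cookie, url):
        """Return the real server chosen for one request (rebalance per-request)."""
        # Sticky referenced under the virtual server is checked first; a hit
        # bypasses the lb-policy entirely, which is the fault in this case.
        if self.sticky_on_virtual_server and cookie in self.vs_sticky:
            return self.vs_sticky[cookie]
        farm = next((f for pat, f in POLICY if pat in url), None)
        if farm is None:
            return None  # no class matched; default handling is not modelled
        # Sticky referenced in the action only applies inside the matched farm.
        # Assumption: the predictor is simplified to "first member of the farm".
        server = self.action_sticky.setdefault((farm, cookie), FARMS[farm][0])
        if self.sticky_on_virtual_server:
            self.vs_sticky[cookie] = server
        return server


def replay(sticky_on_virtual_server):
    """Replay the client flow: testzzwxy first, then the redirect to ish."""
    lb = LoadBalancer(sticky_on_virtual_server)
    return [lb.schedule("client-1", url) for url in ("/testzzwxy/login", "/ish/index")]


if __name__ == "__main__":
    print("sticky under virtual server:", replay(True))
    print("sticky only in actions:     ", replay(False))
```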