
NetScaler - Reverse Proxy



Hi  ADC Experts,

 

We have a request to create a reverse proxy (port 443) from our internal server to two servers in the DMZ.

The backend service should work as https://lbVIP/server01 or https://lbVIP/Server02

 

Please let me know if we can forward the requests to backend service as mentioned above.

 

Awaiting your valuable response.

Link to comment
Share on other sites

You can create a service group with both servers in it and bind it to an SSL load balanced vserver. You can set the load balancing method as required, i.e. round robin.

 

Not sure what you mean by https://lbVIP/server01 or https://lbVIP/Server02. If you tried to browse to that you would end up looking for the virtual directory server01 or server02 on whichever server you are load balanced to.

Link to comment
Share on other sites

If you are load balancing to server1 and server2, then you have a load balancing config.

 

If you are trying to change request URL paths to indicate which server you are going to, then you may be doing rewrites and/or content switching. This would require a little bit more info on what determines which server traffic is being directed to or why you need the server name inserted into the path (there might be a better way to solve this problem that still relies on load balancing as opposed to content switching and/or rewrites).

 

If you can clarify your requirements we can give you a better answer.

Link to comment
Share on other sites

If you wish to loadbalance, and then as a result of which backend service is selected, do a differential rewrite - then this will NOT work.... because the rewrite decision is taken BEFORE the loadbalancing decision is taken.

 

The only way around this is to use a content switch to do some sort of load-balancing.... the CS decision happens before the rewrite, so you bind a different rewrite policy to the 2 bound loadbalancers

Link to comment
Share on other sites

  • 1 month later...

Hi Folks,

 

We have 2 servers : Server01 and Server02

 

We need to create a NetScaler VIP that can send traffic to either, depending upon what the user requests in the URL.

 

If the user types the URL https://VIP/server01 then traffic will go to the first server. If the URL is https://VIP/server02 then traffic should go to the second server.

Link to comment
Share on other sites

Are there other requests that won't contain /server01 or /server02, or will every request contain these values?

 

Your best bet would be content switching, but there is a slight chance you could do something like token load balancing or use a customserverid based on the path. But I'd do the content switching first as it is more flexible.

 

Here's a basic example

# prep the lb tier...

add service svc_server1 http <ip1> 80

add service svc_server2 http <ip2> 80

add lb vserver lb_vsrv_s1 http 0.0.0.0 0

bind lb vserver lb_vsrv_s1 svc_server1

add lb vserver lb_vsrv_s2 http 0.0.0.0 0

bind lb vserver lb_vsrv_s2 svc_server2

 

# create cs vserver and policies

add cs vserver cs_vsrv_demo http <vip1> 80

# there are multiple ways to create cs policies with or without actions, I'm just going for a simple method here

add cs policy cs_pol_toserver1 -rule "http.req.url.path.set_text_mode(ignorecase).startswith(\"/server01\")"

add cs policy cs_pol_toserver2 -rule "http.req.url.path.set_text_mode(ignorecase).startswith(\"/server02\")"

# each policy is bound with a priority to its own target lb vserver

bind cs vserver cs_vsrv_demo -policyName cs_pol_toserver1 -targetLBVserver lb_vsrv_s1 -priority 100

bind cs vserver cs_vsrv_demo -policyName cs_pol_toserver2 -targetLBVserver lb_vsrv_s2 -priority 110

bind cs vserver cs_vsrv_demo -lbvserver <set default lb vserver for other traffic> # this lb vserver not created above

 

Link to comment
Share on other sites
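A small model of the path-based content-switching decision from the post above, added here as an illustration; it is not part of the original thread and is not NetScaler code. The default vserver name and the bind priorities are assumptions, and the comparison of prefix matching with an exact first-segment match goes beyond what the post shows.

```python
from urllib.parse import urlsplit

# Assumed name: the post leaves the default lb vserver unspecified.
DEFAULT_LB = "lb_vsrv_default"

# (priority, policy, path token, target lb vserver); priorities are assumed.
POLICIES = [
    (100, "cs_pol_toserver1", "/server01", "lb_vsrv_s1"),
    (110, "cs_pol_toserver2", "/server02", "lb_vsrv_s2"),
]


def select_by_prefix(url, policies=POLICIES):
    """First match wins, lowest priority first; case-insensitive prefix test
    on the path, as in the post's policy rules."""
    path = urlsplit(url).path.lower()
    for _prio, _name, token, target in sorted(policies):
        if path.startswith(token):
            return target
    return DEFAULT_LB


def select_by_segment(url, policies=POLICIES):
    """Stricter variant: the first path segment must equal the token exactly,
    so /server010 is not treated as /server01."""
    parts = urlsplit(url).path.lower().split("/")
    first = parts[1] if len(parts) > 1 else ""
    for _prio, _name, token, target in sorted(policies):
        if first == token.strip("/"):
            return target
    return DEFAULT_LB


# Constructed sample requests.
SAMPLE_URLS = [
    "https://VIP/server01/app",
    "https://VIP/Server02",
    "https://VIP/server010/admin",  # shares the /server01 prefix
    "https://VIP/other",
]


def compare(urls=SAMPLE_URLS):
    """Map each URL to (prefix decision, segment decision)."""
    return {u: (select_by_prefix(u), select_by_segment(u)) for u in urls}


if __name__ == "__main__":
    for url, (by_prefix, by_segment) in compare().items():
        print(f"{url:32} prefix={by_prefix:16} segment={by_segment}")
```

With a prefix rule, a path such as /server010/admin is switched to the server01 backend; the segment comparison sends it to the default vserver instead.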

Sorry Rowland but that is NOT as requested a reverse proxy by definition. It will work but connections are going directly to the backend servers without actually proxying them!

 

He needs to create two LBs in reverse mode and then create a reverse cache redirection vserver. Next create map policies and cache policies and bind them to the cache redirection vserver, and it will then act as a reverse proxy.

Link to comment
Share on other sites

The traffic goes via the CS vserver to the lb vservers which direct to specific services.  There is NO direct connection to backend.  As clients connect to CS vserver VIP and the NS directs traffic to backend as man in the middle.    (Admittedly, I used HTTP in the example, because it was just a basic outline. Change it to SSL:443 and add a cert and you have SSL handling on the cs/lb/services.)

See here:  https://discussions.citrix.com/topic/402138-netscaler-reverse-proxy/

Client --> cs vip --> lb vserver || <snip> --> <destination server>

 

But if that's still not what you are going for; sorry for the misunderstanding. Feel free to try to clarify what traffic flow you want in your reverse proxy and I'm sure someone can try to give you a better answer.  If you need path or URL rewrites too, that is something separate but can be added on.

Link to comment
Share on other sites

A CS doesn't just forward traffic. In the example Rhonda gave the client connection is terminated at the NetScaler. At this point if it was an SSL VIP then the NetScaler would perform SSL Offload and decrypt the traffic, then any policies bound to the CS would be evaluated. These policies could include AppExpert, Authentication, etc. Once traffic has been directed to the appropriate LB the NetScaler would then open its own connection from its SNIP to the backend service.

 

If you set up a reverse proxy and the virtual server was configured to use SSL_Bridge that would just send the data straight to the backend servers, but that's not what's happening.

 

I see no requirement in the original post that would require a cache redirection server.

Link to comment
Share on other sites

Guys, relax, I don't care about fine details and sure you can terminate with SSL offload. SSL_Bridge is not required, I just left a customer where I have actually configured that.

 

Anyway, he asked "We have a request to create a reverse proxy" and there are things you can only do with a reverse proxy and not with a CS, but only he knows the requirements.

Link to comment
Share on other sites

  • 1 month later...

According to Wikipedia (and which echoes the description on many other sites):

"In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the proxy server itself. Unlike a forward proxy, which is an intermediary for its associated clients to contact any server, a reverse proxy is an intermediary for its associated servers to be contacted by any client. In other words, a proxy acts on behalf of the client(s), while a reverse proxy acts on behalf of the server(s)."

 

A Content-Switching VServer absolutely meets that description, just as a Load-Balancing Vserver does. 

 

A proxy implies two separate (usually TCP) connections, one client-side, one server-side, and we have that here. Yes, Netscaler can also do loads of additional clever stuff, but when you LB or CS, it's a reverse proxy.

 

(Netscaler ALSO has the ability (different feature!) to support NAT. That is a 1-to-1 mapping of incoming connection to server, and it is NOT a proxy.)

 

What "things" does your client claim that a "reverse proxy" can do, that the CS can not?

Link to comment
Share on other sites

Title of this thread: "NetScaler - Reverse Proxy"

 

Configure reverse proxy redirection

https://docs.citrix.com/en-us/citrix-adc/13/citrix-adc-cache-redirection-gen-wrapper-10-con/cache-redirection-config/configure-reverse-proxy-redirection.html

 

Again, I didn't say you cannot do it with LB/CS and would be a proxy for the backend.
