ACE URL Redirects

Sometimes a web application’s virtual directory changes. If you have many rservers behind your load balancer, each one would need a configuration change to send the redirect. In that case it’s easier to configure the redirect on the ACE itself rather than on each rserver’s web server (IIS, Apache, etc.).

So let’s say your website is http://site.domain.com/oldsite and the application team has built a new app and wants everyone redirected to http://site.domain.com/newsite

First you need to define the redirect:

rserver redirect REDIRECT1
  webhost-redirection http://%h/newsite 301
  inservice

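The %h above inserts the Host header from the request, which in our case would be site.domain.com. You can also use %p, which inserts the full URL path string from the request; most likely this won’t be the one you use. Because %h is copied from the client’s request, the redirect target reflects whatever Host header was sent; if the site answers on a single name, you can put that literal hostname in the URL instead.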

  • %h—Inserts the hostname from the request Host header
  • %p—Inserts the URL path string from the request

The 301 means the resource has been moved permanently. If it’s just a temporary change, you can use 302. Sometimes admins just use 302 because it’s the default.

  • 301—The requested resource has been moved permanently. For future references to this resource, the client should use one of the returned URLs.
  • 302—(Default) The requested resource has been found but has been moved temporarily to another location. For future references to this resource, the client should continue to use the request URI because the resource may be moved to other locations occasionally.

Now your redirection rule is configured. You need to assign it to a serverfarm. Instead of a host serverfarm, you want to define a redirect serverfarm.

serverfarm redirect FARM-REDIRECT
  rserver REDIRECT1
    inservice

So you’ve got a serverfarm and an rserver redirection configuration. Now it’s time to define the class-map that will match the virtual directory the user requests.

In our example the user is going to /oldsite. In many cases you already have this match configured, since we are redirecting away from a path that is already in service.

class-map type http loadbalance match-any CLASS-MAP-APPS
  5 match http url /oldsite.*
  6 match http url /hello.*
  7 match http url /osiris.*

So we want to write a new classmap that will match only the virtual directory we want users to be redirected from. This way we don’t mess up any of the current virtual-directory matches we have defined.

class-map type http loadbalance match-any CLASS-MAP-REDIRECT
  5 match http url /oldsite.*

Now we’re pretty much ready to go. Add the new class-map to your policy-map:

policy-map type loadbalance first-match MY-POLICY
  class CLASS-MAP-APPS
    serverfarm FARM-APPS
  class CLASS-MAP-REDIRECT
    serverfarm FARM-REDIRECT

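Now everything is configured for the new redirection, BUT the old class-map match for the virtual directory is still there. Because the policy-map is first-match and CLASS-MAP-APPS is listed first, requests for /oldsite keep going to FARM-APPS until that match is removed. Removing it makes the redirect take effect immediately.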

class-map type http loadbalance match-any CLASS-MAP-APPS
  no 5 match http url /oldsite.*

Now test your site! I like to use Chrome with its developer tools to capture each request. You should see the initial request answered with a 301, then the request for the new site.
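
The ordering issue described above, as an added example that is not part of the original post or of ACE itself: a small Python model of the page's class-maps and first-match policy-map, showing which serverfarm answers /oldsite before and after the old match is removed, and that %h reflects the request's Host header. The function names and the whole-path matching rule are assumptions of the model.

```python
import re

REDIRECT_URL = "http://%h/newsite"  # webhost-redirection string from the page

def build_config(apps_matches_oldsite):
    """Constructed model of the page's class-maps and first-match policy-map."""
    apps = ["/hello.*", "/osiris.*"]
    if apps_matches_oldsite:          # state before "no 5 match http url /oldsite.*"
        apps.insert(0, "/oldsite.*")
    class_maps = {
        "CLASS-MAP-APPS": apps,
        "CLASS-MAP-REDIRECT": ["/oldsite.*"],
    }
    policy = [                        # order as entered under MY-POLICY
        ("CLASS-MAP-APPS", "FARM-APPS"),
        ("CLASS-MAP-REDIRECT", "FARM-REDIRECT"),
    ]
    return class_maps, policy

def select_farm(path, class_maps, policy):
    """first-match: the first class with any matching URL expression wins."""
    for class_name, farm in policy:
        # Assumption: the expression must cover the whole path (re.fullmatch).
        if any(re.fullmatch(expr, path) for expr in class_maps[class_name]):
            return farm
    return None

def respond(host_header, path, class_maps, policy):
    """Return (status, Location) for redirected requests, else the farm name."""
    farm = select_farm(path, class_maps, policy)
    if farm == "FARM-REDIRECT":
        # %h is filled from the request's Host header, whatever it contains.
        return 301, REDIRECT_URL.replace("%h", host_header)
    return farm

if __name__ == "__main__":
    for removed in (False, True):
        cm, pol = build_config(apps_matches_oldsite=not removed)
        print("old match removed:", removed, "->",
              respond("site.domain.com", "/oldsite/index.html", cm, pol))
```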


URL Rewrite for SSL Termination

Let’s say you are planning on doing SSL termination on your ACE load balancer. This means the SSL transactions are handled by the front end of the ACE instead of your server. Offloading SSL processing to the ACE speeds things up considerably for the backend servers.

In most cases your applications will have at least a few redirects written into them. If your backend server is using cleartext (http) only, the redirects will begin with http://, directing your users to a port that isn’t listening externally. The ACE can look for these redirects and rewrite them to use https:// instead.

Here’s how:

action-list type modify http REWRITE
   ssl url rewrite location "website\.domain\.com"

This will take any redirects sent from your server on http://website.domain.com and change them to https://website.domain.com.

Once you have your rewrite action list written, all you have to do is assign it to a class in your load-balancing policy-map.

class MyClass
   serverfarm MyServerfarm
   action REWRITE
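
An added example, not from the original post or Cisco's code: a simplified Python model of the Location rewrite, useful for checking a list of captured backend redirects for any that would still send clients to http:// because their hostname does not match the expression. It assumes only 301/302 responses on the default cleartext port are rewritten; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, urlunsplit

REWRITE_HOST = r"website\.domain\.com"  # expression from the action-list above

def rewrite_location(status, location, host_regex=REWRITE_HOST):
    """Return the Location header as the client would see it (simplified model)."""
    if status not in (301, 302) or location is None:
        return location
    parts = urlsplit(location)
    if parts.scheme != "http" or parts.hostname is None:
        return location               # relative redirect or already https
    if parts.port not in (None, 80):
        return location               # model covers the default clear port only
    if not re.fullmatch(host_regex, parts.hostname):
        return location               # hostname outside the rewrite expression
    return urlunsplit(("https", parts.hostname, parts.path,
                       parts.query, parts.fragment))

def cleartext_redirects(responses, host_regex=REWRITE_HOST):
    """List redirect targets that still point at http:// after the rewrite."""
    leaks = []
    for status, location in responses:
        seen_by_client = rewrite_location(status, location, host_regex)
        if seen_by_client and seen_by_client.startswith("http://"):
            leaks.append(seen_by_client)
    return leaks

# Constructed sample of (status, Location) pairs as sent by the backend.
SAMPLE = [
    (302, "http://website.domain.com/login?next=/a"),
    (301, "http://www.domain.com/app"),
    (302, "/relative/path"),
    (302, "https://website.domain.com/ok"),
    (200, None),
]

if __name__ == "__main__":
    for status, loc in SAMPLE:
        print(status, loc, "->", rewrite_location(status, loc))
    print("still cleartext:", cleartext_redirects(SAMPLE))
```

Any hostname reported as still cleartext needs its own rewrite expression or a broader one.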

How to create an SSL Monitoring Server

If you have SSL certificates on many servers across the network it can sometimes be difficult to manage expiration dates for all the certs. There is a UNIX utility called “ssl-cert-check” that can scan servers on any port and notify you if they are near expiration.
This how-to is based on Cygwin instead of a *nix distro. The steps should be the same, but there may be some differences.
1. Install Cygwin (skip to step 3 if you are running a Linux host)
2. Download from the Cygwin website and make sure OpenSSL, mail, cygrunsrv, cron and vim are installed.
3. Once Cygwin is installed you need to download the ssl-cert-check script. The download is plain HTTP, so read the script over before making it executable.
  $ wget http://prefetch.net/code/ssl-cert-check
  $ chmod 775 ssl-cert-check
  $ mv ssl-cert-check /bin
4. Test that the tool is working
  $ cd /bin
  $ ssl-cert-check -s x.x.x.x -p 443
5. Once you know the tool is working you can start customizing it to fit your needs. I needed to scan a large group of servers on port 443 and email me if any of them were within 14 days of expiring.
6. I created a text file with the hosts that I needed to scan and the ports that certificates were bound to.
  $ vi ssl-servers

  www.server.com 443
  192.168.0.22 443
  example.com 443
8. Once you have the file you can use ssl-cert-check to scan using the file. Test to make sure the file is working.
$ ssl-cert-check -i -f ssl-servers
Host                                Issuer            Status   Expires     Days Left
----------------------------------- ----------------- -------- ----------- ---------
www.server.com:443                  Comodo Limited    Valid    May 23 2012 218
192.168.0.22:443                    Equifax Secure In Valid    Jun 20 2012 246
example.com:443                     Thawte Consulting Valid    Jun 7 2012  233
9. Now that I know that I can scan against a list of servers, I want to be notified by email.
10. I want to test to make sure that email is installed and that my host can send out an email properly.
$ cd /usr/bin
$ mail -f MYSERVER@domain.com -s Test -r MAILSERVER user.name@domain.com
11. In order for Cygwin to be able to automatically send emails you need to modify a few things. First create a symbolic link pointing to the proper mail binary.
$ ln -s /bin/mail /usr/lib/sendmail
12. Then you need to modify the mail config file. Make sure the proper SMTP server and port are uncommented. Then add a name and email to send FROM.
$ vi /etc/email/email.conf
############################################################
# SMTP Server and Port number you use
############################################################
 SMTP_SERVER = '192.168.0.50'
 SMTP_PORT = '25'

############################################################
# If you'd rather use sendmail binary, specify it and the
# command line switches to use, here.  If you have both
# this option and SMTP_SERVER set, SMTP_SERVER will be of
# higher priority than SENDMAIL.
############################################################
SENDMAIL_BIN = '/usr/lib/sendmail -t -i'

############################################################
# Your email address: If you'd like To have your name to
# show in the from field instead of just your email address,
# then keep the format below and edit it to your email
# and name.
############################################################
MY_NAME  = 'SSL Monitoring Tool'
MY_EMAIL = 'server@domain.com'
13. Once your email configuration is finished you can test the following command, which checks a list of servers and emails the address you specify if a cert is due to expire within 60 days.
$ ssl-cert-check -a -f ssl-servers -q -x 60 -e user@domain.com
14. Install cron as a service. First right-click the Cygwin icon on the desktop and select “Run as Administrator”, then run:
$ cron-config
$ yes|ntsec smbntsec|no|enter password
15. Once cron is installed you can modify the cron tasks by running crontab -e at the command prompt
NOTE: If it’s a Windows 2008 server, chances are you might have trouble installing the cron service. If this is the case you can run any Cygwin task from the built-in Windows Scheduler service. Just save your command as a batch file and schedule it. E.g.
C:\Cygwin\bin\bash -c "./ssl-cert-check -a -q -f /bin/ssl-servers -x 14 -e userk@domain.com"
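
An added example, not part of the original post or of ssl-cert-check: a Python parser for the report format shown in step 8 that recomputes days left from the Expires column, so a saved report can be re-evaluated on a later date. The function names are hypothetical, and the report text is the sample output from this page.

```python
from datetime import date, datetime

# Report copied from the page's step 8 output.
REPORT = """\
Host                                Issuer            Status   Expires     Days Left
----------------------------------- ----------------- -------- ----------- ---------
www.server.com:443                  Comodo Limited    Valid    May 23 2012 218
192.168.0.22:443                    Equifax Secure In Valid    Jun 20 2012 246
example.com:443                     Thawte Consulting Valid    Jun 7 2012  233
"""

def parse_report(text):
    """Parse report rows into dicts; the header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows end with an integer day count (possibly negative).
        if len(fields) < 6 or not fields[-1].lstrip("-").isdigit():
            continue
        # Issuer may contain spaces, so read the fixed fields from the right.
        expires = datetime.strptime(" ".join(fields[-4:-1]), "%b %d %Y").date()
        rows.append({
            "host": fields[0],
            "issuer": " ".join(fields[1:-5]),
            "status": fields[-5],
            "expires": expires,
            "reported_days": int(fields[-1]),
        })
    return rows

def expiring(text, threshold_days, today):
    """Return (host, days_left) for rows not Valid or within the threshold."""
    flagged = []
    for row in parse_report(text):
        days_left = (row["expires"] - today).days
        if row["status"] != "Valid" or days_left <= threshold_days:
            flagged.append((row["host"], days_left))
    return sorted(flagged, key=lambda item: item[1])

if __name__ == "__main__":
    # Re-evaluate the saved report against a 14-day threshold as of today.
    print(expiring(REPORT, 14, date.today()))
```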

MS Access – Open a Report fed by a Combo Box

Most administrators want or have a huge database with all the systems/equipment that they manage. There are a few tricks I have learned over the years for a variety of tasks in Access; this is one of them.
This code allows you to open a report by clicking on a button fed by a combo box. The user selects something, clicks a button and gets a report based on what they picked.

Code

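Private Sub openReport_Click()
    ' Require a selection before opening the report
    If IsNull(Me.Combo0) Then
        MsgBox "Please select a server."
        Me.Combo0.SetFocus
    Else
        ' Open the report in preview, filtered to the selected device.
        ' Chr(34) wraps the text value in double quotes.
        DoCmd.OpenReport "Software Installed per Device", _
            acViewPreview, _
            WhereCondition:="devices_name=" & _
            Chr(34) & Me.Combo0 & Chr(34)
    End If
End Sub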

Explanation

If it’s a combo box, so only one item can be selected, the code for the button’s Click event procedure would look something like this:
Private Sub cmdReport_Click()
    If IsNull(Me.cboYourComboBox) Then
        MsgBox "Please select something first."
        Me.cboYourComboBox.SetFocus
    Else
        DoCmd.OpenReport "rptYourReport", _
            acViewPreview, _
            WhereCondition:="SomeField=" & Me.cboYourComboBox
    End If
End Sub
In the above:
  • cmdReport = the name of your button
  • cboYourComboBox = the name of your combo box
  • rptYourReport = the name of the report
  • SomeField = the name of the field (in the report’s recordsource) that you want to filter by
The above code assumes that the field (“SomeField”) is a numeric field. If it’s a text field, then the code needs to be modified to wrap the value of the combo box in quotes:
WhereCondition:="SomeField=" & Chr(34) & Me.cboYourComboBox & Chr(34)

Disk Alignment (Server 2003)

Windows 2003 does not align MBR disks with most SAN subsystems by default. This will cause extra I/O operations, decreasing performance. To reduce extra I/O it is best to align the disk prior to using it. The following example is provided for EMC storage, but it will work for most other vendors as well.
Windows 2008 servers are aligned by default, so you can skip this if you are using Server 2008.
To align the disk you need to use the “diskpart” utility.
Open a command window and run diskpart
C:\>diskpart
List the disks so you can find the one you need to align. Look for the size of the disk you just mounted.
DISKPART> list disk
Select the blank disk that you need to align
DISKPART> Select disk x
If the disk will be greater than 2TB you need to make it a GPT disk. Do this in Diskpart:
DISKPART> convert gpt
Align the disk by creating a partition with an offset.
DISKPART> create partition primary align=1024
Once the disk is aligned you can format the disk. If it is a SQL drive, the best practice unit size is 64k (vs. the default of 4096 bytes)