| Real server protocol
Drop down list |
HTTP or HTTPS
|
| Real host
Input field |
Hostname or IP address of the web-server(s) Web Security Manager is proxying requests for.
|
| Port
Input |
The port number the real server is listening to.
|
| Role
Drop down list |
Define the servers role in the load balancing set.
|
| Status
Read only |
The status of the real server. enabled or disabled. |
| X (delete)
Button |
Mark the real server for deletion. The server will not be deleted until the button in the lower button bar is activated. |
| Real server CONNECT timeout (seconds)
Input field |
Max time to wait for connection to the backend web server to succeed.
|
| Real server SEND timeout
Input field |
Max time to wait for sending request to backend web server to complete.
|
| Real server READ timeout
input field |
Max time to wait for reading response from backend web server.
|
The load balancing settings control the behaviour of the Load Balancer.
| Web Security Manager COOKIE based session persistence
Check box |
When checked Web Security Manager will issue a cookie when a user first connects to the virtual host being proxied / load balanced. The cookie binds the session to the real server selected by the load balancer ensuring that the users session with the real server is not broken. This method requires that visitors have support for cookies enabled in their browser. Despite the name this feature works equally well with HTTPS and HTTP. |
| HEADER based session persistence
Check box |
When checked Web Security Manager will bind the user session to the real server based on a hash of a selected client request header. |
| Header
Input field |
The header to use for calculating load balancing hash when header based session persistence is selected.
|
| SOURCE IP based session persistence
Check box |
When checked Web Security Manager will bind the user session to the real server based on the visitors source IP. This method ensures that requests from visitors with cookie support disabled will be sent to the same server every time. To compensate for visitors changing IP address during the session (for instance because their requests are sent through different forward proxies) a mask is applied to the users source address (below). Applying a mask ensures that even if the users IP address changes the same server is selected. |
| IP mask:
Drop down list |
The mask to be applied to the visitors source ip address when calculating destination real server based on source hashing. The mask and resulting number of IP addresses within each "load balancing address chunk" is displayed in the drop down.
|
| Enable real server failover
Check box |
When checked Web Security Manager will attempt to redirect a request to another real server in case the real server to which the session is bound fails. Disabling real server failover only is effective when session persistence is enabled. If real server failover is disabled the user will receive an error message and the session will have to be restarted (usually by closing and restarting the browser). |
| Max real server failover attempts
Input field |
Maximum failover attempts in case a real server fails. This value defines how many times Web Security Manager should try other real servers in case a real server fails.
|
| Real server retry interval (seconds)
Input field |
Specifies for how long a failed real server should be kept in error state before trying to connect again.
|
Health checking checks the real (backend) servers for errors and availability. If a server is not responding correctly (as configured) it is disabled until it responds correctly again.
| Enable real server health checking
Check box |
Enable / disable health checking Default: <disabled> |
|||
| Request interval
Input field |
How often the health check daemon should check the server.
|
|||
| Request timeout
input field |
Max time to wait for real server to respond before marking the attempt as failed.
|
|||
| Error threshold Input field |
Specifies how many failed health checks should be recorded before the server is disabled.
|
|||
| Request method drop-down list |
What method should be used for health checking.
The HEAD method only checks the server response code. If the server returns 200 OK within the configured timeout the request is a success. The GET method validates the page the server returns using a checksum. If the content of the page has changed (compared to the stored checksum) the request is marked as failed.
|
|||
| Request
Input field |
The resource to request when health checking.
|
|||
| Force checksum re-generation
Check box |
When request method GET is selected, when settings are saved Web Security Manager request the configured resource on all real servers to calculate a checksum which will be stored for further health checking. If the checksum is not the same on all servers Web Security Manager will return an error and the new settings will not be saved. The checksum is only generated when things change, like when a new Request is configured or method is changed to GET. There can be situations though where it is desirable to have the checksum re-generated, for instance if the content of the request page has changed. If this option is checked the checksum will be re-generated. Default: <disabled> |
![[Note]](images/note.png)
These settings allows for inserting new headers with either a static value or with the value of different request variables.
| Enable insert request headers
Check box |
Enable/disable request headers insert. Default: <disabled> |
| Header
Input field |
The name of the request header to insert
|
| Value type
Drop down |
Specify the type of input entered in the value field.
|
| Value
Input field |
The value to insert in the new header field. Can be literal or variable.
|
The variables below can be inserted in a header and forwarded to the backend server.
- args
-
This variable is the GET parameters in request line, e.g. foo=123&bar=blahblah.
- cookie_COOKIE
-
The value of the cookie COOKIE, e.g. to forward the value of the cookie SESSID enter cookie_SESSID or cookie_sessid as match is case insensitive.
- hostname
-
Set to the hostname of the Web Security Manager node.
- http_HEADER
-
The value of the HTTP header HEADER when converted to lowercase and with dashes converted to underscores, e.g. User-Agent = http_user_agent, Referer = http_referer...
- remote_addr
-
The IP address of the client.
- remote_port
-
The port of the client.
- request_method
-
The method of request, usually GET or POST.
- request_uri
-
The original request URI as received from the client including the args.
- scheme
-
The HTTP scheme (i.e. http, https).
- server_name
-
The virtual host server name of the website proxy handling the request(i.e. www.alertlogic.com).
- server_port
-
The port of the server, to which the request arrived.
- server_protocol
-
The protocol of the request, e.g. HTTP/1.0 or HTTP/1.1.
- uri
-
The URI in the request without arguments, those are in the variable args.
These settings specify request time out, keep alive behavior. Also web application behavior is specified here.
| Add HTTP/1.1 VIA header information
Check box |
Enable/disable support for HTTP/1.1 VIA header sending information. Íf enabled, Web Security Manager will append the Via header in each forwarded request indicating to the backend server that the request if coming through a proxy server. Default: <disabled> |
| Proxy buffering enable Check box |
Proxy buffering. By default Web Security Manager buffers the response from the backend web server in order for the web server to be able to deliver the request as fast as possible no matter how slow the connection to the client is. This ensures that server resources will not be consumed by clients on slow connections. However, some applications are known to have problems with this behaviour, Comet applications for instance. To account for such problems disable proxy buffering. Default: <enabled> |
| Upstream SSL session reuse enable Check box |
SSL session reuse to backend servers. When Web Security Manager connects to a backend server over SSL, the server creates a session for that connection. This session
ID is sent as a part of the backend If the backend web server is configured to not support SSL session reuse pages will not load or not load correctly - typically stylesheets, images, javascript files, etc will not load. To account for such problems disable upstream SSL session reuse Default: <enabled> |