2010年05月22日

�T�[�o�[���̃l�b�g���[�N�ɕύX��������IPv6�̃g���t�B�b�N���󂯕t������ -2/2-

�O���BIG-IP���M�Ǝ��ӂ̃f�o�C�X��IPv6�ŒʐM�ł���悤�ɐݒ�����܂������A�����BIG-IP�ŊǗ������g���t�B�b�N�Ɋւ���ݒ���s���܂��B�����ł͒P��VS(Virtual Server)��ݒ肷�邾���Ȃ̂œ���b�ł͂���܂���B

����̐ݒ�̊m�F


���݂�VS��Pool�̐ݒ�͈ȉ��̂悤�ɂȂ��Ă��܂��B
root@cookbook(Active)(tmos)# list ltm virtual
ltm virtual HTTP-VS-IPv4 {
destination 10.10.88.21:http
ip-protocol tcp
mask 255.255.255.255
pool http-pool1
profiles {
http { }
tcp { }
}
}
root@cookbook(Active)(tmos)# list ltm pool http-pool1
ltm pool http-pool1 {
members {
10.10.40.40:http {
session monitor-enabled
}
10.10.40.41:http {
session monitor-enabled
}
}
monitor gateway_icmp
}

Pool�����L�������̂ŁA����http-pool1��V�������VS�Ɋ֘A�Â��邱�Ƃɂ��܂��B

�ݒ�


���‚����ł����A1��VS���쐬���邾���Ȃ̂ŃR�}���h��‚ōς�ł��܂��܂��B
root@cookbook2(Active)(tmos)# create ltm virtual HTTP-VS-IPv6 { destination fd00:10:10:88::21.http ip-protocol tcp mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff pool http-pool1 profiles add { http { } tcp { } } }

�m�F���܂��傤
root@cookbook(Active)(tmos)# list ltm virtual
ltm virtual HTTP-VS-IPv4 {
destination 10.10.88.21:http
ip-protocol tcp
mask 255.255.255.255
pool http-pool1
profiles {
http { }
tcp { }
}
}
ltm virtual HTTP-VS-IPv6 {
destination fd00:10:10:88::21.http
ip-protocol tcp
pool http-pool1
profiles {
http { }
tcp { }
}
}


�a�ʊm�F


�O���Windows�̃N���C�A���g���g�p���܂������A�X�N���[���V���b�g�����̂��ʓ|�Ȃ̂ō����Linux�̃N���C�A���g��p�ӂ��܂����B���̃N���C�A���g����a�ʊm�F���s���܂��B
$ curl -g http://[fd00:10:10:88::21]/env.php



Destination IP Address:Port -> 10.10.40.41:80
Source IP Address:Port -> 10.10.40.254:56801
X-Forwarded-For ->


Source IP Address��10.10.40.254��BIG-IP���g��internal VLAN�ɐݒ肳��Ă���floating address�ł��BVS�ɂ�SNAT�̐ݒ肪�s���Ă��܂��񂪁Av6/v4�̕ϊ���VS�ōs���ꍇ��SNAT�������I�ɐݒ肳��Ă��Ȃ��ꍇ�͎����I��SNAT Automap���ݒ肳��Ă���̂Ɠ������������܂��B

�g���t�B�b�N�����Ȃ��ꍇ�͂���ł����̂ł����A��‚�IP�A�h���X�Ŏg�p�”\�ȃ|�[�g�ԍ��ɂ͌��肪���邽�ߓ����ڑ����������ꍇ�ɂ͕�����SNAT�A�h���X��p�ӂ���K�v������܂��B�܂��A�N���C�A���g�̃\�[�XIP�A�h���X���T�[�o�[�Œm�肽���P�[�X������Ǝv���̂ł���ɂ��Ώ����܂��B

SNAT Pool�̗��p


v6�Ɍ���Ȃ��b�ł����ABIG-IP��SNAT������Ƃ��ɂ͑O�q�̒ʂ�|�[�g�ԍ��̌͊��ɒ��ӂ���K�v������܂��BAutomap�ł͒P��IP�A�h���X���g�p����̂ŁASNAT Pool���g�p���ĕ����̃A�h���X���g�p�”\�ɂ��܂��B�����internal VLAN�̃Z�O�����g��IP�A�h���X3�‚�SNAT�p�ɂ��܂��B
root@cookbook(Active)(tmos)# create ltm snatpool internalSNATPool members add { 10.10.40.201 10.10.40.202 10.10.40.203 }

������쐬����VS�Ɋ֘A�t���܂��B
root@cookbook(Active)(tmos)# modify ltm virtual HTTP-VS-IPv6 snatpool internalSNATPool


X-Forwarded-For�w�b�_�̗��p


BIG-IP�Ńg���t�B�b�N����������Ƃ��ɁA�ȑO��SSL�̂Ƃ��Ɠ��l�Ƀw�b�_��}�����܂��B�����X-Forwarded-For�w�b�_���g�p���܂��B���̃w�b�_�̑}����HTTP Profile�Œ�`�”\�Ȃ̂ŁA�V����HTTP Profile���쐬���Ă����VS�Ɋ֘A�t���܂��B
root@cookbook(Active)(tmos)# create ltm profile http http1 insert-xforwarded-for enabled 
root@cookbook(Active)(tmos)# modify ltm virtual HTTP-VS-IPv6 profiles replace-all-with { http1 { } }
root@cookbook(Active)(tmos)# list ltm virtual HTTP-VS-IPv6
ltm virtual HTTP-VS-IPv6 {
destination fd00:10:10:88::21.http
ip-protocol tcp
pool http-pool1
profiles {
http1 { }
tcp { }
}
snatpool internalSNATPool
}


�a�ʊm�F


$ curl -g http://[fd00:10:10:88::21]/env.php



Destination IP Address:Port -> 10.10.40.41:80
Source IP Address:Port -> 10.10.40.201:46568
X-Forwarded-For -> fd00:10:20::20

�T�[�o�[���̃l�b�g���[�N�ɕύX��������IPv6�̃g���t�B�b�N���󂯕t������ -1/2-

IPv4�ʼn^�p���Ă���V�X�e����IPv6�ł��g�������ꍇ�ABIG-IP����т��̏�ʂ̃��[�^�[����IPv6�̐ݒ��lj�����ƃT�[�o�[���ɕύX��������IPv6�̃��N�G�X�g���󂯂ď����������邱�Ƃ��ł��܂��B

����̍\��


���Ƃ��Έȉ��̂悤�ȍ\���ɂȂ��Ă�����̂Ƃ��܂��B
v4only.png
���Ȃ݂ɂł����A���̊‹���BIG-IP���܂ߑS������̕����T�[�o�[�œ��삵�Ă��܂��BBIG-IP�͍ŋ߃_�E�����[�h���”\�ɂȂ���VE���g�p���Ă��܂��B

IPv6����ꂽ�\��


v4v6.png
�ȒP�ɂ��邽�߃��[�^�[�ƃN���C�A���g��Dual Stack�ɂ��Ă��܂��B���RBIG-IP��Dual Stack�ł��B

�菇


���ꃋ�[�^�[���g�p���邽�߁AL1L2�̐ݒ��\���͉���•ς�炸�AL3�̐ݒ�����Ă����čŌ��VS(Virtual Server)�̐ݒ������Ί������܂��B

  1. ���[�^�[�ƃN���C�A���g�̐ݒ�m�F
    • �N���C�A���g�̐ݒ�
      �N���C�A���g��Windows7�ł͈ȉ��̂悤�ɃA�h���X��ݒ肵�܂����B�f�t�H���g�Q�[�g�E�F�C�̓��[�^�[�̃����N���[�J���A�h���X�ɂ��Ă��܂��B
      windowsIF.jpg
    • ���[�^�[�̐ݒ�
      LInux�ō\�����Ă��郋�[�^�[�͈ȉ��̂悤�Ȑݒ�ɂȂ��Ă��܂�

      $ ip ad show  dev eth3
      5: eth3: mtu 1500 qdisc pfifo_fast state UP qlen 1000
      link/ether 00:0c:29:96:70:d7 brd ff:ff:ff:ff:ff:ff
      inet 10.20.0.254/24 brd 10.20.0.255 scope global eth3
      inet6 fd00:10:20::254/64 scope global
      valid_lft forever preferred_lft forever
      inet6 fe80::20c:29ff:fe96:70d7/64 scope link
      valid_lft forever preferred_lft forever
      $ ip ad show dev eth7
      9: eth7: mtu 1500 qdisc pfifo_fast state UP qlen 1000
      link/ether 00:0c:29:96:70:ff brd ff:ff:ff:ff:ff:ff
      inet 10.10.88.250/24 brd 10.10.88.255 scope global eth7
      inet6 fd00:10:10:88::250/64 scope global
      valid_lft forever preferred_lft forever
      inet6 fe80::20c:29ff:fe96:70ff/64 scope link
      valid_lft forever preferred_lft forever

  2. �a�ʊm�F
    �N���C�A���g���烋�[�^�[�܂ł̑a�ʊm�F�����܂��B
    Windows烋[^[܂łPING.jpg
  3. BIG-IP�̐ݒ�(Self)
    BIG-IP�̐ݒ�́A���ӂ̑��u�Ƃ̑a�ʂƂ����Ӗ��ł�SelfIP��ݒ肷�邾���Ȃ̂ŁA�ȉ��̒ʂ�ݒ肵�܂��B
    • �e���u��Self IP�̐ݒ�
      1���@
      root@cookbook(Standby)(tmos)# create net self fd00:10:10:88::252/64 vlan external 
      root@cookbook(Standby)(tmos)# create net self fd00:10:10:88::254/64 vlan external floating enabled unit 1
      2���@
      root@cookbook2(Active)(tmos)# create net self fd00:10:10:88::253/64 vlan external
      root@cookbook2(Active)(tmos)# create net self fd00:10:10:88::254/64 vlan external floating enabled unit 2

    • default gateway�̐ݒ�Ƃ��̐ݒ�̓���
      root@cookbook2(Active)(tmos)# create net route default-inet6 gw fe80::20c:29ff:fe96:70ff interface external
      root@cookbook2(Active)(tmos)# run sys config-sync


  4. �N���C�A���g����̑a�ʊm�F
    �ȉ��̂悤�ɂ��܂������܂����B
    ping2self.jpg

Self IP��Gateway��ݒ肷�邾����IPv6�̐ݒ肪�������܂����B
���ۂ̃g���t�B�b�N���󂯕t����ɂ�VS�̐ݒ肪�K�v�ł����A����ɂ‚��Ă͎��񏑂��܂��B

2010年05月10日

�N���C�A���g��HTTPS�ŃA�N�Z�X���Ă��邩�ǂ������T�[�o�Œm�肽��

HTTPS�̃T�[�r�X�ɂ�����BIG-IP��SSL���I�[���Ă���Ƃ��́ABIG-IP�ƃT�[�o�[�̊Ԃ̒ʐM��HTTP�ōs����̂ŁA�T�[�o�[��T�[�o�[�A�v���P�[�V�����ł̓N���C�A���g��SSL���g�p���ăA�N�Z�X���Ă��Ă��邩�ǂ������킩��Ȃ����߂ɃA�v���J��������l��������������Ƃ�����܂����ASSL�I�[���s�����Ƃɂ���Ă����‚��̃����b�g������܂��B

  • �ؖ���/���Ǘ��̏W����
    �T�[�o�[��SSL�������s�킹��ƁA�ؖ����X�V�̂Ƃ��ɃT�[�o�[�̑䐔���ؖ��������̃I�y���[�V�������������܂�
  • L7�g���t�B�b�N�Ǘ�
    �N���C�A���g/�T�[�o�[�Ԃ��Í�������Ă��܂��ƒ��Ԃɓ���f�o�C�X��L7�̏������ăg���t�B�b�N�Ǘ����ł��Ȃ��Ȃ�܂�)
  • TPS������̃R�X�g
    �����Ɍv�Z�������Ƃ͂���܂��񂪁ASSL��1�g�����U�N�V����������̏����R�X�g��BIG-IP�ŏI�[���������L���Ȃ��Ƃ������悤�ł�

�V�X�e���S�̂Ō����Ƃ��ɂǂ��炪�y���͏�������܂����ABIG-IP�ŏI�[����ꍇ��HTTPS��VirtualServer�Ŏ󂯂��g���t�B�b�N���T�[�o�[�ɓ]������ۂ�HTTP�w�b�_�[�ɂ���Ƃ킩����e�����Ă����Ηǂ��ł��傤�BX-Forwarded-For�̂悤�Ȏ�茈�߂�ꂽ�w�b�_�[���͖����悤�Ȃ̂ŁA�K���Ɍ��߂ăT�[�o�[/�A�v�������l�ɋ����Ă����܂��B�����"X-SSL: 1"�Ƃ����w�b�_�[�����Ă����܂��B

������s���ɂ�HTTP Profile���g�p���܂��B
�ȉ��A�ݒ�ł��B
root@cookbook(Active)(tmos)# list ltm profile http http1
ltm profile http http1 {
defaults-from http
header-insert "X-SSL: 1"
}

����Profile��VS�ɐݒ肵�܂��B
ltm virtual httpsVS {
destination 10.10.88.21:https
ip-protocol tcp
mask 255.255.255.255
pool httppool
profiles {
clientssl {
context clientside
}
http1 { }
tcp { }
}
snat automap
}

���Ȃ݂ɔ�r�p�ɐݒ肵��HTTP��VS���قړ����ݒ�ł��B
root@cookbook(Active)(tmos)# list ltm virtual httpVS
ltm virtual httpVS {
destination 10.10.88.21:http
ip-protocol tcp
mask 255.255.255.255
pool httppool
profiles {
http { }
tcp { }
}
snat automap
}

snat automap�͂��̌��؊‹��ŕK�v�Ȃ����ŁA�K�{�ł͂���܂���B
�܂��A�T�[�o�[���ł͊m�F�p�Ɋ‹��ϐ����o�͂���ȉ��̂悤�ȃv���O������p�ӂ��Ă��܂��B
# cat env_al.php
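<?php
// Diagnostic page: prints every $_SERVER entry as "KEY -> value", one per
// line, so the headers that reach the back-end server (for example the
// X-SSL header inserted by the HTTPS virtual server, or X-Forwarded-For)
// can be checked with curl.
//
// Entries prefixed HTTP_ are copied from the request headers. The page
// output shows both client-originated values (HTTP_USER_AGENT, HTTP_ACCEPT)
// and values added by the load balancer (HTTP_X_SSL), so any header the
// application relies on is only trustworthy if the load balancer strips or
// overwrites a client-supplied copy on every path to this pool.
// NOTE(review): confirm the plain-HTTP virtual server removes a
// client-supplied X-SSL header; if it does not, HTTP_X_SSL alone does not
// prove the request arrived over TLS.
//
// Serve as text/plain: the values echoed below are request-controlled and
// would otherwise be interpreted as HTML by a browser. The body itself is
// unchanged, so existing curl checks still see the same output.
header('Content-Type: text/plain; charset=UTF-8');

foreach ($_SERVER as $key => $val) {
    // One entry per line; array-valued entries (argv) print as "Array",
    // matching the original dump format.
    print "\n";
    print "$key -> ";
    print "$val";
}
print "\n\n\n";

?>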

����ł͊m�F���܂��傤�B�ŏ���HTTP��VS�ɃA�N�Z�X���Ă݂܂��B
$ curl http://10.10.88.21/env_al.php

HTTP_USER_AGENT -> curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.10
HTTP_HOST -> 10.10.88.21
HTTP_ACCEPT -> */*
PATH -> /usr/local/bin:/usr/bin:/bin
SERVER_SIGNATURE ->
Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch Server at 10.10.88.21 Port 80


SERVER_SOFTWARE -> Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch
SERVER_NAME -> 10.10.88.21
SERVER_ADDR -> 10.10.40.40
SERVER_PORT -> 80
REMOTE_ADDR -> 10.10.40.252
DOCUMENT_ROOT -> /var/www
SERVER_ADMIN -> webmaster@localhost
SCRIPT_FILENAME -> /var/www/env_al.php
REMOTE_PORT -> 57457
GATEWAY_INTERFACE -> CGI/1.1
SERVER_PROTOCOL -> HTTP/1.1
REQUEST_METHOD -> GET
QUERY_STRING ->
REQUEST_URI -> /env_al.php
SCRIPT_NAME -> /env_al.php
PHP_SELF -> /env_al.php
REQUEST_TIME -> 1273465320
argv -> Array
argc -> 0
����HTTPS��VS�ɃA�N�Z�X���Ă݂܂��B


$ curl -k https://10.10.88.21/env_al.php

HTTP_USER_AGENT -> curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.10
HTTP_HOST -> 10.10.88.21
HTTP_ACCEPT -> */*
HTTP_X_SSL -> 1
PATH -> /usr/local/bin:/usr/bin:/bin
SERVER_SIGNATURE ->
Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch Server at 10.10.88.21 Port 80


SERVER_SOFTWARE -> Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.5 with Suhosin-Patch
SERVER_NAME -> 10.10.88.21
SERVER_ADDR -> 10.10.40.40
SERVER_PORT -> 80
REMOTE_ADDR -> 10.10.40.252
DOCUMENT_ROOT -> /var/www
SERVER_ADMIN -> webmaster@localhost
SCRIPT_FILENAME -> /var/www/env_al.php
REMOTE_PORT -> 45476
GATEWAY_INTERFACE -> CGI/1.1
SERVER_PROTOCOL -> HTTP/1.1
REQUEST_METHOD -> GET
QUERY_STRING ->
REQUEST_URI -> /env_al.php
SCRIPT_NAME -> /env_al.php
PHP_SELF -> /env_al.php
REQUEST_TIME -> 1273465344
argv -> Array
argc -> 0

�������ݒ肵���w�b�_�[���T�[�o�[�ɓ͂����Ă邱�Ƃ��킩��܂����B�A�v���P�[�V�����ł͂�����g�p���ďꍇ�����������������邱�Ƃ��ł��܂��B

�]�k�ł����A���񂩂�͐���_�E�����[�h�”\�ɂȂ���TMOS 10.2���g�p���Ă��܂��B�ׂ��������͕ς��܂��񂪂��g���̃o�[�W�����Ɠ����I�y���[�V�������قȂ邱�Ƃ�����܂��̂ł����ӂ��������B
