Blogging Techstacks

One of the big new features introduced with Apache 2.2, and one that is still not too well documented yet, is all the work that has gone into mod_proxy. Starting with Apache 2.2, we now have a replacement for mod_jk that is built in to Apache and we can also load-balance upstream application servers (or web servers) using mod_proxy_balancer. On May 19th, 2009, SpringSource will be holding a Webinar titled "Secrets of Apache 2.2 Reverse Proxy", which I definitely plan on attending. The link will take you to their main Webinar page where you can register.

Let me begin by saying that there has to be an extremely good reason for needing to do this because Disabling SSLv2 has been a best practice for a while now. But, if you are in the middle of migrating SSL termination from some older sites to a BigIP LTM and there are reports that older clients can no longer connect to a site and you can't convince your business partners that keeping SSLv2 disabled post-migration is a good thing, then enabling SSLv2 on a VIP managed by your BigIP is surprisingly easy.

The first thing to do is realize that in the technology world we live in, not only do we have multiple words and phrases that mean the same thing (i.e. "session persistence", "session affinity", "sticky sessions") but we also have common words and phrases that have different meaning depending upon the product or technology, (i.e. "cluster").

Take, for example, the word "ALL" when used in the context of SSL. In the Apache web server world, "ALL" means SSLv2, SSLv3, and TLSv1. In the BigIP world, "ALL" means SSLv3 and TLSv1. To enable sslv2 on your apache servers, you do nothing. The default behavior for SSLProtocol All means "all". To enable SSLv2 on a particular VIP in your BigIP, you edit the SSL Client Profile for that site and change Ciphers from Default to ALL:SSLv2. If you have followed my advice from a previous post on disabling sslv2 and weak ciphers on a bigip, you'll change ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW to ALL:!ADH:SSLv2:!EXPORT40:!EXP:!LOW (removing the exclamation point in front of SSLv2). This will enable SSLv2 but still keep those weak and null ciphers disabled.

Similar to the HTTP HEAD example from a few days ago, this script uses the Groovy HTTP Builder module to do a basic HTTP GET on a web page and does some very basic HTML parsing to display the title (to prove that it worked).

#!/usr/bin/env groovy
//USAGE: pretty straightforward--just run ./httpGetTest.groovy $URL
import groovyx.net.http.HTTPBuilder
import static groovyx.net.http.Method.GET
import static groovyx.net.http.ContentType.HTML

// create a new builder
def http = new HTTPBuilder( args[0] )
  http.request(GET,HTML) { req ->
    headers.'User-Agent' = 'GroovyHTTPBuilderTest/1.0'
    headers.'Referer' = 'http://blog.techstacks.com/'

// Switch to Java to set socket timeout
    req.getParams().setParameter("http.socket.timeout", new Integer(5000))

// Back to Groovy
  response.success = { resp, html ->
  println "Server Response: ${resp.statusLine}"
  println "Server Type: ${resp.getFirstHeader('Server')}"
  println "Title: ${html.HEAD.TITLE.text()}"
  }
  response.failure = { resp ->
    println resp.statusLine
  }
}

This script also highlights some of the mixing of java and groovy one can do within the same piece of code. Setting HTTP Client Parameters currently can only be done in Java. The code that sets the socket-timeout to 5 seconds above is java, the rest of the script is groovy.

This script and the previously posted HEAD sample will be modified further over the course of the next few weeks as I add some additional functionality and figure out how to better handle exceptions.