partial access to a page

Unanswered Question
Mar 14th, 2007

Hi All,

I have a scenario where external users can access a URL called http://www.sm.com but at the same time they cannot access http://www.sm.com/admin

Internal users can access any URL.

I am thinking of assigning 2 different VIPs and not opening the firewall for the VIP that belongs to the admin page. I have the following config:

service smweb01-80
  port 80
  keepalive frequency 10
  ip address 10.20.20.11
  keepalive type http
  keepalive port 80
  active

service smweb02-80
  port 80
  keepalive frequency 10
  keepalive type http
  keepalive port 80
  ip address 10.20.20.12
  active

content sm.com
  vip address 10.10.16.22
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 80
  active

content sm.com-admin
  vip address 10.10.16.23
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 80
  url "/admin/*"
  active


Will this work? I want to make sure that I am on the right track.


thanks,

mchockalingam Wed, 03/14/2007 - 21:26

I realized that the above config will not work. DNS cannot resolve a single URL to 2 different VIPs.

Is it possible to redirect to a dummy page based on the source IP? If the source IP is from the internal network, I would like to allow access to the admin page. If not, redirect them to a dummy page.

Syed Iftekhar Ahmed Thu, 03/15/2007 - 00:46
User Badges: Blue, 1500 points or more

An ACL on the CSS can be used to select a particular service from a content rule based on source IP:

acl 1
  clause 20 permit any destination content / prefer

Gilles Dufour Thu, 03/15/2007 - 01:37
User Badges: Cisco Employee

You should do something like this:

service unauthorized
  ip x.x.x.x
  port 80
  active

content sm.com
  vip address 10.10.16.22
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 80
  url "/*"
  active

content sm.com-admin
  vip address 10.10.16.22
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 80
  url "/admin/*"
  active

acl 1
  clause 10 permit any destination content
  clause 20 permit any any destination content prefer unauthorized
  clause 99 permit any any destination any
  apply all


Where service unauthorized would be a server with a page displaying an error message.

This could also be a redirect to a URL like http://www.sm.com/error.html

Gilles.

Gilles Dufour Wed, 06/06/2007 - 01:38
User Badges: Cisco Employee

For HTTPS, the CSS does not see the URL as it is encrypted. You can use an SSL module to decrypt the traffic if you have the server key and certificate, and then apply the same rule for HTTP and HTTPS.

Otherwise, for HTTPS, you can only load-balance without knowing where the browser is going.


Gilles.
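To make the mechanism in Gilles's two replies concrete (a layer-5 content rule that singles out /admin, an ACL clause that prefers an error-page service for non-internal sources, and the HTTPS case where the balancer cannot see the path), here is a small Python model of that decision logic. It is an added example written for this page, not CSS configuration and not code from Cisco or from any of the posters. The matching semantics (a trailing `*` as a prefix wildcard, most specific rule wins, first matching ACL clause wins, nothing matching an applied ACL is dropped) and the 10.0.0.0/8 "internal" range are assumptions made for illustration; a real CSS must be checked against its own documentation.

```python
"""Model of the thread's design: URL content rules plus a source-IP ACL.

Constructed example; the rule-matching semantics below are assumptions made
for illustration, not a description of how a real Cisco CSS evaluates rules.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ContentRule:
    name: str
    port: int
    url: Optional[str]           # None = layer-4 rule; "/x/*" = layer-5 prefix rule
    services: Tuple[str, ...]    # backend pool normally load-balanced across


@dataclass(frozen=True)
class AclClause:
    number: int
    source: Optional[ipaddress.IPv4Network]   # None = any source
    content: Optional[str]                    # None = destination any
    prefer: Optional[str] = None              # service to steer matching flows to


def url_matches(pattern: str, path: str) -> bool:
    """Assumed pattern semantics: a trailing '*' matches any suffix, else exact."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def select_rule(rules, port: int, path: Optional[str]) -> Optional[ContentRule]:
    """Pick the most specific rule for this port.  path=None models HTTPS that
    the balancer has not decrypted: only layer-4 rules can match then."""
    best = None
    for r in rules:
        if r.port != port:
            continue
        if r.url is None:
            score = 0
        elif path is not None and url_matches(r.url, path):
            score = len(r.url)
        else:
            continue
        if best is None or score > best[0]:
            best = (score, r)
    return best[1] if best else None


def apply_acl(clauses, src_ip: str, rule: ContentRule):
    """First matching clause wins; returns (permitted, preferred_service)."""
    ip = ipaddress.ip_address(src_ip)
    for c in clauses:
        if c.source is not None and ip not in c.source:
            continue
        if c.content is not None and c.content != rule.name:
            continue
        return True, c.prefer
    return False, None   # ACL applied and nothing matched: flow is dropped


def dispatch(rules, clauses, src_ip: str, port: int, path: Optional[str]) -> str:
    """Return the service a request ends up on ('denied'/'no-rule' otherwise)."""
    rule = select_rule(rules, port, path)
    if rule is None:
        return "no-rule"
    ok, prefer = apply_acl(clauses, src_ip, rule)
    if not ok:
        return "denied"
    return prefer or rule.services[0]   # first pool member stands in for the LB pick


# The rules and ACL from the thread.  10.0.0.0/8 as "internal" is taken from the
# later ACL in the thread; "unauthorized" is Gilles's error-page service.
RULES = (
    ContentRule("sm.com", 80, "/*", ("smweb01-80", "smweb02-80")),
    ContentRule("sm.com-admin", 80, "/admin/*", ("smweb01-80", "smweb02-80")),
    ContentRule("ssl-sm", 443, None, ("ssl_serv1",)),
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ACL = (
    AclClause(10, INTERNAL, "sm.com-admin"),                     # internal: normal LB
    AclClause(20, None, "sm.com-admin", prefer="unauthorized"),  # anyone else: error page
    AclClause(99, None, None),                                   # catch-all permit
)


def admin_paths_reaching_backend(src_ip: str):
    """Path spellings (constructed probes) that this model does NOT route to the
    admin rule, so they reach the pool without the ACL ever steering them.
    Whether the origin treats them as /admin is up to the origin, which is why
    the application must still authenticate /admin itself."""
    probes = ("/admin/users", "/admin", "/ADMIN/users", "//admin/users",
              "/admin/../admin/users")
    return tuple(p for p in probes
                 if dispatch(RULES, ACL, src_ip, 80, p) != "unauthorized")


if __name__ == "__main__":
    for who, ip in (("internal", "10.20.1.5"), ("external", "198.51.100.7")):
        print(who, "/admin/users ->", dispatch(RULES, ACL, ip, 80, "/admin/users"))
        print(who, "https, not decrypted ->", dispatch(RULES, ACL, ip, 443, None))
    print("external probes not caught:", admin_paths_reaching_backend("198.51.100.7"))
```

Running it shows the three outcomes the thread is after: an internal client hitting /admin/ is load-balanced normally, an external client hitting /admin/ lands on the error-page service, and an undecrypted HTTPS request can only ever match the layer-4 rule, so the admin restriction does not apply to it (Gilles's point). The last line lists path spellings that a plain prefix rule does not catch in this model (`/admin` without the slash, a different case, a doubled slash); how the real device and the origin normalise these is something to test, and either way the balancer rule is a perimeter filter, not a substitute for authentication on /admin at the application.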

mchockalingam Wed, 06/06/2007 - 02:10
The traffic gets decrypted by the SSL module since the server listens only on port 80. But when the traffic is HTTPS, I do not have any redirect service and all I have is a generic content rule that serves the main page as well as the directories. Here is my config:


service redirect-sm
  type redirect
  keepalive type none
  ip address 1.1.1.1
  no prepend-http
  domain https://www.sm.com
  active

service redirect-portal
  type redirect
  keepalive type none
  ip address 1.1.1.1
  no prepend-http
  redirect-string "https://www.sm.com/portal"
  active

service redirect-portal-admin
  type redirect
  keepalive type none
  ip address 2.2.2.2
  no prepend-http
  redirect-string "https://www.sm.com/portal/admin"
  active

content sm-portal-admin-redirect
  add service redirect-portal-admin
  vip address 10.10.16.22
  protocol tcp
  port 80
  url "/portal/admin"
  active

content sm-portal-redirect
  add service redirect-portal
  vip address 10.10.16.22
  protocol tcp
  port 80
  url "/portal"
  active

content sm-redirect
  add service redirect-sm
  vip address 10.10.16.22
  protocol tcp
  port 80
  url "/*"
  active

content www.sm.com-decrypt
  vip address 10.10.16.22
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 81
  active

content ssl-sm
  add service ssl_serv1
  port 443
  protocol tcp
  vip address 10.10.16.22
  application ssl
  active

acl 1
  clause 10 permit any 10.0.0.0 255.0.0.0 destination content secure-msg/sm-portal-admin-redirect
  clause 20 permit any any destination content secure-msg/sm-portal-admin-redirect prefer redirect-portal
  clause 99 permit any any destination any
  apply all

mchockalingam Wed, 06/06/2007 - 20:06

I think I got the idea. I need to make the decrypt content rule a layer 5 rule checking for a specific URL.