partial access to a page

Unanswered Question
Mar 14th, 2007

Hi All,

I have a scenario where external users can access an URL called http://www.sm.com but at the same time, they cannot access http://www.sm.com/admin

Internal users can access any URL.

I am thinking of assigning 2 different VIPs and not open firewall for one of the VIP that belongs to admin page. I have the following config

service smweb01-80

port 80

keepalive frequency 10

ip address 10.20.20.11

keepalive type http

keepalive port 80

active

service smweb02-80

port 80

keepalive frequency 10

keepalive type http

keepalive port 80

ip address 10.20.20.12

active

content sm.com

vip address 10.10.16.22

add service smweb01-80

add service smweb02-80

protocol tcp

port 80

active

content sm.com-admin

vip address 10.10.16.23

add service smweb01-80

add service smweb02-80

protocol tcp

port 80

url "/admin/*"

active

Will this work? I want to make sure that I am on the right track.

thanks,

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
mchockalingam Wed, 03/14/2007 - 21:26

I realized that the above config will not work. DNS cannot resolve a single URL to 2 different VIPs.

Is it possible to redirect to a dummay page based on the source ip? If the source IP is from internal network, I would like to allow access to the admin page. If not, redirect them to a dummy page.

Syed Iftekhar Ahmed Thu, 03/15/2007 - 00:46

Acl on CSS can be used to select a particular service from content rule based on source ip

acl 1

clause 20 permit any destination content / prefer

Gilles Dufour Thu, 03/15/2007 - 01:37

you should do something like this

service unauthorized

ip x.x.x.x

port 80

active

vip address 10.10.16.22

add service smweb01-80

add service smweb02-80

protocol tcp

port 80

url "/*"

active

content sm.com-admin

vip address 10.10.16.22

add service smweb01-80

add service smweb02-80

protocol tcp

port 80

url "/admin/*"

active

acl 1

clause 10 permit any destination content

clause 20 permit any any destination content prefer unauthorized

clause 99 permit any any destination any

apply all

Where service unauthorized would be a server with a page displaying an error message.

This could also be a redirect to a url like

http://www.sm.com/error.html

Gilles.

Gilles Dufour Wed, 06/06/2007 - 01:38

for https, the css does not see the url as it is encrypted. You can use an ssl module to decrypt the traffic if you have the server key and certificate and then apply the same rule for http and https.

otherwise, for https, you can only loadbalance without knowing where the browser is going.

Gilles.

mchockalingam Wed, 06/06/2007 - 02:10

The traffic gets decrypted by the SSL module since the server listens only on port 80. But when the traffic is https, I do not have any redirect service and all I have is a generic content rule that serves the main page as well as the directories. Here is my config

service redirect-sm

type redirect

keepalive type none

ip address 1.1.1.1

no prepend-http

domain https://www.sm.com

active

service redirect-portal

type redirect

keepalive type none

ip address 1.1.1.1

no prepend-http

redirect-string "https://www.sm.com/portal"

active

service redirect-portal-admin

type redirect

keepalive type none

ip address 2.2.2.2

no prepend-http

redirect-string "https://www.sm.com/portal/admin"

active

content sm-portal-admin-redirect

add service redirect-portal-admin

vip address 10.10.16.22

protocol tcp

port 80

url "/portal/admin"

active

content sm-portal-redirect

add service redirect-portal

vip address 10.10.16.22

protocol tcp

port 80

url "/portal"

active

content sm-redirect

add service redirect-sm

vip address 10.10.16.22

protocol tcp

port 80

url "/*"

active

content www.sm.com-decrypt

vip address 10.10.16.22

add service smweb01-80

add service smweb02-80

protocol tcp

port 81

active

content ssl-sm

add service ssl_serv1

port 443

protocol tcp

vip address 10.10.16.22

application ssl

active

acl 1

clause 10 permit any 10.0.0.0 255.0.0.0 destination content secure-msg/sm-portal-admin-redirect

clause 20 permit any any destination content secure-msg/sm-portal-admin-redirect prefer redirect-portal

clause 99 permit any any destination any

apply all

mchockalingam Wed, 06/06/2007 - 20:06

I think I got the idea. I need to make the decrypt content rule as a layer 5 rule checking for specific URL

Actions

This Discussion