ACE URL Matching

Jun 10th, 2008

Hi there,


I have 2 servers load-balanced using SSL. I have a few URLs which I would like to exclude from the SSL:


/view/avac_message.cfm?denied=safeSurfOn

/view/avac_message.cfm?denied=illegal

/view/avac_message.cfm?denied=blacklist


The content switch seems to have an issue with special characters like . ? =


I have tried encapsulating them in [.] but it still comes up as invalid.


General idea is as follows:


1. Class Map to match the URL


(config)# class-map type http inspect HTTP_URLCHECK_L7CLASS
host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]denied=safeSurfOn
host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]denied=illegal
host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]blacklist


2. Layer 7 Policy Map to apply the match


host1/Admin(config)# policy-map type inspect http all-match L7_FILTERHTML_POLICY
host1/Admin(config-pmap-ins-http)# class L7_HTML_ALLOW_CLASS
host1/Admin(config-pmap-ins-http-c)# permit log
host1/Admin(config-pmap-ins-http-c)# exit


3. Layer 3 and 4 Policy Map to activate the traffic classifications


host1/Admin(config)# policy-map multi-match L4_FILTER_POLICY
host1/Admin(config-pmap)# class L4_MATCH_HTTP_URL_CLASS
host1/Admin(config-pmap-c)# inspect http policy L7_FILTERHTML_POLICY
host1/Admin(config-pmap-c)# exit
host1/Admin(config-pmap)# exit
host1/Admin(config)#


Can anyone advise a workaround to apply these URL statements please?


Thanks


ciscocsoc Tue, 06/10/2008 - 08:36

Hi,


To escape special characters that have another meaning in a regular expression, you need to put a backslash before them, e.g. \. \?


HTH


Cathy

Syed Iftekhar Ahmed Tue, 06/10/2008 - 11:44

Hi


The '?' has a special meaning in the URL. It means the end of the main URL and the beginning of the URL query.


It's not possible to match ? in the URL.


One option could be using secondary cookie matching in ACE.


class-map type http loadbalance match-any xyz
2 match http cookie secondary denied cookie-value safeSurfOn

Thanks

Syed

Gilles Dufour Tue, 06/10/2008 - 15:20

Very good comment and suggestion Syed.

I just want to add that I tested this suggested config and it works perfectly.


Gilles.

fiachragroarke Thu, 06/12/2008 - 02:34

Problem solved. I used the syntax below and the ACE accepted this. Just need to test now.


class-map type http inspect match-any HTTP_URLCHECK_L7CLASS
100 match url .*denied=safeSurfOn
200 match url .*denied=illegal
300 match url .*denied=blacklist
400 match url .*logo.jpg


Big thanks to all who responded!


Syed Iftekhar Ahmed Thu, 06/12/2008 - 09:44
I think it won't work.

As I said earlier, the URL ends at the ? delimiter.


Anyway, try it and let me know.


Syed Iftekhar Ahmed
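
To make Cathy's escaping point and Syed's delimiter point concrete, here is a small Python model, added for this write-up and not ACE code or anything posted in the thread, of how the thread describes the ACE evaluating a class-map: `match url` is assumed to be an anchored regex applied only to the path before the `?`, and `match http cookie secondary` is assumed to compare a query-parameter name and value. The rules and request targets are constructed to mirror the thread.

```python
import re
from urllib.parse import parse_qs, urlsplit


def split_request_target(target):
    """Split a request target into (path, query-params).
    Per the thread, 'match url' on the ACE only sees the part before '?'."""
    parts = urlsplit(target)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


def match_url(pattern, target):
    """Model of 'match url <regex>': anchored regex over the path only.
    Anchoring (fullmatch) is an assumption made for this model."""
    path, _ = split_request_target(target)
    return re.fullmatch(pattern, path) is not None


def match_secondary_cookie(name, value, target):
    """Model of 'match http cookie secondary <name> cookie-value <value>':
    true when the query string carries that parameter with that value."""
    _, query = split_request_target(target)
    return query.get(name) == value


def evaluate(rules, target):
    """Return the line ids of every rule that matches the request target.
    rules: list of (id, kind, arg1, arg2)."""
    hits = []
    for rid, kind, a, b in rules:
        if kind == "url" and match_url(a, target):
            hits.append(rid)
        elif kind == "cookie-secondary" and match_secondary_cookie(a, b, target):
            hits.append(rid)
    return hits


# Constructed rules mirroring the thread's class-maps (not the poster's config).
RULES = [
    (100, "url", r".*denied=safeSurfOn", None),       # OP's attempt: never sees the query
    (400, "url", r".*logo.jpg", None),                # unescaped '.' matches any character
    (401, "url", r".*logo\.jpg", None),               # Cathy's escaped form
    (2, "cookie-secondary", "denied", "safeSurfOn"),  # Syed's secondary-cookie match
]

# Constructed request targets.
REQ_DENIED = "/view/avac_message.cfm?denied=safeSurfOn"
REQ_LOGO = "/images/logo.jpg"
REQ_LOGO_LOOKALIKE = "/images/logoXjpg"
```

Running `evaluate(RULES, REQ_DENIED)` returns only line 2: the URL regex cannot see `denied=safeSurfOn` because it sits after the `?`, while the secondary-cookie rule does. The look-alike path shows why the unescaped `.` in an allow rule is wider than intended: it matches rule 400 but not the escaped rule 401.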

fiachragroarke Thu, 06/12/2008 - 17:16

OK, not to confuse the issue, but I have applied the config below and I cannot seem to get the URL match policy to allow traffic to pass as HTTP while forcing all other traffic to redirect as HTTPS.


Can anyone tell me what I am doing wrong here please?


rserver host Server01
description Primary Server
ip address 10.x.x.1
conn-limit max 2000000 min 1500000
inservice
rserver host Server02
description Secondary Server
ip address 10.x.x.2
conn-limit max 2000000 min 1500000
inservice
rserver redirect Server_Redirect
webhost-redirection https://www.mysite.ie
inservice

serverfarm host ServerAuth
rserver Server01 3807
inservice
rserver Server02 3807
inservice
serverfarm redirect ServerHTTP_Redirect
rserver Server_Redirect
inservice
serverfarm host ServerServers
rserver Server01 80
inservice
rserver Server02 80
inservice

sticky http-cookie server-cookie Server_Cookie_Sticky_Group
cookie insert
timeout 21
serverfarm MyServers

class-map type http inspect match-any HTTP_URLCHECK_L7CLASS
100 match url .*denied=safeSurfOn
200 match url .*denied=illegal
300 match url .*denied=blacklist
400 match url .*logo.jpg
class-map match-any L4_Server_Auth
description match traffic for Authentication
2 match virtual-address 10.103.3.9 tcp eq 3807
class-map match-any L4_Server_HTTP
description match traffic for VIP and HTTP Traffic
2 match virtual-address 10.103.3.9 tcp eq www
class-map match-any L4_Server_HTTPS
description match traffic for VIP and HTTPS Traffic
2 match virtual-address 10.x.x.99 tcp eq https
class-map type http loadbalance match-any L7_Server_URL
2 match http url .*

policy-map type loadbalance first-match L7_Server_LBPolicy
description Server Layer 7 Load Balancing Policy
class L7_Server_URL
sticky-serverfarm Server_Cookie_Sticky_Group

policy-map type loadbalance first-match L7_Server_LBPolicy_Auth
class L7_Server_URL
serverfarm ServerAuth

policy-map type loadbalance first-match L7_Server_LBPolicy_HTTP
class L7_Server_URL
serverfarm ServerHTTP_Redirect
policy-map type inspect http all-match L7_URLCHECK_POLICY
class HTTP_URLCHECK_L7CLASS
permit

policy-map multi-match L4_FILTER_POLICY
description L$ Server URL AVAC CHECK
class L4_Server_HTTP
loadbalance vip inservice
loadbalance vip icmp-reply active
loadbalance vip advertise active
inspect http policy L7_URLCHECK_POLICY
policy-map multi-match L4_Server_LBPolicy
description L4 Server Load-Balancing Policy
class L4_Server_HTTP
loadbalance vip inservice
loadbalance policy L7_Server_LBPolicy_HTTP
loadbalance vip icmp-reply active
loadbalance vip advertise active
class L4_Server_HTTPS
loadbalance vip inservice
loadbalance policy L7_Server_LBPolicy
loadbalance vip icmp-reply
loadbalance vip advertise active
ssl-proxy server SSL_Server_Server
class L4_Server_Auth
loadbalance vip inservice
loadbalance policy L7_Server_LBPolicy_Auth
loadbalance vip icmp-reply
loadbalance vip advertise active

interface vlan 291
service-policy input L4_Server_LBPolicy



lliska Tue, 09/11/2012 - 07:11

Thank you for the nice solution. I just want to add to your post that multiple "match http cookie secondary" statements are possible under the same class-map. The match-all keyword can be used for more granular class-map matching.


Lubomir
