ACE URL Matching

fiachragroarke · ‎06-10-2008

Hi there,

I have 2 servers loadbalanced using ssl. I have a few URL's which I would like to exclude from the ssl:

/view/avac_message.cfm?denied=safeSurfOn

/view/avac_message.cfm?denied=illegal

/view/avac_message.cfm?denied=blacklist

The content switch seems to have an issue with special characters like . ? =

I have tried encapsulating them in [.] but still comes up invalid

General idea is as follows:

1. Class Map to match the URL

(config)# class-map type http inspect HTTP_URLCHECK_L7CLASS

host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]denied=safeSurfOn

host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]denied=illegal

host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]blacklist

2. Layer 7 Policy Map to apply the match

host1/Admin(config)# policy-map type inspect http all-match L7_FILTERHTML_POLICY

host1/Admin(config-pmap-ins-http)# class L7_HTML_ALLOW_CLASS

host1/Admin(config-pmap-ins-http-c)# permit log

host1/Admin(config-pmap-ins-http-c)# exit

3. Layer 3 and 4 Policy Map to activate the traffic classifications

host1/Admin(config)# policy-map multi-match L4_FILTER_POLICY

host1/Admin(config-pmap)# class L4_MATCH_HTTP_URL_CLASS

host1/Admin(config-pmap-c)# inspect http policy L7_FILTERHTML_POLICY

host1/Admin(config-pmap-c)# exit

host1/Admin(config-pmap)# exit

host1/Admin(config)#

Can anyone advise a workaround to apply these url statements please?

Thanks

ciscocsoc · ‎06-10-2008

Hi,

To escape special characters that have another meaning in a regular expression you need to put a backslash before them - e.g. \. \?

HTH

Cathy

Syed Iftekhar Ahmed · ‎06-10-2008

Hi

The '?' has a special meaning in the URL. It means the end of the main URL and the beginning of the URL query.

Its not possible to match ? in the url.

One option could be using secondary cookie matching in ACE.

class-map type http loadbalance match-any xyz

2 match http cookie secondary denied cookie-value safeSurfOn

Thanks

Syed

Gilles Dufour · ‎06-10-2008

Very good comment and suggestion Syed.

I just want to add that I tested this suggested config and it works perfectly.

Gilles.

fiachragroarke · ‎06-12-2008

Problem solved, I used the below syntax and the ACE accepted this. Just need to test now

class-map type http inspect match-any HTTP_URLCHECK_L7CLASS

100 match url .*denied=safeSurfOn

200 match url .*denied=illegal

300 match url .*denied=blacklist

400 match url .*logo.jpg

Big thanks to all who responded !!!!

Syed Iftekhar Ahmed · ‎06-12-2008

I think it wont work.

As I said earlier URL ends at ? delimeter.

Any ways try it and let me know.

Syed Iftekhar Ahmed

fiachragroarke · ‎06-12-2008

OK, not to confuse the issue, but I have applied the below config and I cannot seem to get the url match policy to allow traffic to pass as http, while forcing all other traffic to redirect as https

Can Anyone tell me what I am doing wrong here please?:

rserver host Server01

description Primary Server

ip address 10.x.x.1

conn-limit max 2000000 min 1500000

inservice

rserver host Server02

description Secondary Server

ip address 10.x.x.2

conn-limit max 2000000 min 1500000

inservice

rserver redirect Server_Redirect

webhost-redirection https://www.mysite.ie

inservice

serverfarm host ServerAuth

rserver Server01 3807

inservice

rserver Server02 3807

inservice

serverfarm redirect ServerHTTP_Redirect

rserver Server_Redirect

inservice

serverfarm host ServerServers

rserver Server01 80

inservice

rserver Server02 80

inservice

sticky http-cookie server-cookie Server_Cookie_Sticky_Group

cookie insert

timeout 21

serverfarm MyServers

class-map type http inspect match-any HTTP_URLCHECK_L7CLASS

100 match url .*denied=safeSurfOn

200 match url .*denied=illegal

300 match url .*denied=blacklist

400 match url .*logo.jpg

class-map match-any L4_Server_Auth

description match traffic for Authentication

2 match virtual-address 10.103.3.9 tcp eq 3807

class-map match-any L4_Server_HTTP

description match traffic for VIP and HTTP Traffic

2 match virtual-address 10.103.3.9 tcp eq www

class-map match-any L4_Server_HTTPS

description match traffic for VIP and HTTPS Traffic

2 match virtual-address 10.x.x.99 tcp eq https

class-map type http loadbalance match-any L7_Server_URL

2 match http url .*

policy-map type loadbalance first-match L7_Server_LBPolicy

description Server Layer 7 Load Balancing Policy

class L7_Server_URL

sticky-serverfarm Server_Cookie_Sticky_Group

policy-map type loadbalance first-match L7_Server_LBPolicy_Auth

class L7_Server_URL

serverfarm ServerAuth

policy-map type loadbalance first-match L7_Server_LBPolicy_HTTP

class L7_Server_URL

serverfarm ServerHTTP_Redirect

policy-map type inspect http all-match L7_URLCHECK_POLICY

class HTTP_URLCHECK_L7CLASS

permit

policy-map multi-match L4_FILTER_POLICY

description L$ Server URL AVAC CHECK

class L4_Server_HTTP

loadbalance vip inservice

loadbalance vip icmp-reply active

loadbalance vip advertise active

inspect http policy L7_URLCHECK_POLICY

policy-map multi-match L4_Server_LBPolicy

description L4 Server Load-Balancing Policy

class L4_Server_HTTP

loadbalance vip inservice

loadbalance policy L7_Server_LBPolicy_HTTP

loadbalance vip icmp-reply active

loadbalance vip advertise active

class L4_Server_HTTPS

loadbalance vip inservice

loadbalance policy L7_Server_LBPolicy

loadbalance vip icmp-reply

loadbalance vip advertise active

ssl-proxy server SSL_Server_Server

class L4_Server_Auth

loadbalance vip inservice

loadbalance policy L7_Server_LBPolicy_Auth

loadbalance vip icmp-reply

loadbalance vip advertise active

interface vlan 291

service-policy input L4_Server_LBPolicy

lliska · ‎09-11-2012

Thank you for the nice solution. I just want to add to your post, that multiple "match http cookie secondary" statements are possible under the same class-map. Match-all keyword can be used for more granular class-map matching.

Lubomir