I have some requirements from my app developers that are puzzling me. I'm not sure the ACE can do what I want, but with the flexibility of the policy and class maps I'm thinking there has to be a way.
I have a VIP that is used for two different server farms. If a user goes to the general URI http://mainwebserver.com they go to the main web serverfarm. However, if they go to http://mainwebserver.com/internal they will go to a different serverfarm.
I have this set up and working right now. Easy.
However, my application guys want to use the ACE to enforce certain policies with regard to request METHODs and actions.
For example, if the user is doing a POST and they go to the mainwebserver.com URL with /internal/ and then /makechange in the URL, then they have to be using SSL. In other words, if they go to http://mainwebserver.com/internal/stuff/blah/makechange with the POST method and are coming via HTTP (as opposed to HTTPS), then I need to reject the call. If they aren't POSTing, or aren't going to /makechange, then it doesn't matter if they are using HTTP or HTTPS.
Can anyone come up with a way to accomplish this task?
Oh yeah, it's also not only /makechange, but also /getchanges combined with a POST method, that would require SSL.
Let me know if anyone needs further clarification. It looks like a fun puzzle, so have at it.
As per the ACE policy order, Server Loadbalancing will happen first and then Inspection will take place.
Something like this should do:
class-map type http inspect match-any BLOCK-HTTP
  match request-method rfc post
class-map match-all ALLOW-HTTP
  match port tcp eq http
policy-map type inspect HTTP first-match PM-L7-Inspect-webserver
policy-map multi-match PM-BasicVIPs
  loadbalance vip inservice
  loadbalance policy PM-L7-webserver
  loadbalance vip icmp-reply
  inspect http policy PM-L7-Inspect-webserver
Try it in a test environment first.
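For the test-environment run, the requirement from the question can be written down as a reference model with a matrix of requests to replay against the VIP. This is an added example, not part of the thread and not ACE configuration; treating the action as a whole path segment and matching case-insensitively are assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# From the question: POST + /internal/ + one of these actions requires SSL.
PROTECTED_ACTIONS = {"makechange", "getchanges"}


def path_segments(url):
    """Percent-decode and collapse ./.. so equivalent paths compare alike."""
    path = posixpath.normpath(unquote(urlsplit(url).path) or "/")
    return [s for s in path.split("/") if s]


def must_reject(method, url):
    """True when the stated policy says the request must be refused."""
    if urlsplit(url).scheme.lower() == "https":
        return False                  # SSL in use: always acceptable
    if method.upper() != "POST":
        return False                  # only POST is restricted
    segs = [s.lower() for s in path_segments(url)]  # assumption: case-insensitive
    if not segs or segs[0] != "internal":
        return False                  # main serverfarm: no restriction
    # Assumption: the action is a whole path segment after /internal/.
    return any(s in PROTECTED_ACTIONS for s in segs[1:])


# Constructed test matrix: (method, url, expected_reject)
CASES = [
    ("POST", "http://mainwebserver.com/internal/stuff/blah/makechange", True),
    ("POST", "http://mainwebserver.com/internal/getchanges", True),
    ("POST", "https://mainwebserver.com/internal/stuff/blah/makechange", False),
    ("GET", "http://mainwebserver.com/internal/stuff/blah/makechange", False),
    ("POST", "http://mainwebserver.com/internal/stuff", False),
    ("POST", "http://mainwebserver.com/", False),
    ("POST", "http://mainwebserver.com/internal/stuff/make%63hange", True),
]


def failures():
    """Cases where the model disagrees with the expected result."""
    return [(m, u) for m, u, want in CASES if must_reject(m, u) != want]


if __name__ == "__main__":
    for method, url, want in CASES:
        print(f"{method:4} {url:60} reject={must_reject(method, url)}")
```

Rows expected to be allowed matter as much as the rejected ones: they show whether a deployed policy refuses more than the requirement asks for.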