Combining layer 3/4 and layer 7 filtering

Unanswered Question
Aug 24th, 2010


The configuration below is extracted from a working configuration where the ACE is doing SSL offload for a web service - this is pretty standard stuff.

What I have been asked to do is modify the configuration so that:

1) Any connections from an internal source (this will be the 10.0.0/8 range of IPs) can continue to access any URL.

2) Any other connections - which will be from an external source - are only allowed to access URLs beginning with /public and /downloads.

Can you please advise me on how to change this? If necessary, I can define a second VIP for the external connections and set up the DNS appropriately.

Thanks in advance


crypto chaingroup WEBSERVER_CHAIN

probe tcp WEBSERVER
  port 7777

ssl-proxy service SSL_PROXY_WEBSERVER
  chaingroup WEBSERVER_CHAIN

serverfarm host WEBSERVER
  rserver SERVER1 7777
  rserver SERVER2 7777

sticky http-cookie WEBSERVER_COOKIE WEBSERVER_StickyGroup
  cookie insert browser-expire
  replicate sticky
  serverfarm WEBSERVER

class-map match-all WEBSERVER
  10 match virtual-address tcp eq https

policy-map type loadbalance first-match WEBSERVER_L7
  class class-default
    sticky-serverfarm WEBSERVER_StickyGroup

policy-map multi-match GlobalLB
    loadbalance vip inservice
    loadbalance policy WEBSERVER_L7
    loadbalance vip icmp-reply
    ssl-proxy server SSL_PROXY_WEBSERVER

litrenta Tue, 08/24/2010 - 05:31

First make class maps to characterize the traffic:

class-map type http loadbalance match-all ten
  2 match source-address
  4 match http url .*

class-map type http loadbalance match-all seventeen
  2 match source-address
  4 match http url .*

class-map type http loadbalance match-any restrict
  2 match http url /public.*
  4 match http url /downloads.*

Then use them in the load balance policy as follows:

policy-map type loadbalance first-match WEBSERVER_L7
  class ten
    sticky-serverfarm WEBSERVER_StickyGroup
  class seventeen
    sticky-serverfarm WEBSERVER_StickyGroup
  class restrict
    sticky-serverfarm WEBSERVER_StickyGroup

If you want to send outside users with other URLs to a sorry page, you would have a server in a serverfarm that would do that and use it in a class class-default at the bottom of the load balance policy. The matches in the load balance policy are evaluated top down, so order is important.
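The top-down, first-match evaluation described in the reply is easy to get wrong, so here is an added example (not code from the thread or from Cisco) that models the reply's policy in Python and runs constructed requests through it. The class names "ten", "seventeen" and "restrict", the sticky group and the /public and /downloads patterns come from the thread; the 10.0.0.0/8 prefix comes from the question; the 172.16.0.0/12 prefix for "seventeen", the serverfarm name "SORRY_FARM" and the sample source addresses are assumptions made for illustration. The example also goes beyond the thread in two ways: it shows what happens when class-default is accidentally placed first, and it shows that the reply's `/public.*` pattern also matches paths such as `/publications`, with a tighter pattern beside it.

```python
import ipaddress
import re

# Constructed model of the reply's first-match load-balance policy.
# "ten", "seventeen", "restrict" and WEBSERVER_StickyGroup are from the thread;
# 10.0.0.0/8 is from the question; 172.16.0.0/12 and SORRY_FARM are assumptions.
INTERNAL_TEN = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_SEVENTEEN = [ipaddress.ip_network("172.16.0.0/12")]  # assumed prefix

# Each rule: (class name, allowed source networks or None for "any",
#             URL regexes anchored at the start of the path, action on match)
POLICY = [
    ("ten",           INTERNAL_TEN,       [r".*"],                         "WEBSERVER_StickyGroup"),
    ("seventeen",     INTERNAL_SEVENTEEN, [r".*"],                         "WEBSERVER_StickyGroup"),
    ("restrict",      None,               [r"/public.*", r"/downloads.*"], "WEBSERVER_StickyGroup"),
    ("class-default", None,               [r".*"],                         "SORRY_FARM"),
]

# Same policy with tighter patterns: only "/public", "/downloads" and paths
# below them match, so "/publications" falls through to class-default.
STRICT_POLICY = [
    POLICY[0],
    POLICY[1],
    ("restrict", None, [r"/public(/.*)?$", r"/downloads(/.*)?$"], "WEBSERVER_StickyGroup"),
    POLICY[3],
]

# Misordered variant: class-default placed first matches every request,
# so the internal and restricted classes are never reached.
MISORDERED_POLICY = [POLICY[3]] + POLICY[:3]


def source_matches(nets, src_ip):
    """True when src_ip falls inside one of nets, or nets is None (match any)."""
    if nets is None:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in nets)


def url_matches(patterns, path):
    """Patterns are treated as anchored at the start of the request path,
    which is what the reply's '/public.*' intends; re.match gives that."""
    return any(re.match(p, path) for p in patterns)


def first_match(policy, src_ip, path):
    """Walk the policy top down and return (class name, action) of the first hit."""
    for name, nets, patterns, action in policy:
        if source_matches(nets, src_ip) and url_matches(patterns, path):
            return name, action
    return None, None


if __name__ == "__main__":
    # Constructed sample requests: (source IP, request path)
    samples = [
        ("10.1.2.3", "/admin/console"),
        ("172.20.0.9", "/admin/console"),
        ("203.0.113.5", "/public/index.html"),
        ("203.0.113.5", "/downloads/file.zip"),
        ("203.0.113.5", "/admin/console"),
        ("203.0.113.5", "/publications"),  # prefix overlap with /public.*
    ]
    for label, pol in (("as written", POLICY),
                       ("strict", STRICT_POLICY),
                       ("misordered", MISORDERED_POLICY)):
        print(f"--- policy {label} ---")
        for ip, path in samples:
            name, action = first_match(pol, ip, path)
            print(f"{ip:>12} {path:<22} -> class {name:<13} action {action}")
```

Two points a practitioner should keep in mind when relying on this kind of rule set: the source-address classes trust whatever source IP the ACE sees, so a proxy or NAT device in front of the VIP would make every client look internal (or external); and the URL classes only see the path after SSL termination and before any normalisation the web server applies, so the backend still needs its own authorisation for anything outside /public and /downloads rather than depending on the load balancer alone.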

