Cisco ACE: SSL Termination + URL filtering

Aug 14th, 2012

We have Cisco ACE 4710 Appliance.

We must implement two tasks:

1) SSL Termination - is implemented.

2) URL Filtering


The URL for which SSL termination is implemented is https://www.test.com (internal address http://192.168.1.250).


We need to allow access only to the addresses https://www.test.com/index.html and https://www.test.com/docs/index.php.

All other locations, for example https://www.test.com/admin/, must be blocked.


How to implement this scheme?


I would be very grateful for any help

sivaksiv Tue, 08/14/2012 - 09:24
User Badges: Cisco Employee

Hi,


Here is a sample config. Traffic matching 192.168.1.250:443 will be SSL offloaded and then load balanced using the rservers in serverfarm "APP1-SFARM" if the request includes "/index" or "/docs".


ssl-proxy service APP1-SSL-PROXY
  key default-key.pem
  cert default-cert.pem

class-map match-all APP1-443-VIP
  2 match virtual-address 192.168.1.250 tcp eq https

class-map type http loadbalance match-any APP1-URLMAP
  2 match http url /index.*
  3 match http url /docs/.*

policy-map type loadbalance first-match APP1-Policy
  class APP1-URLMAP
    serverfarm APP1-SFARM

policy-map multi-match VIPS-VLAN79
  class APP1-443-VIP
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance policy APP1-Policy
    ssl-proxy server APP1-SSL-PROXY


As you can see, traffic will be SSL offloaded and then load balanced using the rservers in serverfarm "APP1-SFARM" if the request includes "/index", and you can use another L7 class-map to block the URL /admin and direct those requests to a dummy / redirect serverfarm that responds with a 404.


Sample config URL filtering:

http://docwiki.cisco.com/wiki/URL_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example

SSL termination:

http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example


Hope this helps!!!

-

Siva
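For completeness, here is an added, end-to-end version of the scheme described in the answer above, restricted to the two paths the original poster asked for. It is an editorial example, not Siva's config or anything from the Cisco documentation links; it assumes a single back-end server at 10.1.1.10:80, a certificate/key pair already imported as www-test-com.pem / www-test-com-key.pem, and that VLAN 79 carries the VIP. It differs from the answer in one deliberate way: instead of sending disallowed URLs to a dummy 404 serverfarm, a trailing class-default in the first-match policy drops them, so the back end never sees the request. Lines beginning with "!" are editorial comments and must be removed before pasting into the ACE.

```text
! Added example config (not the original poster's). Assumed values:
! back-end server 10.1.1.10:80, cert/key names, VIP on VLAN 79.
rserver host WWW-TEST-COM
  ip address 10.1.1.10
  inservice

serverfarm host APP1-SFARM
  rserver WWW-TEST-COM 80
    inservice

ssl-proxy service APP1-SSL-PROXY
  key www-test-com-key.pem
  cert www-test-com.pem

! Allow list: only the two exact paths. No trailing ".*" is used on
! purpose, so /index.html.bak or /docs/index.php/../admin/ do not match.
class-map type http loadbalance match-any APP1-ALLOWED-URLS
  2 match http url /index\.html
  3 match http url /docs/index\.php

class-map match-all APP1-443-VIP
  2 match virtual-address 192.168.1.250 tcp eq https

! first-match: the allow list is tested first; everything else hits
! class-default and is dropped on the ACE.
policy-map type loadbalance first-match APP1-Policy
  class APP1-ALLOWED-URLS
    serverfarm APP1-SFARM
  class class-default
    drop

policy-map multi-match VIPS-VLAN79
  class APP1-443-VIP
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance policy APP1-Policy
    ssl-proxy server APP1-SSL-PROXY

interface vlan 79
  service-policy input VIPS-VLAN79
  no shutdown
```

Two checks are worth doing before relying on this as an access control. First, confirm on your ACE software version how `match http url` anchors its regular expression: request /admin/index.html, /index.html?x=1 and /Index.html against the VIP and verify with `show stats http` or the serverfarm connection counters that only the intended two paths reach APP1-SFARM; if case-insensitive paths must be accepted, the matching has to be made case-insensitive as well. Second, remember that the ACE matches the request line it receives, so an allow list on the load balancer is a useful outer layer but not a substitute for access control on the web server itself, in particular for /admin/.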
