
New Member

ACE URL Matching

Hi there,

I have 2 servers load-balanced using SSL. I have a few URLs which I would like to exclude from SSL:

/view/avac_message.cfm?denied=safeSurfOn

/view/avac_message.cfm?denied=illegal

/view/avac_message.cfm?denied=blacklist

The content switch seems to have an issue with special characters like . ? =

I have tried encapsulating them in [.] but it still comes up as invalid.

General idea is as follows:

1. Class Map to match the URL

(config)# class-map type http inspect HTTP_URLCHECK_L7CLASS
host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]denied=safeSurfOn
host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]denied=illegal
host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]denied=blacklist

2. Layer 7 Policy Map to apply the match

host1/Admin(config)# policy-map type inspect http all-match L7_FILTERHTML_POLICY
host1/Admin(config-pmap-ins-http)# class L7_HTML_ALLOW_CLASS
host1/Admin(config-pmap-ins-http-c)# permit log
host1/Admin(config-pmap-ins-http-c)# exit

3. Layer 3 and 4 Policy Map to activate the traffic classifications

host1/Admin(config)# policy-map multi-match L4_FILTER_POLICY
host1/Admin(config-pmap)# class L4_MATCH_HTTP_URL_CLASS
host1/Admin(config-pmap-c)# inspect http policy L7_FILTERHTML_POLICY
host1/Admin(config-pmap-c)# exit
host1/Admin(config-pmap)# exit
host1/Admin(config)#

Can anyone advise a workaround to apply these url statements please?

Thanks

7 REPLIES
Silver

Re: ACE URL Matching

Hi,

To escape special characters that have another meaning in a regular expression you need to put a backslash before them - e.g. \. \?

HTH

Cathy

Re: ACE URL Matching

Hi

The '?' has a special meaning in the URL. It means the end of the main URL and the beginning of the URL query.

It's not possible to match ? in the URL.

One option could be using secondary cookie matching in ACE.

class-map type http loadbalance match-any xyz
  2 match http cookie secondary denied cookie-value safeSurfOn

Thanks

Syed

Cisco Employee

Re: ACE URL Matching

Very good comment and suggestion Syed.

I just want to add that I tested this suggested config and it works perfectly.

Gilles.

New Member

Re: ACE URL Matching

Problem solved. I used the below syntax and the ACE accepted this. Just need to test now.

class-map type http inspect match-any HTTP_URLCHECK_L7CLASS
  100 match url .*denied=safeSurfOn
  200 match url .*denied=illegal
  300 match url .*denied=blacklist
  400 match url .*logo.jpg

Big thanks to all who responded !!!!

Re: ACE URL Matching

I think it won't work.

As I said earlier, the URL ends at the ? delimiter.

Anyway, try it and let me know.

Syed Iftekhar Ahmed

New Member

Re: ACE URL Matching

OK, not to confuse the issue, but I have applied the below config and I cannot seem to get the URL match policy to allow traffic to pass as HTTP while forcing all other traffic to redirect to HTTPS.

Can anyone tell me what I am doing wrong here, please?

rserver host Server01
  description Primary Server
  ip address 10.x.x.1
  conn-limit max 2000000 min 1500000
  inservice
rserver host Server02
  description Secondary Server
  ip address 10.x.x.2
  conn-limit max 2000000 min 1500000
  inservice
rserver redirect Server_Redirect
  webhost-redirection https://www.mysite.ie
  inservice

serverfarm host ServerAuth
  rserver Server01 3807
    inservice
  rserver Server02 3807
    inservice
serverfarm redirect ServerHTTP_Redirect
  rserver Server_Redirect
    inservice
serverfarm host ServerServers
  rserver Server01 80
    inservice
  rserver Server02 80
    inservice

sticky http-cookie server-cookie Server_Cookie_Sticky_Group
  cookie insert
  timeout 21
  serverfarm MyServers

class-map type http inspect match-any HTTP_URLCHECK_L7CLASS
  100 match url .*denied=safeSurfOn
  200 match url .*denied=illegal
  300 match url .*denied=blacklist
  400 match url .*logo.jpg
class-map match-any L4_Server_Auth
  description match traffic for Authentication
  2 match virtual-address 10.103.3.9 tcp eq 3807
class-map match-any L4_Server_HTTP
  description match traffic for VIP and HTTP Traffic
  2 match virtual-address 10.103.3.9 tcp eq www
class-map match-any L4_Server_HTTPS
  description match traffic for VIP and HTTPS Traffic
  2 match virtual-address 10.x.x.99 tcp eq https
class-map type http loadbalance match-any L7_Server_URL
  2 match http url .*

policy-map type loadbalance first-match L7_Server_LBPolicy
  description Server Layer 7 Load Balancing Policy
  class L7_Server_URL
    sticky-serverfarm Server_Cookie_Sticky_Group
policy-map type loadbalance first-match L7_Server_LBPolicy_Auth
  class L7_Server_URL
    serverfarm ServerAuth
policy-map type loadbalance first-match L7_Server_LBPolicy_HTTP
  class L7_Server_URL
    serverfarm ServerHTTP_Redirect
policy-map type inspect http all-match L7_URLCHECK_POLICY
  class HTTP_URLCHECK_L7CLASS
    permit

policy-map multi-match L4_FILTER_POLICY
  description L$ Server URL AVAC CHECK
  class L4_Server_HTTP
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    inspect http policy L7_URLCHECK_POLICY
policy-map multi-match L4_Server_LBPolicy
  description L4 Server Load-Balancing Policy
  class L4_Server_HTTP
    loadbalance vip inservice
    loadbalance policy L7_Server_LBPolicy_HTTP
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
  class L4_Server_HTTPS
    loadbalance vip inservice
    loadbalance policy L7_Server_LBPolicy
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    ssl-proxy server SSL_Server_Server
  class L4_Server_Auth
    loadbalance vip inservice
    loadbalance policy L7_Server_LBPolicy_Auth
    loadbalance vip icmp-reply
    loadbalance vip advertise active

interface vlan 291
  service-policy input L4_Server_LBPolicy

New Member

ACE URL Matching

Thank you for the nice solution. I just want to add to your post that multiple "match http cookie secondary" statements are possible under the same class-map. The match-all keyword can be used for more granular class-map matching.

Lubomir
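To make the point of Syed's and Lubomir's replies concrete, here is a small Python model of the two classification approaches discussed in this thread. It is added for this write-up and is not part of the thread, nor is it Cisco's ACE code. It assumes exactly the behaviour described above: a `match url` regex is anchored at the start of the request URL (hence the usual leading `.*`) and sees only the part before the `?` delimiter, while `match http cookie secondary <name> cookie-value <regex>` matches a `name=value` pair in the query string. The sample request targets are constructed from the URLs in the original post plus a few extra ones.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request targets: the three URLs from the original post,
# plus a few extra ones to show what does and does not get classified.
SAMPLE_TARGETS = [
    "/view/avac_message.cfm?denied=safeSurfOn",
    "/view/avac_message.cfm?denied=illegal",
    "/view/avac_message.cfm?denied=blacklist",
    "/view/avac_message.cfm?denied=other",
    "/images/logo.jpg",
    "/login.cfm",
]


def split_target(target):
    """Split a request target into (path, query) at the first '?'.

    Assumption taken from the thread: the URL that 'match url' inspects ends
    at the '?' delimiter, so the query string is never visible to it.
    """
    parts = urlsplit(target)
    return parts.path, parts.query


def match_url(pattern, target):
    """Model of 'match url <regex>': anchored at the start of the URL and
    applied to the path component only (assumed behaviour, see lead-in)."""
    path, _ = split_target(target)
    return re.match(pattern, path) is not None


def match_secondary_cookie(name, value_pattern, target):
    """Model of 'match http cookie secondary <name> cookie-value <regex>':
    the name=value pairs of the query string are the 'secondary cookies'."""
    _, query = split_target(target)
    return any(
        key == name and re.fullmatch(value_pattern, value) is not None
        for key, value in parse_qsl(query, keep_blank_values=True)
    )


def classify(target, match_lines, mode="match-any"):
    """Evaluate a class-map's match lines with match-any or match-all semantics."""
    results = [line(target) for line in match_lines]
    return any(results) if mode == "match-any" else all(results)


# The original poster's accepted class-map: URL regexes that look for the
# query string (unreachable in this model) and one that matches a path.
URL_CLASS = [
    lambda t: match_url(r".*denied=safeSurfOn", t),
    lambda t: match_url(r".*denied=illegal", t),
    lambda t: match_url(r".*denied=blacklist", t),
    lambda t: match_url(r".*logo.jpg", t),  # unescaped '.' also matches e.g. logoXjpg
]

# Syed's workaround, extended as Lubomir notes with several secondary-cookie
# lines under one match-any class-map.
COOKIE_CLASS = [
    lambda t: match_secondary_cookie("denied", "safeSurfOn", t),
    lambda t: match_secondary_cookie("denied", "illegal", t),
    lambda t: match_secondary_cookie("denied", "blacklist", t),
]

# match-all: the path regex AND the query parameter must both hold.
GRANULAR_CLASS = [
    lambda t: match_url(r".*avac_message\.cfm", t),
    lambda t: match_secondary_cookie("denied", "safeSurfOn", t),
]


def evaluate_thread_classes():
    """Return which sample targets each modelled class-map selects."""
    return {
        "url_class": [t for t in SAMPLE_TARGETS if classify(t, URL_CLASS)],
        "cookie_class": [t for t in SAMPLE_TARGETS if classify(t, COOKIE_CLASS)],
        "granular_class": [
            t for t in SAMPLE_TARGETS if classify(t, GRANULAR_CLASS, "match-all")
        ],
    }


if __name__ == "__main__":
    for name, hits in evaluate_thread_classes().items():
        print(f"{name}: {hits}")
```

Under these assumptions the poster's `.*denied=...` lines select none of the three intended URLs, because the text they look for sits after the `?`, and this holds even with Cathy's correct regex escaping (`\.` and `\?`), since the escaped `?` is never present in what the matcher sees. The secondary-cookie class selects exactly the three, and the match-all variant narrows that further to the one request whose path and query both fit. The unescaped `.` in `.*logo.jpg` is also shown to match more than the poster probably intends.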
