08-24-2010 04:00 AM
Hi.
The configuration below is extracted from a working configuration where the ACE is doing SSL offload for a web service - this is pretty standard stuff.
What I have been asked to do is modify the configuration so that:
1) Any connections from an internal source (this will be the 10.0.0/8 and 17.16.0.0/16 range of IPs) can continue to access any URL.
2) Any other connections - which will be from an external source - are only allowed to access URLs beginning with /public and /downloads.
Can you please advise me on how to change this? If necessary, I can define a second VIP for the external connections and set up the DNS appropriately.
Thanks in advance
___________________________________________
crypto chaingroup WEBSERVER_CHAIN
  cert WEBSERVER.CER
  cert VERISIGN.CER
probe tcp WEBSERVER
  port 7777
ssl-proxy service SSL_PROXY_WEBSERVER
  key WEBSERVER.KEY
  cert WEBSERVER.CER
  chaingroup WEBSERVER_CHAIN
serverfarm host WEBSERVER
  probe WEBSERVER
  rserver SERVER1 7777
    inservice
  rserver SERVER2 7777
    inservice
sticky http-cookie WEBSERVER_COOKIE WEBSERVER_StickyGroup
  cookie insert browser-expire
  replicate sticky
  serverfarm WEBSERVER
class-map match-all WEBSERVER
  10 match virtual-address 172.16.16.1 tcp eq https
policy-map type loadbalance first-match WEBSERVER_L7
  class class-default
    sticky-serverfarm WEBSERVER_StickyGroup
policy-map multi-match GlobalLB
  class WEBSERVER
    loadbalance vip inservice
    loadbalance policy WEBSERVER_L7
    loadbalance vip icmp-reply
    ssl-proxy server SSL_PROXY_WEBSERVER
08-24-2010 05:31 AM
First make class maps to characterize the traffic:
class-map type http loadbalance match-all ten
  2 match source-address 10.0.0.0 255.0.0.0
  4 match http url .*
class-map type http loadbalance match-all seventeen
  2 match source-address 17.16.0.0 255.255.0.0
  4 match http url .*
class-map type http loadbalance match-any restrict
  2 match http url /public.*
  4 match http url /downloads.*
Then use in load balance policy as follows:
policy-map type loadbalance first-match WEBSERVER_L7
  class ten
    sticky-serverfarm WEBSERVER_StickyGroup
  class seventeen
    sticky-serverfarm WEBSERVER_StickyGroup
  class restrict
    sticky-serverfarm WEBSERVER_StickyGroup
If you want to send outside users with other URLs to a sorry page, you would have a server in a serverfarm that would do that and use it in a class class-default on the bottom of the load balance policy. The matches on the load balance policy are top down, so order is important.
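The first-match evaluation described in the reply above, modeled in Python as an added example (not code from the thread or from Cisco) so the policy can be checked against sample requests before it is applied. It assumes an ACE URL expression must match the whole URL, approximated here with `re.fullmatch`; the `classify` helper and the sample requests are constructed for illustration.

```python
import ipaddress
import re

# Classes from the reply, in policy order: (name, source network or None, URL patterns).
# A class matches when the source is in the network (if one is set) and
# at least one URL pattern matches.
POLICY = [
    ("ten", ipaddress.ip_network("10.0.0.0/255.0.0.0"), [r".*"]),
    ("seventeen", ipaddress.ip_network("17.16.0.0/255.255.0.0"), [r".*"]),
    ("restrict", None, [r"/public.*", r"/downloads.*"]),
]

def classify(src_ip, url, policy=POLICY):
    """Return the name of the first class that matches, or None.

    None means no listed class matched; the request would only be handled
    by a class class-default entry if one is placed at the bottom.
    """
    addr = ipaddress.ip_address(src_ip)
    for name, network, url_patterns in policy:
        if network is not None and addr not in network:
            continue
        # Assumption: whole-URL match semantics, modeled with re.fullmatch.
        if any(re.fullmatch(p, url) for p in url_patterns):
            return name
    return None

# Constructed sample requests (source IP, URL).
SAMPLES = [
    ("10.1.2.3", "/admin"),                 # inside 10.0.0.0/8
    ("17.16.5.9", "/admin"),                # inside 17.16.0.0/16
    ("203.0.113.5", "/public/index.html"),  # outside source, allowed prefix
    ("203.0.113.5", "/downloads/a.zip"),    # outside source, allowed prefix
    ("203.0.113.5", "/admin"),              # outside source, other URL
    ("203.0.113.5", "/publications/x"),     # prefix pattern also covers this path
    ("172.16.40.7", "/admin"),              # not in either range given in the thread
]

def run_samples():
    return [(ip, url, classify(ip, url)) for ip, url in SAMPLES]

if __name__ == "__main__":
    for ip, url, cls in run_samples():
        print(f"{ip:<14} {url:<22} -> {cls or 'no class matched'}")
```

Because `/public.*` is a prefix pattern, it also matches paths such as `/publications/x`; an expression like `/public/.*` would limit the match to the directory itself.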
08-24-2010 09:54 PM
As usual, your posts are informative, litrenta.