08-24-2010 04:00 AM
Hi.
The configuration below is extracted from a working configuration where the ACE is doing SSL offload for a web service - this is pretty standard stuff.
What I have been asked to do is modify the configuration so that:
1) Any connections from an internal source (this will be the 10.0.0/8 and 17.16.0.0/16 ranges of IPs) can continue to access any URL.
2) Any other connections - which will be from an external source - are only allowed to access URLs beginning with /public and /downloads.
Can you please advise me on how to change this? If necessary, I can define a second VIP for the external connections and set up the DNS appropriately.
Thanks in advance
___________________________________________
crypto chaingroup WEBSERVER_CHAIN
  cert WEBSERVER.CER
  cert VERISIGN.CER
probe tcp WEBSERVER
  port 7777
ssl-proxy service SSL_PROXY_WEBSERVER
  key WEBSERVER.KEY
  cert WEBSERVER.CER
  chaingroup WEBSERVER_CHAIN
serverfarm host WEBSERVER
  probe WEBSERVER
  rserver SERVER1 7777
    inservice
  rserver SERVER2 7777
    inservice
sticky http-cookie WEBSERVER_COOKIE WEBSERVER_StickyGroup
  cookie insert browser-expire
  replicate sticky
  serverfarm WEBSERVER
class-map match-all WEBSERVER
  10 match virtual-address 172.16.16.1 tcp eq https
policy-map type loadbalance first-match WEBSERVER_L7
  class class-default
    sticky-serverfarm WEBSERVER_StickyGroup
policy-map multi-match GlobalLB
  class WEBSERVER
    loadbalance vip inservice
    loadbalance policy WEBSERVER_L7
    loadbalance vip icmp-reply
    ssl-proxy server SSL_PROXY_WEBSERVER
08-24-2010 05:31 AM
First, make class maps to characterize the traffic:
class-map type http loadbalance match-all ten
  2 match source-address 10.0.0.0 255.0.0.0
  4 match http url .*
class-map type http loadbalance match-all seventeen
  2 match source-address 17.16.0.0 255.255.0.0
  4 match http url .*
class-map type http loadbalance match-any restrict
  2 match http url /public.*
  4 match http url /downloads.*
Then use them in the load balance policy as follows:
policy-map type loadbalance first-match WEBSERVER_L7
  class ten
    sticky-serverfarm WEBSERVER_StickyGroup
  class seventeen
    sticky-serverfarm WEBSERVER_StickyGroup
  class restrict
    sticky-serverfarm WEBSERVER_StickyGroup
If you want to send outside users with other URLs to a sorry page, you would have a server in a serverfarm that would do that and use it in a class class-default at the bottom of the load balance policy. The matches in the load balance policy are top down, so order is important.
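To make the top-down first-match behaviour concrete, here is an added Python model of the policy above (example code, not ACE output and not from the original thread); "SORRY_FARM" and "TIGHT_POLICY" are assumed names, and ACE's "match http url" regexes are assumed to anchor at the start of the path.

```python
import ipaddress
import re

# Constructed model of the reply's 'policy-map type loadbalance first-match':
# (class name, source prefix or None, URL regex list, resulting action).
# SORRY_FARM is an assumed name for the sorry-page serverfarm the reply
# mentions; it does not appear in the original configuration.
POLICY = [
    ("ten",           "10.0.0.0/8",   [r".*"],                         "WEBSERVER_StickyGroup"),
    ("seventeen",     "17.16.0.0/16", [r".*"],                         "WEBSERVER_StickyGroup"),
    ("restrict",      None,           [r"/public.*", r"/downloads.*"],  "WEBSERVER_StickyGroup"),
    ("class-default", None,           [r".*"],                         "SORRY_FARM"),
]

# Same policy with the URL regexes tightened so paths such as '/publicity'
# no longer satisfy the prefix match (assumption: ACE anchors 'match http url'
# at the start of the path, modelled here with re.match).
TIGHT_POLICY = [
    POLICY[0], POLICY[1],
    ("restrict", None, [r"/public(/.*)?$", r"/downloads(/.*)?$"], "WEBSERVER_StickyGroup"),
    POLICY[3],
]


def class_matches(src_ip, url, prefix, url_regexes):
    """match-all on the source address (when present), match-any on the URL list."""
    if prefix is not None and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(prefix):
        return False
    return any(re.match(rx, url) for rx in url_regexes)


def evaluate(src_ip, url, policy=POLICY):
    """Walk the policy top down and return (class, action) for the first hit."""
    for name, prefix, regexes, action in policy:
        if class_matches(src_ip, url, prefix, regexes):
            return name, action
    return None, "no match (request dropped)"


if __name__ == "__main__":
    # Constructed sample requests: two internal clients and one external client.
    for ip, url in [("10.20.30.40", "/admin/config"), ("17.16.5.5", "/admin"),
                    ("203.0.113.7", "/public/index.html"), ("203.0.113.7", "/admin"),
                    ("203.0.113.7", "/publicity")]:
        print(f"{ip:>12} {url:<20} -> {evaluate(ip, url)}  tight: {evaluate(ip, url, TIGHT_POLICY)}")
```

Moving class-default to the top of the list sends every request to the sorry farm, which is the ordering mistake the reply warns about.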
08-24-2010 09:54 PM
As usual, your posts are informative, litrenta.