CSM-S and URL filtering.

andrea.meconi
Level 2

Hello.

I'm using a CSM-S with software version 2.1(10).

I'm looking for an example to filter some connections using a combination of IP source addresses and URL and redirect these to a dummy server farm.

Many thanks.

Regards.

Andrea


Daniel Arrondo Ostiz
Cisco Employee

Hi Andrea,

I don't think there is a configuration example exactly for that, but I would recommend you have a look at the link below. It provides some configuration examples for different setups.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/cfgxpls.html

If you combine the examples "Configuring Load-Balancing Decisions Based on the Source IP Address", "Configuring Layer 7 Load Balancing" and "Configuring HTTP Redirect", you should get to what you are trying to achieve.

If you have specific questions about these examples, just let me know and I'll try to answer them.

Regards

Daniel

Hello Daniel and many thanks for your help.

I'm reading the configuration examples. I understand that I need to use a policy, removing the default policy. Really, I need to permit one URL to some source addresses and deny it for all others!

Now, we are using a simple configuration with one virtual server and two reals.

vserver WWW
  virtual 192.168.150.143 tcp www
  serverfarm WWW
serverfarm WWW
  nat server
  nat client pool A
  real name XXXX
   inservice
  real name YYYY
   inservice

This virtual server offers more than one web service: a.domain.com, b.domain.com, c.domain.com.

Using policies I need to permit access to URL a.domain.com/test to some sources only. All other hosts and URLs are always permitted.

Regards.

Andrea

Hi Andrea,

You can still leave the default policy; it will be used for all those connections not matching any other. For those in which you need specific L7 processing (like matching a URL and an ACL), you will have to configure policies.

Regards

Daniel

Hello Daniel.

What do you think about my configuration? Only the host with IP 10.0.0.10 can access the tests pages.

Thanks.

Regards.

Andrea

!
access-list 11 remark Permit access to URL
access-list 11 permit host 10.0.0.10
!
access-list 12 remark Deny access to URL
access-list 12 deny any log
!
map VLAVORO-HDR-MAP-1 header
  match protocol http header Host header-value www.mydomain.com
!
map VLAVORO-URL-MAP-1 url
  match protocol http url /tests/*
!
serverfarm VLAVORO-DUMMY
  nat server
  real name XXXXXXX-1
   inservice
!
policy VLAVORO-URL-1
  client-group 11
  url-map VLAVORO-URL-MAP-1
  header-map VLAVORO-HDR-MAP-1
  serverfarm VLAVORO
!
policy VLAVORO-URL-2
  client-group 12
  url-map VLAVORO-URL-MAP-1
  header-map VLAVORO-HDR-MAP-1
  serverfarm VLAVORO-DUMMY
!
vserver VLAVORO-WWW
  no inservice
  slb-policy VLAVORO-URL-1
  slb-policy VLAVORO-URL-2
  serverfarm VLAVORO
  inservice
!

Hi Andrea,

The "VLAVORO-URL-2" policy is useless. Since the client group is associated with a deny all ACL, it will never be matched.

With this configuration, connections will either match the "VLAVORO-URL-1" policy (if they meet the requirements) or be load balanced using the default serverfarm (the one configured under VLAVORO-WWW).

Regards

Daniel

Hello Daniel and many thanks for your comments.

Sorry but I'm not able to find any other ideas to solve this problem.

Regards.

Andrea

Hi Andrea,

The problem is I don't really understand what your requirements are. If you just want to allow what matches "VLAVORO-URL-1" and block all the rest, then it would be enough to remove the serverfarm from under the vserver.

If you need a more specific scenario, please explain your exact needs and I will try to help.

Daniel

Hi Daniel.

This is my configuration...

vserver WWW
  virtual 192.168.150.143 tcp www
  serverfarm WWW
serverfarm WWW
  nat server
  nat client pool A
  real name XXXX
   inservice
  real name YYYY
   inservice

This vserver offers more web services: a.domain.com, b.domain.com, c.domain.com.

I need to permit access to URL a.domain.com/tests to some hosts: to do this I define the policy VLAVORO-URL-1. Then I need to deny access to the same URL for all others.

Finally, for all other URLs, use the default.

Many thanks.

Regards.

Andrea

Hi Andrea,

In that case, the configuration to be used would be the one below:

policy VLAVORO-permit
  client-group 11
  url-map VLAVORO-URL-MAP-1
  header-map VLAVORO-HDR-MAP-1
  serverfarm VLAVORO
!
policy VLAVORO-deny
  url-map VLAVORO-URL-MAP-1
  header-map VLAVORO-HDR-MAP-1
!
vserver VLAVORO-WWW
  no inservice
  slb-policy VLAVORO-permit
  slb-policy VLAVORO-deny
  serverfarm VLAVORO
  inservice

Since the VLAVORO-deny policy doesn't include a serverfarm, any connections matching it (the ones matching the URL but not the ACL) will be dropped.

It could be a good idea to add a client group with the inverse of ACL 11 to make the "VLAVORO-permit" and "VLAVORO-deny" policies mutually exclusive, but this is not mandatory because the CSM will process policies in the order they are configured.

I hope this helps

Daniel
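
The policy evaluation discussed in this thread, as a small Python model added here (not part of the original posts and not CSM code). It assumes what the replies state: policies are tried in configured order, a client group tied to a deny-only ACL never matches, a matching policy without a serverfarm drops the connection, and unmatched traffic goes to the vserver's default serverfarm. ACL and map values come from the posted configurations; the client address 10.0.0.99 is constructed.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Values copied from the configurations posted in the thread.
ACLS = {
    11: [("permit", "10.0.0.10/32")],   # access-list 11 permit host 10.0.0.10
    12: [("deny", "0.0.0.0/0")],        # access-list 12 deny any
}
URL_MAP = "/tests/*"                    # VLAVORO-URL-MAP-1
HOST = "www.mydomain.com"               # VLAVORO-HDR-MAP-1

def acl_permits(acl_id, src):
    """First matching ACL entry decides; no match means implicit deny."""
    for action, net in ACLS[acl_id]:
        if ip_address(src) in ip_network(net):
            return action == "permit"
    return False

def policy_matches(policy, src, host, url):
    """A policy matches only if its client group (if any) and both maps match."""
    group = policy.get("client_group")
    if group is not None and not acl_permits(group, src):
        return False
    return host == HOST and fnmatchcase(url, URL_MAP)

def decide(policies, default_farm, src, host, url):
    """Return the serverfarm chosen, or 'DROP' for a policy with no farm."""
    for policy in policies:
        if policy_matches(policy, src, host, url):
            return policy.get("serverfarm") or "DROP"
    return default_farm                 # no policy matched

# Andrea's first attempt: the second policy can never match (deny-only ACL).
ORIGINAL = [
    {"name": "VLAVORO-URL-1", "client_group": 11, "serverfarm": "VLAVORO"},
    {"name": "VLAVORO-URL-2", "client_group": 12, "serverfarm": "VLAVORO-DUMMY"},
]
# Configuration from the reply above: the deny policy has no serverfarm.
ACCEPTED = [
    {"name": "VLAVORO-permit", "client_group": 11, "serverfarm": "VLAVORO"},
    {"name": "VLAVORO-deny"},
]

def audit(policies):
    """Decisions for: allowed client, other client on /tests, other URL."""
    cases = [("10.0.0.10", "/tests/a"), ("10.0.0.99", "/tests/a"),
             ("10.0.0.99", "/index.html")]
    return [decide(policies, "VLAVORO", src, HOST, url) for src, url in cases]
```

Under these assumptions the first attempt sends every case to VLAVORO, so the restricted URL stays reachable from any source through the default serverfarm, while the configuration in the reply drops the non-listed client on /tests/* only.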

Hi Daniel and many thanks again.

Reading the configuration guide I understand that I must associate a server farm with a policy. Because I need to drop connections, I simply don't associate a farm.

Regards.

Andrea

Hi Andrea,

Yes, if you don't associate a serverfarm with a policy, anything matching it will just be dropped.

Daniel

Many many thanks Daniel.

Regards.

Andrea