CSS11503 URL filtering

haver · ‎11-19-2003

Hi all,

I have a pair of redundant CSS11503 load-balancing two HTTP servers. I need to permit access to specific subset of URLs on those two HTTP servers to anybody on the Internet, while rest of the URLs should be allowed for specific range(s) of IP addresses.

- permit any to access /games/scores/*

- permit some/range to access /*

- deny the rest

I'm running a two-armed CSS setup, meaning a public VIP known by external users. Requests to the VIP are load-balanced on two internal/RFC1918 HTTP servers.

I'm running WebNS 7.20.

Anybody can shed some light into this issue?

Thanks,

haver

peucale · ‎11-19-2003

Hi,

the CSS is a 'communication enabling' device, not a 'communication forbidding' device. You can configure the CSS to distribute the load to different servers based on many different algorithms, but you cannot configure the CSS to deny request based on URLs/Source.

What the CSS can do is to deny requests from defined IP addresses. You have to use the ACL feature for this.

What I would do is to let the web servers decide what a user is allowed to see. This way you also can use advanced user authentication on the web servers.

Just let the CSS do what it is built for: distribute traffic.

-alex

Gilles Dufour · ‎11-19-2003

you could create 2 content rules with the same VIP address but different url:

ie:

owner mycompany

content web_all

vip 10.1.1.1

url "/*"

....

content web_restricted

vip 10.1.1.1

url "/games/scores/*"

...

Then create ACL like this

acl 1

clause 5 deny any destination content web_restricted

clause 10 permit any any destination content mycompany/web_all

The trick is to use 'content ' as the destination.

This is not complete but you should get the idea from this.

Regards,

Gilles.

haver · ‎11-20-2003

Thanks Gilles. I imagined this could be done this way.

// haver