11-19-2003 01:13 AM
Hi all,
I have a pair of redundant CSS11503s load-balancing two HTTP servers. I need to permit access to a specific subset of URLs on those two HTTP servers to anybody on the Internet, while the rest of the URLs should be allowed for specific range(s) of IP addresses.
- permit any to access /games/scores/*
- permit some/range to access /*
- deny the rest
I'm running a two-armed CSS setup, meaning a public VIP known by external users. Requests to the VIP are load-balanced on two internal/RFC1918 HTTP servers.
I'm running WebNS 7.20.
Can anybody shed some light on this issue?
Thanks,
haver
11-19-2003 03:06 AM
Hi,
The CSS is a 'communication enabling' device, not a 'communication forbidding' device. You can configure the CSS to distribute the load to different servers based on many different algorithms, but you cannot configure the CSS to deny requests based on URLs/Source.
What the CSS can do is to deny requests from defined IP addresses. You have to use the ACL feature for this.
What I would do is to let the web servers decide what a user is allowed to see. This way you also can use advanced user authentication on the web servers.
Just let the CSS do what it is built for: distribute traffic.
-alex
11-19-2003 06:42 AM
You could create 2 content rules with the same VIP address but different URLs, i.e.:
owner mycompany
  content web_all
    vip 10.1.1.1
    url "/*"
    ....
  content web_restricted
    vip 10.1.1.1
    url "/games/scores/*"
    ...
Then create an ACL like this:
acl 1
  clause 5 deny any
  clause 10 permit any any destination content mycompany/web_all
The trick is to use 'content
This is not complete but you should get the idea from this.
Regards,
Gilles.
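A small Python model of the policy requested in the first post, using the two content rule names from the reply above (an added example, not part of the original thread and not CSS/WebNS configuration). The trusted range, the clause numbers and the matching behaviour (most specific URL wins, first matching clause wins) are assumptions made for the model.

```python
import ipaddress
import posixpath

# Constructed placeholder: the thread never states the trusted range.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]

# Content rules as named in the post: same VIP, different URL patterns.
CONTENT_RULES = {
    "mycompany/web_all": "/*",
    "mycompany/web_restricted": "/games/scores/*",
}

# Hypothetical clauses for the policy in the first post:
# (number, action, sources, content). None means "any".
# Assumed: lowest number first, first match wins.
ACL = [
    (10, "permit", None, "mycompany/web_restricted"),
    (20, "permit", TRUSTED, "mycompany/web_all"),
    (30, "deny", None, None),
]

def normalize(path):
    """Collapse dot segments so they cannot change which rule a path matches."""
    norm = posixpath.normpath(path)
    return norm + "/" if path.endswith("/") and norm != "/" else norm

def match_content_rule(path):
    """Pick the rule with the longest matching URL prefix (assumed behaviour)."""
    path = normalize(path)
    hits = [(len(p), name) for name, p in CONTENT_RULES.items()
            if path.startswith(p.rstrip("*"))]
    return max(hits)[1] if hits else None

def decide(src_ip, path):
    """Return 'permit' or 'deny' for one request under the modelled ACL."""
    addr = ipaddress.ip_address(src_ip)
    rule = match_content_rule(path)
    for _, action, sources, content in sorted(ACL, key=lambda c: c[0]):
        src_ok = sources is None or any(addr in net for net in sources)
        dst_ok = content is None or content == rule
        if src_ok and dst_ok:
            return action
    return "deny"  # nothing matched

if __name__ == "__main__":
    # Constructed sample requests
    for ip, url in [("203.0.113.9", "/games/scores/today.html"),
                    ("203.0.113.9", "/admin/index.html"),
                    ("192.0.2.10", "/admin/index.html")]:
        print(ip, url, decide(ip, url))
```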
11-20-2003 12:52 AM
Thanks Gilles. I imagined this could be done this way.
// haver