topic CSS 11500 source based access lists in Application Networking

CSS 11500 source based access lists

andrew-kearton — Mon, 28 May 2007 04:49:10 GMT

Hi, hope somebody can advise me on this request I have had from our server group.

We have the following setup:

Firewall <--VLAN2--> CSS <--VLAN1--> APPSERVER

The CSS is doing SSL termination for the domain www.abc.com. It then passes on the actual request via http to the application server (APPSERVER).

There is also a cleartext content rule and service, so if someone browses to http://www.abc.com they will be automatically redirected to https://www.abc.com/

What I would like to achieve, is some sort of ACL restriction based on the virtual directory the user is trying to browse to:

i.e only specific IP addresses can access the URL

https://www.abc.com/xyz

but any IP address can access the URLs

https://www.abc.com/* (with the exception of the above address)

Is this possible using a CSS? They are currently restricting access at the application server but wish to move it to a hardware solution if possible.

Thanks,

Andrew

Re: CSS 11500 source based access lists

Gilles Dufour — Mon, 28 May 2007 15:59:48 GMT

first, you need to create 2 separate rules to catch the corresponding directories.

ie:

content xyz

vip x.x.x.x

proto tcp

port 80

url "/xyz/*"

add service ...

active

content all

vip x.x.x.x

proto tcp

port 80

url "/*"

add service ...

active

Then you need create some acl to permit the traffic you want

acl 1

clause 10 permit any destination content owner/xyz prefer

clause 30 permit any any destination content owner/xyz

clause 99 permit any any destination any

apply all

The clause 10 tells the CSS to forward traffic from sent to page xyz to use server which can be a redirect service to a page that explains that the site is not allowed.

Gilles.

Re: CSS 11500 source based access lists

andrew-kearton — Fri, 13 Jul 2007 05:49:22 GMT

I have finally been allowed to attempt to implement the above changes, but am having trouble with matching the content rules for the directories. I am using a single CSS to terminate SSL, redirect http, and backend to an apps server, all on a single VIP using different TCP ports. I have had a number of problems trying to implement this, revolving around the ACL's. I have gone for a "back-to-basics" approach with the config, and my testing is showing that even though I am explicitly matching the content rule "mysystem/mysystem_mycompany_com" in the ACL, it is not being logged.

The relevant config is attached, as is the result of a "show acl"

Any help appreciated!

Re: CSS 11500 source based access lists

andrew-kearton — Fri, 13 Jul 2007 05:53:25 GMT

Config and "show acl" attached.

Re: CSS 11500 source based access lists

andrew-kearton — Fri, 13 Jul 2007 05:56:08 GMT

I realise I didn't include the layout of this system. It is:

INTERNET

Firewall <--INTERNETDMZ--> CSS

Firewall <--MIDDLEWAREDMZ--> APPSERVER

Re: CSS 11500 source based access lists

hostmaster — Sun, 15 Jul 2007 04:23:20 GMT

You don't need every rule to be L5 w/ url "/*". A L4 rule (vip & proto/port) will suffice to cover all traffic that doesn't match a more specific rule.

I'd suggest using a urql list for your private directories so that you can use a single rule to cover many url's.

Example:

urql privateurls

description "Private URLs -- not to be used from the Internet"

active

url 10

url 10 url "/directory1"

url 20

url 20 url "/directory2"

You'll add a statement in the rule that's like "url urql privateurls". If you're after matching on file extensions, then you'd use an eql list with 'url "/*" eql eqllistname'.

I'm not sure why your have that last ACL that permits everything. Sort of defeats the purpose of having the ACLs in the first place.

You should have one ACL that does 'permit any nql privatenets dest content owner/privateurqlrule' then another one that does a deny to everyone else on the same rule fto block access to the private urls.

Follow this up with an ACL that permits what traffic you're going to allow through from the Internet. I use a generic 'permit tcp any destination VIP-range/length eq http' and another one eq https.

Re: CSS 11500 source based access lists

andrew-kearton — Mon, 16 Jul 2007 00:00:50 GMT

Thanks for responding.

When I started my config, I originally had a list where the first clause allowed an NQL access to a secure directory, the second clause denied access to a secure directory for anyone, and the third clause allowed any source address to access anything, i.e:

acl 10

clause 10 permit any nql "securesite_allowed" destination content mysystem/mysystem_securesite

clause 30 deny any any destination content mysystem/mysystem_securesite prefer unauthorized_securesite

clause 99 permit any any destination any

My understanding is that as an ACL is matched top-down, the secure directory would only be accessible to those in the NQL as they would match clause 10, then any other attempts to that site would be denied by clause 30 and they would be redirected to the service unauthorized_securesite.

Then all other traffic to all other sites would be allowed by the final clause 99.

This ACL didn't work, and I didn't see any matches for either clause 10 or 30, only matches on clause 99.

To troubleshoot this, I configured the ACL as shown in the config I provided. The purpose of the ACL was to not achieve anything except log a hit to a particular content rule (website).

The main issue is that my explicit allow for all users to the content rule "mysystem/mysystem_mycompany_com" in the ACL is not getting logged as a hit.

Hope this is clearer.