06-10-2008 03:33 AM
Hi there,
I have 2 servers load-balanced using SSL. I have a few URLs which I would like to exclude from the SSL:
/view/avac_message.cfm?denied=safeSurfOn
/view/avac_message.cfm?denied=illegal
/view/avac_message.cfm?denied=blacklist
The content switch seems to have an issue with special characters like . ? =
I have tried encapsulating them in [.] but it still comes up as invalid.
General idea is as follows:
1. Class Map to match the URL
(config)# class-map type http inspect HTTP_URLCHECK_L7CLASS
host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]denied=safeSurfOn
host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]denied=illegal
host1/Admin(config-cmap-http-insp)# match url *avac_message[.]cfm[?]blacklist
2. Layer 7 Policy Map to apply the match
host1/Admin(config)# policy-map type inspect http all-match L7_FILTERHTML_POLICY
host1/Admin(config-pmap-ins-http)# class L7_HTML_ALLOW_CLASS
host1/Admin(config-pmap-ins-http-c)# permit log
host1/Admin(config-pmap-ins-http-c)# exit
3. Layer 3 and 4 Policy Map to activate the traffic classifications
host1/Admin(config)# policy-map multi-match L4_FILTER_POLICY
host1/Admin(config-pmap)# class L4_MATCH_HTTP_URL_CLASS
host1/Admin(config-pmap-c)# inspect http policy L7_FILTERHTML_POLICY
host1/Admin(config-pmap-c)# exit
host1/Admin(config-pmap)# exit
host1/Admin(config)#
Can anyone advise a workaround to apply these url statements please?
Thanks
06-10-2008 08:36 AM
Hi,
To escape special characters that have another meaning in a regular expression you need to put a backslash before them - e.g. \. \?
HTH
Cathy
06-10-2008 11:44 AM
Hi
The '?' has a special meaning in the URL. It means the end of the main URL and the beginning of the URL query.
It's not possible to match ? in the URL.
One option could be using secondary cookie matching in ACE.
class-map type http loadbalance match-any xyz
  2 match http cookie secondary denied cookie-value safeSurfOn
Thanks
Syed
06-10-2008 03:20 PM
Very good comment and suggestion Syed.
I just want to add that I tested this suggested config and it works perfectly.
Gilles.
06-12-2008 02:34 AM
Problem solved, I used the below syntax and the ACE accepted this. Just need to test now
class-map type http inspect match-any HTTP_URLCHECK_L7CLASS
  100 match url .*denied=safeSurfOn
  200 match url .*denied=illegal
  300 match url .*denied=blacklist
  400 match url .*logo.jpg
Big thanks to all who responded !!!!
06-12-2008 09:44 AM
I think it won't work.
As I said earlier, the URL ends at the ? delimiter.
Anyway, try it and let me know.
Syed Iftekhar Ahmed
06-12-2008 05:16 PM
OK, not to confuse the issue, but I have applied the config below and I cannot seem to get the URL match policy to allow traffic to pass as HTTP while forcing all other traffic to redirect to HTTPS.
Can anyone tell me what I am doing wrong here please?
rserver host Server01
  description Primary Server
  ip address 10.x.x.1
  conn-limit max 2000000 min 1500000
  inservice
rserver host Server02
  description Secondary Server
  ip address 10.x.x.2
  conn-limit max 2000000 min 1500000
  inservice
rserver redirect Server_Redirect
  webhost-redirection https://www.mysite.ie
  inservice
serverfarm host ServerAuth
  rserver Server01 3807
    inservice
  rserver Server02 3807
    inservice
serverfarm redirect ServerHTTP_Redirect
  rserver Server_Redirect
    inservice
serverfarm host ServerServers
  rserver Server01 80
    inservice
  rserver Server02 80
    inservice
sticky http-cookie server-cookie Server_Cookie_Sticky_Group
  cookie insert
  timeout 21
  serverfarm MyServers
class-map type http inspect match-any HTTP_URLCHECK_L7CLASS
  100 match url .*denied=safeSurfOn
  200 match url .*denied=illegal
  300 match url .*denied=blacklist
  400 match url .*logo.jpg
class-map match-any L4_Server_Auth
  description match traffic for Authentication
  2 match virtual-address 10.103.3.9 tcp eq 3807
class-map match-any L4_Server_HTTP
  description match traffic for VIP and HTTP Traffic
  2 match virtual-address 10.103.3.9 tcp eq www
class-map match-any L4_Server_HTTPS
  description match traffic for VIP and HTTPS Traffic
  2 match virtual-address 10.x.x.99 tcp eq https
class-map type http loadbalance match-any L7_Server_URL
  2 match http url .*
policy-map type loadbalance first-match L7_Server_LBPolicy
  description Server Layer 7 Load Balancing Policy
  class L7_Server_URL
    sticky-serverfarm Server_Cookie_Sticky_Group
policy-map type loadbalance first-match L7_Server_LBPolicy_Auth
  class L7_Server_URL
    serverfarm ServerAuth
policy-map type loadbalance first-match L7_Server_LBPolicy_HTTP
  class L7_Server_URL
    serverfarm ServerHTTP_Redirect
policy-map type inspect http all-match L7_URLCHECK_POLICY
  class HTTP_URLCHECK_L7CLASS
    permit
policy-map multi-match L4_FILTER_POLICY
  description L$ Server URL AVAC CHECK
  class L4_Server_HTTP
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    inspect http policy L7_URLCHECK_POLICY
policy-map multi-match L4_Server_LBPolicy
  description L4 Server Load-Balancing Policy
  class L4_Server_HTTP
    loadbalance vip inservice
    loadbalance policy L7_Server_LBPolicy_HTTP
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
  class L4_Server_HTTPS
    loadbalance vip inservice
    loadbalance policy L7_Server_LBPolicy
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    ssl-proxy server SSL_Server_Server
  class L4_Server_Auth
    loadbalance vip inservice
    loadbalance policy L7_Server_LBPolicy_Auth
    loadbalance vip icmp-reply
    loadbalance vip advertise active
interface vlan 291
  service-policy input L4_Server_LBPolicy
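The two points the thread turns on, Syed's note that a URL match stops at the ? delimiter, and the config above that tries to keep the "denied=" pages on plain HTTP while redirecting everything else to HTTPS, can be simulated outside the box. The script below is an added example, not from the thread or from Cisco: it models a load balancer whose match url regexes see only the path (behaviour assumed from Syed's description; unanchored regex search is also an assumption), models the cookie-secondary approach as a query-parameter match, and applies the "exception pages stay on HTTP, the rest redirect" policy. The rule strings are the ones posted in the thread; the request targets are constructed samples.

```python
"""Constructed example (not from the thread or Cisco): evaluate the thread's
`match url` rules against the request path only, versus matching the query
string the way `match http cookie secondary` does, then apply the intended
HTTP-exception / HTTPS-redirect policy."""
import re
from urllib.parse import parse_qs, urlsplit

# `match url` rules exactly as posted in the thread (assumed: regex, unanchored search).
URL_RULES = [
    r".*denied=safeSurfOn",
    r".*denied=illegal",
    r".*denied=blacklist",
    r".*logo.jpg",
]

# Stand-in for the `match http cookie secondary` rules: parameter name -> accepted values.
QUERY_RULES = {"denied": {"safeSurfOn", "illegal", "blacklist"}}


def split_target(target: str):
    """Split a request-target into the path (what a path-only `match url`
    sees) and the parsed query string (what a secondary-cookie match sees)."""
    parts = urlsplit(target)
    return parts.path, parse_qs(parts.query)


def url_rules_match(target: str) -> bool:
    """True if any `match url` regex matches the path portion only; the text
    after '?' is never examined, which is why the posted rules cannot hit."""
    path, _query = split_target(target)
    return any(re.search(rule, path) for rule in URL_RULES)


def query_rules_match(target: str) -> bool:
    """True if a query parameter carries one of the listed values."""
    _path, query = split_target(target)
    return any(
        value in allowed
        for name, allowed in QUERY_RULES.items()
        for value in query.get(name, [])
    )


def decide(target: str, scheme: str) -> str:
    """Policy the thread is trying to build: exception pages stay on plain
    HTTP ('serve'); every other request on port 80 is sent to HTTPS ('redirect')."""
    if scheme == "https":
        return "serve"
    return "serve" if query_rules_match(target) else "redirect"


def evaluate(requests):
    """Return {target: (url_rule_hit, query_rule_hit, decision)} for
    (scheme, target) pairs, so the two matching styles can be compared."""
    return {
        target: (url_rules_match(target), query_rules_match(target), decide(target, scheme))
        for scheme, target in requests
    }


SAMPLE_REQUESTS = [  # constructed request-targets
    ("http", "/view/avac_message.cfm?denied=safeSurfOn"),
    ("http", "/view/avac_message.cfm?denied=other"),
    ("http", "/images/logo.jpg"),
    ("http", "/images/logoXjpg"),  # the unescaped '.' in .*logo.jpg matches any character
    ("https", "/account/home.cfm"),
]

if __name__ == "__main__":
    for target, (url_hit, query_hit, decision) in evaluate(SAMPLE_REQUESTS).items():
        print(f"{target:45} url_rule={url_hit!s:5} query_rule={query_hit!s:5} -> {decision}")
```

Run it and the first sample shows the split: the path-only `match url` rule misses /view/avac_message.cfm?denied=safeSurfOn, while the query-parameter match hits it and the request is served on HTTP. The logoXjpg sample is Cathy's escaping point in action: an unescaped dot in `.*logo.jpg` also matches names that are not the logo, so a rule meant to carve one file out of the HTTPS redirect is wider than intended unless the dot is written as \.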
09-11-2012 07:11 AM
Thank you for the nice solution. I just want to add to your post that multiple "match http cookie secondary" statements are possible under the same class-map. The match-all keyword can be used for more granular class-map matching.
Lubomir