
ACE url tampering and other security capabilities

Hi,

I was wondering if anyone knows whether it's possible with the ACE to secure administrative/backend URLs from the internet, i.e. https://x.company.com/IGGS/Admin? I would like to block access to this URL from the internet, for example. I have read the documentation, but it only mentions HTTP deep packet inspection and a lot of RFC stuff.

Regards

Tyrone

1 Reply

I can answer myself because I finally found a link to another post.

The following will restrict certain source addresses from accessing certain URLs via the ACE. I have tried this in one-armed mode, but it should work even with routed mode.

### Also important to note: when doing Layer-7 load balancing with SSL, the ACE will need to terminate the tunnel, otherwise all traffic passes the ACE encrypted. ###

class-map type http loadbalance match-all ten
  2 match source-address 10.0.0.0 255.0.0.0
  4 match http url .*

class-map type http loadbalance match-all seventeen
  2 match source-address 17.16.0.0 255.255.0.0
  4 match http url .*

class-map type http loadbalance match-any restrict
  2 match http url /public.*
  4 match http url /downloads.*

Then use them in the load balance policy as follows:

policy-map type loadbalance first-match WEBSERVER_L7
  class ten
    sticky-serverfarm WEBSERVER_StickyGroup
  class seventeen
    sticky-serverfarm WEBSERVER_StickyGroup
  class restrict
    sticky-serverfarm WEBSERVER_StickyGroup

If you want to send outside users with other URLs to a sorry page, you would have a server in a serverfarm that would do that and use it in a class class-default at the bottom of the load balance policy. The matches in the load balance policy are top-down, so order is important.
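
Added example (not part of the original post and not Cisco code): a Python model that replays the class-maps above in first-match order, so you can check which class a given source address and URL would land in before applying the policy. It assumes each URL pattern must match the whole path and that class-default is where the sorry serverfarm sits; the sample requests are constructed.

```python
import ipaddress
import re

# Class-maps transcribed from the reply above. Each entry is
# (name, mode, source networks, URL patterns); mode mirrors match-all / match-any.
CLASS_MAPS = [
    ("ten", "all", ["10.0.0.0/255.0.0.0"], [r".*"]),
    ("seventeen", "all", ["17.16.0.0/255.255.0.0"], [r".*"]),
    ("restrict", "any", [], [r"/public.*", r"/downloads.*"]),
]
DEFAULT_CLASS = "class-default"  # where the reply suggests placing the sorry serverfarm


def class_matches(mode, networks, patterns, src_ip, url):
    """Evaluate one class-map against a request's source address and URL."""
    addr = ipaddress.ip_address(src_ip)
    results = [addr in ipaddress.ip_network(n) for n in networks]
    # Assumption: a URL pattern must match the whole path, hence fullmatch.
    results += [re.fullmatch(p, url) is not None for p in patterns]
    return all(results) if mode == "all" else any(results)


def first_match(src_ip, url):
    """Walk the policy top-down and return the first class that matches."""
    for name, mode, networks, patterns in CLASS_MAPS:
        if class_matches(mode, networks, patterns, src_ip, url):
            return name
    return DEFAULT_CLASS


# Constructed sample requests: (source address, URL path).
SAMPLES = [
    ("10.1.2.3", "/IGGS/Admin"),             # internal range, any URL allowed
    ("17.16.9.9", "/IGGS/Admin"),            # second allowed range
    ("203.0.113.7", "/public/index.html"),   # outside, permitted prefix
    ("203.0.113.7", "/downloads/tool.zip"),  # outside, permitted prefix
    ("203.0.113.7", "/IGGS/Admin"),          # outside, admin URL -> sorry page
    ("203.0.113.7", "/publicadmin/login"),   # prefix pattern is wider than /public/
]

if __name__ == "__main__":
    for src, url in SAMPLES:
        print(f"{src:<14} {url:<22} -> {first_match(src, url)}")
```

The last sample shows that `/public.*` matches any path that merely starts with `/public`, so a tighter pattern such as `/public/.*` is worth considering if only that directory is meant to be reachable from outside.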
