
Cisco ACE: SSL Termination + URL filtering

v.spirichev
Level 1

We have Cisco ACE 4710 Appliance.

You must implement two tasks:

1) SSL Termination - is implemented.

2) URL Filtering

The URL of the service for which SSL termination is implemented is https://www.test.com (internal address http://192.168.1.250).

We need to allow access only to the addresses https://www.test.com/index.html and https://www.test.com/docs/index.php.

All other locations, for example https://www.test.com/admin/, are to be blocked.

How can this scheme be implemented?

I would be very grateful for any help.

2 Replies

sivaksiv
Cisco Employee

Hi,

Here is a sample config. Traffic matching 192.168.1.250:443 will be SSL offloaded and then will be loadbalanced using rservers in serverfarm "APP1-SFARM" if the request includes "/index" or "/docs".

    ssl-proxy service APP1-SSL-PROXY
      key default-key.pem
      cert default-cert.pem

    class-map match-all APP1-443-VIP
      2 match virtual-address 192.168.1.250 tcp eq https

    class-map type http loadbalance match-any APP1-URLMAP
      2 match http url /index/.*
      3 match http url /docs/.*

    policy-map type loadbalance first-match APP1-Policy
      class APP1-URLMAP
        serverfarm APP1-SFARM

    policy-map multi-match VIPS-VLAN79
      class APP1-443-VIP
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        loadbalance policy APP1-Policy
        ssl-proxy server APP1-SSL-PROXY

As you can see, traffic will be SSL offloaded and then will be loadbalanced using rservers in serverfarm "APP1-SFARM" if the request includes "/index", and you can use another L7 class-map to block the URL /admin and direct the requests to a dummy / redirect server farm that responds with 404.

Sample config URL filtering:

http://docwiki.cisco.com/wiki/URL_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example

SSL termination:

http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example

Hope this helps!!!

-

Siva
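The filtering requirement from the question can be checked offline before a rule set is deployed. The following is an added example, not part of the original posts and not ACE code: a Python model of a first-match URL filter with default deny. It assumes patterns are anchored to the whole request path; the names `canonical_path`, `decide` and `audit` and the test paths are constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Requirement from the question: only these two paths may reach the server farm.
REQUIRED = ["/index.html", "/docs/index.php"]
# Constructed test paths that must never reach the server farm.
MUST_BLOCK = ["/admin/", "/docs/../admin/", "/docs/%2e%2e/admin/", "/docs/other.php"]

# Candidate rule sets, written as regexes anchored to the whole path
# (assumption: this models a filter that matches the full URL path).
SAMPLE_RULES = [r"/index/.*", r"/docs/.*"]            # patterns as in the sample config
EXACT_RULES = [r"/index\.html", r"/docs/index\.php"]  # one pattern per allowed page


def canonical_path(url):
    """Decode percent-escapes and collapse dot-segments before matching."""
    path = unquote(urlsplit(url).path) or "/"
    clean = normpath(path)
    # normpath drops a trailing slash; keep it so /admin/ stays a directory.
    if path.endswith("/") and clean != "/":
        clean += "/"
    return clean


def decide(url, rules):
    """First match wins; anything that matches no rule is dropped (default deny)."""
    path = canonical_path(url)
    for rule in rules:
        if re.fullmatch(rule, path):
            return "serverfarm"
    return "drop"


def audit(rules):
    """Return (required URLs that are dropped, forbidden URLs that are served)."""
    missed = [u for u in REQUIRED if decide(u, rules) == "drop"]
    leaked = [u for u in MUST_BLOCK if decide(u, rules) == "serverfarm"]
    return missed, leaked


if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("exact", EXACT_RULES)):
        print(name, audit(rules))
```

Both lists returned by `audit` should be empty for a rule set that meets the requirement under this model.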

Giorgio Romano
Level 1

Hello to Everyone,

I have the same problem.

I have to do "Host http-header" filtering on an SSL connection to choose the correct serverfarm destination.

Do I need to implement SSL termination on the ACE in order to do "Host http-header" filtering?

Thank you

GR