04-10-2014 04:36 AM
I have a requirement where ACE has to forbid HTTP access to URLs containing the strings /admin/ or /console/. I believe I can match the traffic with the following class-map, but how do I act on it to forbid the access? Example configurations?
class-map type http loadbalance match-any Forbidden-admin-access
2 match http url /admin/.*
3 match http url /console/.*
04-10-2014 07:28 AM
Hi Sven,
ACE cannot send a response itself, but it can allow, drop or reset the connection based on L7 information, or you can make ACE forward the traffic to servers which can send those responses after the above condition is matched. But it can certainly "silently" drop or reset the connection as well. Pasting configuration below for your reference.
If you want to send a reset, then you would need to use 'inspect' as such:
class-map type http inspect match-all CM-INSPECT
2 match header Host header-value "private.example.com"
class-map match-all VIP_WWW
2 match virtual-address 10.86.178.167 tcp eq www
policy-map type inspect http all-match PM-INSPECT
class CM-INSPECT
reset
policy-map type loadbalance first-match WWW_SERVERS
class class-default
serverfarm SERVER_FARM
policy-map multi-match VIP
class VIP_WWW
loadbalance vip inservice
loadbalance policy WWW_SERVERS
inspect http policy PM-INSPECT
loadbalance vip icmp-reply
Now, if you would rather not send a RST, but just drop it, then you would use 'loadbalance' as such:
class-map type http loadbalance match-any CM-DROP
2 match http header Host header-value "private.example.com"
class-map match-all VIP_WWW
2 match virtual-address 10.86.178.167 tcp eq www
policy-map type loadbalance first-match WWW_SERVERS
class CM-DROP
drop
class class-default
serverfarm SERVER_FARM
policy-map multi-match VIP
class VIP_WWW
loadbalance vip inservice
loadbalance policy WWW_SERVERS
loadbalance vip icmp-reply
Regards,
Kanwal
04-29-2014 08:00 PM
Hi Kanwalsi,
I'm facing the same issue but with the following difference:
I'd like to permit everyone access to, e.g., www.abc.com but allow access to www.abc.com/admin only to specific IP addresses. Please let me know if you have any suggestion.
Regards
04-29-2014 08:30 PM
Hi,
You should have L7 class map statement like:
class-map type http inspect match-all CM-inspect
2 match url /admin
And then call this class-map under a policy map etc. as shown above and check if it works fine. The action should be either DROP or RESET depending on your preference.
Regards,
Kanwal
04-30-2014 12:31 PM
I guess it should work fine to drop requests for everybody, but the problem that I'm facing is:
- Everybody can access the URL "www.example.com" through VIP 70.10.10.11 to serverfarm EXAMPLE-80.
- but only the 2 addresses 23.22.21.2 /23 can access "www.example.com/admin" (same VIP and serverfarm) and requests from other source IP addresses are dropped.
Could you please be more specific in your suggestion.
Thanks.
05-01-2014 10:29 AM
Hi,
I am sorry but I didn't get your question here. Are you saying that everyone who comes to www.example.com is getting access but only two users are being dropped when they go to www.example.com/admin? Are all other users getting access to /admin too? Can you share the configuration in place?
Regards,
Kanwal
05-01-2014 02:17 PM
Hi,
In fact, no configuration has been made yet, and what I described is what I want to accomplish, meaning:
Everybody should be permitted to access www.example.com
But only 2 source ip addresses should be permitted to access www.example.com/admin. All requests coming from other IP addresses should be dropped for that specific url.
Regards.
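The thread stops before anyone posts a configuration for this last requirement. The following is an added example, not a configuration from any poster in this thread, that combines the URL matching from Sven's original question (/admin/ and /console/) with the source-address restriction asked for above. It assumes VIP 70.10.10.11 on port 80 and serverfarm EXAMPLE-80 as named in the thread, and it assumes the two permitted clients are 23.22.21.2 and 23.22.21.3 with host masks, because the thread only says "23.22.21.2 /23"; substitute your real addresses and masks. Lines beginning with "!" are annotations for the reader.

```text
! L7 class: any request for a restricted path, regardless of who sends it
class-map type http loadbalance match-any CM-RESTRICTED-URL
  2 match http url /admin/.*
  3 match http url /console/.*

! L7 class: the permitted admin clients (assumed addresses, host masks)
class-map type http loadbalance match-any CM-ADMIN-CLIENTS
  2 match source-address 23.22.21.2 255.255.255.255
  3 match source-address 23.22.21.3 255.255.255.255

! L7 class: restricted path AND permitted client (match-all, nested class maps)
class-map type http loadbalance match-all CM-ADMIN-FROM-ALLOWED
  2 match class-map CM-RESTRICTED-URL
  3 match class-map CM-ADMIN-CLIENTS

! L3/L4 class for the VIP
class-map match-all VIP-EXAMPLE-80
  2 match virtual-address 70.10.10.11 tcp eq www

! first-match stops at the first class that matches, so the order is:
!   1. restricted path from a permitted client  -> load balance normally
!   2. restricted path from anyone else         -> drop
!   3. everything else                          -> load balance normally
policy-map type loadbalance first-match PM-EXAMPLE-80
  class CM-ADMIN-FROM-ALLOWED
    serverfarm EXAMPLE-80
  class CM-RESTRICTED-URL
    drop
  class class-default
    serverfarm EXAMPLE-80

policy-map multi-match VIP
  class VIP-EXAMPLE-80
    loadbalance vip inservice
    loadbalance policy PM-EXAMPLE-80
    loadbalance vip icmp-reply
```

Three checks before relying on this. First, the class order inside the first-match policy is the whole control: if CM-RESTRICTED-URL with its drop action is listed before CM-ADMIN-FROM-ALLOWED, the permitted clients are dropped too, so confirm the order with show running-config after applying it. Second, the source address ACE sees must be the real client. If administrators reach the VIP through a forward proxy, NAT or another load balancer, ACE sees that device's address, and the allow-list either fails for everyone or, worse, admits everyone behind the intermediary; an X-Forwarded-For header is not a substitute, because a client can set it to anything. Third, the URL patterns only cover what they literally match: /admin/.* does not match /admin with no trailing slash, and a differently cased or percent-encoded path may or may not be normalised before matching depending on your ACE release, so test those variants against the VIP and check the command reference for your release for the exact behaviour of match http url and for support of match source-address and match class-map in Layer 7 loadbalance class maps.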