03-14-2007 08:25 PM
Hi All,
I have a scenario where external users can access a URL called http://www.sm.com but at the same time they cannot access http://www.sm.com/admin.
Internal users can access any URL.
I am thinking of assigning 2 different VIPs and not opening the firewall for the VIP that belongs to the admin page. I have the following config:
service smweb01-80
  port 80
  keepalive frequency 10
  ip address 10.20.20.11
  keepalive type http
  keepalive port 80
  active
service smweb02-80
  port 80
  keepalive frequency 10
  keepalive type http
  keepalive port 80
  ip address 10.20.20.12
  active
content sm.com
  vip address 10.10.16.22
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 80
  active
content sm.com-admin
  vip address 10.10.16.23
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 80
  url "/admin/*"
  active
Will this work? I want to make sure that I am on the right track.
thanks,
03-14-2007 09:26 PM
I realized that the above config will not work. DNS cannot resolve a single URL to 2 different VIPs.
Is it possible to redirect to a dummy page based on the source IP? If the source IP is from the internal network, I would like to allow access to the admin page. If not, redirect them to a dummy page.
03-15-2007 12:46 AM
An ACL on the CSS can be used to select a particular service from a content rule based on source IP:
acl 1
  clause 20 permit any
03-15-2007 01:37 AM
You should do something like this:
service unauthorized
  ip x.x.x.x
  port 80
  active
  vip address 10.10.16.22
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 80
  url "/*"
  active
content sm.com-admin
  vip address 10.10.16.22
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 80
  url "/admin/*"
  active
acl 1
  clause 10 permit any
  clause 20 permit any any destination content
  clause 99 permit any any destination any
  apply all
Where service unauthorized would be a server with a page displaying an error message.
This could also be a redirect to a url like
Gilles.
06-05-2007 07:20 PM
Gilles,
The ACL works only when it is http. For example, when external users enter http://www.sm.com/portal/admin, they get redirected to the service which has the redirect string https://www.sm.com/portal. But if external users enter https://www.sm.com/portal/admin, they get to the correct page since the redirect service I have gets hit only when it is http.
06-06-2007 01:38 AM
For HTTPS, the CSS does not see the URL as it is encrypted. You can use an SSL module to decrypt the traffic if you have the server key and certificate, and then apply the same rule for HTTP and HTTPS.
Otherwise, for HTTPS, you can only load balance without knowing where the browser is going.
Gilles.
06-06-2007 02:10 AM
The traffic gets decrypted by the SSL module since the server listens only on port 80. But when the traffic is HTTPS, I do not have any redirect service and all I have is a generic content rule that serves the main page as well as the directories. Here is my config:
service redirect-sm
  type redirect
  keepalive type none
  ip address 1.1.1.1
  no prepend-http
  domain https://www.sm.com
  active
service redirect-portal
  type redirect
  keepalive type none
  ip address 1.1.1.1
  no prepend-http
  redirect-string "https://www.sm.com/portal"
  active
service redirect-portal-admin
  type redirect
  keepalive type none
  ip address 2.2.2.2
  no prepend-http
  redirect-string "https://www.sm.com/portal/admin"
  active
content sm-portal-admin-redirect
  add service redirect-portal-admin
  vip address 10.10.16.22
  protocol tcp
  port 80
  url "/portal/admin"
  active
content sm-portal-redirect
  add service redirect-portal
  vip address 10.10.16.22
  protocol tcp
  port 80
  url "/portal"
  active
content sm-redirect
  add service redirect-sm
  vip address 10.10.16.22
  protocol tcp
  port 80
  url "/*"
  active
content www.sm.com-decrypt
  vip address 10.10.16.22
  add service smweb01-80
  add service smweb02-80
  protocol tcp
  port 81
  active
content ssl-sm
  add service ssl_serv1
  port 443
  protocol tcp
  vip address 10.10.16.22
  application ssl
  active
acl 1
  clause 10 permit any 10.0.0.0 255.0.0.0 destination content secure-msg/sm-portal-admin-redirect
  clause 20 permit any any destination content secure-msg/sm-portal-admin-redirect prefer redirect-portal
  clause 99 permit any any destination any
  apply all
06-06-2007 08:06 PM
I think I got the idea. I need to make the decrypt content rule a layer 5 rule checking for the specific URL.
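As an added illustration (not from this thread or from Cisco), the model below reproduces the content-rule and ACL selection of the config posted above in Python and shows why decrypted HTTPS on port 81 bypasses the admin redirect, then adds an assumed layer 5 rule on the decrypt port plus matching ACL clauses to close the gap. Rule names, the 10.0.0.0/8 internal network and the "www.sm.com-decrypt-admin" rule are taken or assumed from the thread; the owner prefix "secure-msg/" is omitted.

```python
import ipaddress

# Constructed model of the poster's content rules: (name, VIP port, url pattern or
# None for a layer 3/4 rule, default service). Not CSS syntax, an illustration only.
RULES = [
    ("sm-portal-admin-redirect", 80, "/portal/admin", "redirect-portal-admin"),
    ("sm-portal-redirect",       80, "/portal",       "redirect-portal"),
    ("sm-redirect",              80, "/*",            "redirect-sm"),
    ("www.sm.com-decrypt",       81, None,            "smweb01-80"),  # decrypted HTTPS
]
# Assumed fix from the last post: a layer 5 rule on the decrypt port for the admin path.
RULES_FIXED = RULES + [("www.sm.com-decrypt-admin", 81, "/portal/admin", "smweb01-80")]

# ACL clauses in order: (source network, destination content name or None, prefer service)
ACL = [
    ("10.0.0.0/8", "sm-portal-admin-redirect", None),               # clause 10: internal
    ("0.0.0.0/0",  "sm-portal-admin-redirect", "redirect-portal"),  # clause 20: external
    ("0.0.0.0/0",  None,                       None),               # clause 99: permit any
]
# Assumed extra clauses so the decrypted path gets the same source-IP treatment.
ACL_FIXED = [
    ("10.0.0.0/8", "www.sm.com-decrypt-admin", None),
    ("0.0.0.0/0",  "www.sm.com-decrypt-admin", "redirect-portal"),
] + ACL

def url_matches(pattern, path):
    """CSS-style prefix match; "/*" or no url (layer 4 rule) matches every path."""
    if pattern is None or pattern == "/*":
        return True
    return path.startswith(pattern.rstrip("*"))

def select_rule(rules, port, path):
    """Most specific matching content rule: longest url pattern wins, layer 4 rule last."""
    hits = [r for r in rules if r[1] == port and url_matches(r[2], path)]
    return max(hits, key=lambda r: len(r[2] or ""), default=None)

def decide(rules, acl, src_ip, port, path):
    """Return (content rule, service) the CSS would use for this request."""
    rule = select_rule(rules, port, path)
    if rule is None:
        return None, None
    src = ipaddress.ip_address(src_ip)
    for net, content, prefer in acl:            # first matching clause wins
        if src in ipaddress.ip_network(net) and content in (None, rule[0]):
            return rule[0], prefer or rule[3]
    return rule[0], None                         # no clause matched: implicit deny

if __name__ == "__main__":
    print(decide(RULES, ACL, "203.0.113.5", 80, "/portal/admin"))        # redirected away
    print(decide(RULES, ACL, "203.0.113.5", 81, "/portal/admin"))        # bypass: real server
    print(decide(RULES_FIXED, ACL_FIXED, "203.0.113.5", 81, "/portal/admin"))  # fixed
```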