One web server, multiple URLs

andimorris Member
Hi all,
can somebody please advise me on the best approaches for the following two scenarios? I can't figure out whether aFlex, HTTP filters, WAF, or a combination of the three are the way to go.

Scenario 1:
One VIP reverse proxying one web server. This web server has several different websites with differing URLs (e.g. website1.domain.com, website2.domain.com), using a mixture of http and https. If possible I'd like the A10 to only allow access to specific URLs.

Scenario 2:
One VIP reverse proxying one web server. The web server has several different websites with differing paths (e.g. website.domain.com/path1 website.domain.com/path2). All of which are https through to the server. Again I'd like A10 to restrict the paths available.

Any advice would be appreciated.

Comments

  • edited May 2017
    Hi andimorris,

    I thought I saw a response to this from someone else, but there is no response on the thread here, so I'll give my 2 cents.

    For the host (domain) or URI switching, please consult the documentation for URL/Host switching. This will give you the functionality you are looking for. Please note, you cannot do both URI and domain switching on the same HTTP template. So if you bind a URI switching template to a vport and also want to do host switching, you will have to use an aFlex. On the v4.x code, there is already an aFlex example for host switching provided.

    For the security, please check the WAF guide under the WAF deployment and logging examples section. Under learning mode there is a section called 'Generate Allowed URL Paths for the URL check'. This should also give you what you want. Other folks may have other options you can try, but I am sure that will achieve what you are looking to do as well.

    Good Luck!
    tj
  • diederik Member
    edited May 2017
    I answered this in the "One VIP, Several websites"...
    (The general issue I have with the WAF/Host Switching is that it is all host-header based, which requires decryption of the SSL/TLS connection first.)

    You can use an HTTP template and use host switching, don’t set a default servicegroup in the config and based on the “host header” only the hostnames specified in your host switching config will be allowed.

    On the HTTPS side, this template will also get applied, but only after the SSL session is established. If you want to block “SSL” connections to hostnames that you do not host or specific ones you want to block, you need to use SNI hooks in aFlex.

    For scenario 2, if you just want to filter paths, and the hostname is the same, you can use “Application Switching”… similar to “Host Switching” also in the HTTP Template.
    You can’t use host and app switching together in the same template.
    For host and app switching together I would use aFlex… switch on Host followed by a switch on URI.
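
A Python model of the "switch on Host followed by a switch on URI" logic described in the comment above, with no default service group so that anything unmatched is rejected. This is an added example, not part of the original thread and not aFlex code; the service-group names and the normalization steps are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Constructed allowlist: hostnames and paths come from the question's examples,
# the service-group names (sg-*) are hypothetical.
ALLOWED = {
    "website1.domain.com": {"/": "sg-website1"},
    "website2.domain.com": {"/": "sg-website2"},
    "website.domain.com": {"/path1": "sg-path1", "/path2": "sg-path2"},
}

def normalize_host(host_header):
    """Lower-case the Host header, drop a :port suffix and a trailing dot."""
    host = host_header.strip().lower()
    if ":" in host and not host.startswith("["):
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def normalize_path(uri):
    """Drop the query string, percent-decode once, collapse ./ and ../ segments."""
    path = unquote(uri.split("?", 1)[0])
    # Conservative choice: reject relative targets and anything still encoded
    # after one decode, so a second decode on the backend cannot change the path.
    if not path.startswith("/") or "%" in path:
        return None
    return posixpath.normpath(path)

def route(host_header, uri):
    """Return the service group for an allowed request, or None to reject."""
    paths = ALLOWED.get(normalize_host(host_header))
    if paths is None:
        return None  # no default service group: unknown hosts are refused
    path = normalize_path(uri)
    if path is None:
        return None
    # Longest prefix first; match only on a segment boundary so that
    # /path10 is not treated as being under /path1.
    for prefix in sorted(paths, key=len, reverse=True):
        if prefix == "/" or path == prefix or path.startswith(prefix + "/"):
            return paths[prefix]
    return None
```

Matching on the normalized path rather than the raw URI is what keeps a request such as `/path1/../admin` from passing a simple prefix check.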
  • andimorris Member
    edited May 2017
    Hi both,
    Yes, apologies, I posted it in both forums as I wasn't sure whether the solution would be aFlex-specific or not.

    It appears we have a few options to do this. I'll consult the documentation, and also take your advice into consideration.

    Thanks for replying. I'll report back with results.