One VIP, several websites
andimorris
Member ✭
in aFleX
Hi all,
apologies for cross posting. I think this might get more luck in the AFlex forum rather than the General forum.
can somebody please advise me on the best approaches for the following two scenarios? I can’t figure out whether aflex, http filters, WAF, or a combination of the three are the way to go.
Scenario 1:
One VIP reverse proxying one web server. This web server has several different websites with differing URLS (e.g website1.domain.com, website2.domain.com), using a mixture of http and https. If possible I’d like the A10 to only allow access to specific URLS.
Scenario 2:
One VIP reverse proxying one web server. The web server has several different websites with differing paths (e.g. website.domain.com/path1 website.domain.com/path2). All of which are https through to the server. Again I’d like A10 to restrict the paths available.
Any advice would be appreciated.
apologies for cross posting. I think this might get more luck in the AFlex forum rather than the General forum.
can somebody please advise me on the best approaches for the following two scenarios? I can’t figure out whether aflex, http filters, WAF, or a combination of the three are the way to go.
Scenario 1:
One VIP reverse proxying one web server. This web server has several different websites with differing URLS (e.g website1.domain.com, website2.domain.com), using a mixture of http and https. If possible I’d like the A10 to only allow access to specific URLS.
Scenario 2:
One VIP reverse proxying one web server. The web server has several different websites with differing paths (e.g. website.domain.com/path1 website.domain.com/path2). All of which are https through to the server. Again I’d like A10 to restrict the paths available.
Any advice would be appreciated.
0
Comments
You can use an HTTP template and use host switching, don't set a default servicegroup in the config and based on the "host header" only the hostnames specified in your host switching config will be allowed.
On the HTTPS side, this template will also get applied, but only after the SSL session is established. If you want to block "SSL" connections to hostnames that you do not host or specific ones you want to block, you need to use SNI hooks in aFlex.
For scenario 2, if you just want to filter paths, and the hostname is the same, you can use "Application Switching"... similar to "Host Switching" also in the HTTP Template.
You can't use host and app switching together in the same template.
For host and app switching together I would use aFlex... switch on Host followed by a switch on URI.