Currently in the process of implementing A10, to replace our ISA 2006 server.
Currently we use 1 external IP address for all our reverse proxied websites.
We want to set up one VIP for access to these internal websites.
All of these websites go over port 443 or port 80.
Some of the websites are on separate servers but a few are on the same back-end servers.
So test1@example.com and Test2@example.com are on the same server but test3 and test4 are on different servers, all using port 80 or 443.
I have configured the servers and a separate service group for each site.
How can I do this?
Would host switching or URL switching work better?
I also have another question.
One of the 443 websites we only allow connections from certain IP address ranges and the same with a few of the port 80 websites.
So what is the selection criteria? Give us an example. But I assume you only have 1 IP for the VIP. And you host:
www.aaa.com
www.bbb.com
www.ccc.com
all on the same VIP. So you want the AX to accept traffic on the VIP and sort traffic to servers in service_group_aaa, service_group_bbb, and service_group_ccc accordingly?
If so, without having to do aflex scripts, the HTTP template is your best bet using HOST switching.
It depends on how you are hosting your websites. If you have the websites hosted as www.example.com/test1 and www.example.com/test2, then we would recommend URL switching. If you have www.test1.example.com and www.test2.example.com, then we would recommend host switching. We can also use aFleX scripting as mentioned by TCP-me, but let's start with the HTTP template for now and see how we can fix the problem before we move to aFleX scripting.
For your second inquiry, I would recommend that you use the black/whitelisting feature. If B/Wlisting does fit your requirements then let me know and I can assist with aFleX scripting.
So it looks like host switching is the way. Where do I find that in the GUI? Or is it easier to do it in TextPad and copy it into the CLI?
As I said some of our servers hold multiple websites on them, they are in Apache and I am not familiar with Apache, but looking at the ISA rules they are both going over 443 or 80 so I think the Apache service is doing the host switching.
These would be websites like http://test3.example.com and http://test4.example.
Hi, you can find it in the GUI under:
Config Mode, SLB, Template, Application, HTTP.
Then Add (or edit if you already have one in use) and scroll down to app switching.
From there you can play around with the different settings like match type.
When you have done this you bind the HTTP template to your virtual service like:
Config Mode, SLB, Service, Virtual Service, edit your virtual service and add the HTTP template.
Okay, so it looks like host switching is not going to do what I need it to do.
I am going to have to go with an aFleX rule and class lists.
My question on class lists is: if I have 6 websites that will be accessed from the same IP address, can I have one list?
At some stage I may want to limit access to one of the sites, i.e. remove a range of allowed IP addresses. If I used one class list it would affect all the sites, right?
So would it be better to have 6 separate class lists? A lot of the IP addresses would be the same. Is there an easy way to manage this?
You should not create multiple lists. I think there are some new features with the memory tables but I did not work with it yet. I’m managing multiple lists with “stacked” aflex.
Here is for example my IP check:
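```tcl
when HTTP_REQUEST {
    # Networks and single hosts allowed to reach this virtual service
    set ::NET_ALLOW {
        10.0.0.0/8
        1.2.3.4
        5.6.7.8
        9.10.11.12
    }
    # Initialise the flag so a later aFleX never reads an unset variable
    set net_allowed 0
    foreach net $::NET_ALLOW {
        if { [IP::addr [IP::client_addr] equals $net] } {
            # Assumed body: the original post is cut off after the line above
            set net_allowed 1
            break
        }
    }
}
```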
I could have skipped the net_allowed but I’m using it later in another aFleX. You can do the same with website names. But be aware that the A10 doesn’t like non-existent variables. If you use a variable which wasn’t set, the aFleX just aborts without an error. Only axdebug shows it.
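
As an added example (not from any post in this thread), here is a Python model of the policy discussed above: the Host header selects a service group, and each site's allowlist is built from named ranges defined once, so a range can be removed from one site without touching the others. The service-group names, the site table and the range names are constructed for illustration; the model can be used to check a planned rule set offline before it is translated to the device.

```python
import ipaddress

# Constructed sample data: each named range is defined once and reused per site.
NETWORKS = {
    "internal": ["10.0.0.0/8"],
    "partners": ["1.2.3.4/32", "5.6.7.8/32"],
    "vendor": ["9.10.11.12/32"],
}

# Hypothetical host -> (service group, allowed range names); None = unrestricted.
SITES = {
    "test1.example.com": ("sg_test1", None),
    "test3.example.com": ("sg_test3", ["internal", "partners", "vendor"]),
    "test4.example.com": ("sg_test4", ["internal", "partners"]),
}

def normalize_host(host_header):
    """Lower-case the Host header, strip an optional :port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):            # IPv6 literal, never a named site here
        return host
    host = host.rsplit(":", 1)[0] if ":" in host else host
    return host.rstrip(".")

def client_allowed(client_ip, range_names):
    """True when client_ip falls inside any network of the named ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(
        addr in ipaddress.ip_network(cidr)
        for name in range_names
        for cidr in NETWORKS[name]
    )

def select_service_group(host_header, client_ip):
    """Return the service group for this request, or None to refuse it."""
    site = SITES.get(normalize_host(host_header))
    if site is None:
        return None                     # unknown Host: default deny
    group, range_names = site
    if range_names is not None and not client_allowed(client_ip, range_names):
        return None                     # known site, client not on its allowlist
    return group
```

Dropping "vendor" from one site's list changes only that site's decision, which is the behaviour a single shared class list cannot give.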