VMware Networking Community
vmmedmed
Enthusiast

NSX Load Balancer/Application Rule - limit to specific URL

Using an application rule - is it possible to only permit traffic to say www.acme.com/foo.html but deny all other HTTP requests to the Virtual Server? What would that rule look like? Thank you.

0 Kudos
4 Replies
bayupw
Leadership

You can try something like below

acl is_acme hdr(Host) -i www.acme.com

tcp-request connection reject if !is_acme

or

acl is_acme hdr(Host) -i www.acme.com

block if !is_acme

More about HAProxy ACL here: ACLs: Access Control Lists — HAProxy Technologies documentation

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
0 Kudos
vmmedmed
Enthusiast

So in my example it looks like I could use HTTP_URL_SLASH e.g.


acl is_foo url_beg /foo.html

tcp-request connection reject if !is_foo


Does that look right?

0 Kudos
bayupw
Leadership
Accepted Solution

From some examples I can see that url_beg is normally used for something like http:// or something at the beginning.

Perhaps path_dir or path_end is more suitable for your case.

Something like below:

Using path_end:

acl is_foo path_end -i /foo.html

block if !is_foo

or

acl is_foo path_end -i /foo.html

tcp-request connection reject if !is_foo

Using path_dir:

acl is_foo path_dir -i foo.html

block if !is_foo

or

acl is_foo path_dir -i foo.html

tcp-request connection reject if !is_foo

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
0 Kudos
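
The matchers named in this thread differ in which requests they let through when used with `block if !acl`. The following is an added example, not part of the original posts and not HAProxy or NSX code: a simplified Python model of HAProxy's documented url_beg, path_end and path_dir matching, run over constructed request targets. It goes slightly beyond the thread by also modelling the exact-match `path` keyword; the function names and sample targets are assumptions.

```python
# Simplified model of HAProxy's documented string matchers (added example,
# not HAProxy source). Targets are constructed origin-form request targets.
SAMPLES = [
    "/foo.html", "/FOO.html", "/foo.html?id=1", "/admin/foo.html",
    "/foo.html/secret", "/foo.html.bak", "/other.html",
]

def path_of(target):
    """The 'path' sample: the request target up to the first '?'."""
    return target.split("?", 1)[0]

def matches(keyword, pattern, target, icase=False):
    """Return True if `acl x <keyword> [-i] <pattern>` matches the target."""
    # url_* keywords see the whole target, path* keywords only the path.
    subject = target if keyword.startswith("url") else path_of(target)
    if icase:
        subject, pattern = subject.lower(), pattern.lower()
    if keyword == "path":                      # exact match
        return subject == pattern
    if keyword in ("url_beg", "path_beg"):     # prefix match
        return subject.startswith(pattern)
    if keyword == "path_end":                  # suffix match
        return subject.endswith(pattern)
    if keyword == "path_dir":                  # run of '/'-delimited components
        want = pattern.strip("/").split("/")
        have = subject.split("/")
        return any(have[i:i + len(want)] == want
                   for i in range(len(have) - len(want) + 1))
    raise ValueError(f"keyword not modelled: {keyword}")

def permitted(keyword, pattern, icase=False, targets=SAMPLES):
    """Targets that survive `block if !acl` (everything else is rejected)."""
    return [t for t in targets if matches(keyword, pattern, t, icase)]

if __name__ == "__main__":
    for kw, pat, ic in [("url_beg", "/foo.html", False),
                        ("path_end", "/foo.html", True),
                        ("path_dir", "foo.html", True),
                        ("path", "/foo.html", True)]:
        flag = " -i" if ic else ""
        print(f"{kw}{flag} {pat}: {permitted(kw, pat, ic)}")
```

In this model only the exact `path` match limits the rule to /foo.html itself (with or without a query string); the suffix and subdir forms also admit /admin/foo.html, and the prefix form admits /foo.html.bak.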
vmmedmed
Enthusiast

This is very helpful. Thanks!

0 Kudos