How to block some URLs with the ServerIron/ADX using CSW

by on 05-10-2009 11:00 PM - edited on 10-30-2013 05:45 PM by bcm1

Summary

 

We want to use the ServerIron/ADX to block access to a given set of URLs. Clients requesting these URLs should get a RESET back. Other traffic should be load balanced normally.

Specifics

We will use Layer-7 switching with csw to achieve this. Please keep the following in mind:

  • Each request that does not match any of the configured prefixes goes to a default group/pool of real servers (the example is using the group with group-id 100).
  • The example is based on a group/pool with a single server only, but it is possible to have multiple servers in the group. If the selected group/pool contains multiple servers, the ServerIron load balances between them.

The virtual server receiving the request is the one with IP address 192.168.9.100. Requests with the prefixes /secret, /private and /secure need to be blocked. All other requests go to real server rs201 (192.168.8.201).

Sample Code/Configuration

 

csw-rule "secret" url prefix "/secret" case-insensitive
csw-rule "private" url prefix "/private" case-insensitive
csw-rule "secure" url prefix "/secure" case-insensitive
!
csw-policy "BlockIt" case-insensitive
match "secret" reset-client
match "private" reset-client
match "secure" reset-client
default forward 201
!
server real rs201 192.168.8.201
port http
port http url "HEAD /"
port http group-id  201 201
!
server virtual vs100 192.168.9.100
port http
port http csw-policy "BlockIt"
port http csw
bind http rs201 http
!

Debugging

 

1. Use some clients to send requests with known URLs and check the statistics for the defined csw rules. Each rule has a counter showing the number of hits for that rule.

Command: show csw-policy BlockIt


Verify the correctness of the stats based on your requests.

2. Ensure clients requesting URLs starting with /secret, /secure and /private do get a RESET back instead of the content.
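
Step 2 can be scripted. The following is an added example, not part of the original article: a Python probe that reports whether a request was answered with a TCP RST or with an HTTP status. The names probe, expected, stand_in and run_checks are hypothetical; stand_in is a constructed local substitute for the virtual server so the script runs without a ServerIron, and expected assumes the rules act as plain case-insensitive string prefixes, which means /secretary is treated as blocked as well.

```python
import socket
import struct
import threading

BLOCKED = ("/secret", "/private", "/secure")  # prefixes from the csw-rule lines
PATHS = ["/", "/index.html", "/secret/a", "/SECURE", "/Private/x", "/secretary", "/public/secret"]

def probe(host, port, path, timeout=3.0):
    """Send one GET; return 'reset' on a TCP RST, else the HTTP status code."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            data = s.recv(4096)
    except ConnectionResetError:
        return "reset"
    return int(data.split()[1]) if data else "closed"

def expected(path):
    """Assumed model of the BlockIt policy: case-insensitive prefix -> reset."""
    return "reset" if path.lower().startswith(BLOCKED) else 200

def stand_in(listener):
    """Constructed local stand-in for the virtual server (not ADX code)."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        path = conn.recv(4096).split()[1].decode()
        if expected(path) == "reset":
            # SO_LINGER with a zero timeout makes close() send RST instead of FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        else:
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        conn.close()

def run_checks(host, port, paths):
    """Return (path, expected, observed) for every path that misbehaves."""
    results = [(p, expected(p), probe(host, port, p)) for p in paths]
    return [r for r in results if r[1] != r[2]]

if __name__ == "__main__":
    srv = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=stand_in, args=(srv,), daemon=True).start()
    # To test the device itself, call run_checks("192.168.9.100", 80, PATHS) instead.
    print(run_checks("127.0.0.1", srv.getsockname()[1], PATHS) or "all paths behave as expected")
```

An empty result means every path behaved as the policy model predicts; compare the number of blocked probes with the hit counters from show csw-policy BlockIt.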
