
Need to use an IP Whitelist on a SubVS


Summary:

Need to apply an IP whitelist to a SubVS (sub virtual service)

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: Any

Question/Problem Description:

Traffic first needs to be sent to the SubVS using a content rule that matches on URLs. Within that SubVS, a wide range of IPs then needs to be whitelisted.

There are two methods of whitelisting IPs on the LoadMaster (LM): access control lists (ACLs), and content rules that match on the 'src-ip' header. ACLs cannot be applied to a sub virtual service. Content rules are limited by the number of characters a single rule can match on, which is 250 characters, so a wide range of IPs does not fit in one rule.

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause:  
Resolution: Use a combination of cascaded virtual services (VS) and the X-Forwarded-For (XFF) header to carry the original client IP, and whitelist on that.
  1. Create a content rule that removes the XFF header.
  2. Create one or more content rules that match the IP(s) to whitelist. In this design the original client IP reaches the second VS in the X-Forwarded-For header, so these rules match on that header. See How to Content Match by Source IP – Kemp Support (kemptechnologies.com) for the rule format.
  3. Create at least two VSs. VS1 is the VS that clients connect to; VS2 is the cascaded VS that VS1 sends traffic to. The real servers (RS) are assigned in VS2.
  4. For VS1:
    1. Assign the XFF-removal rule under Advanced Properties > HTTP Header Modifications > Request Headers. This strips any XFF header that reaches the LM from the client, so a client cannot supply its own value and pass the whitelist in VS2.
    2. Match and direct traffic to a SubVS using content rules, however the situation calls for, for example by matching on HTTP headers or URLs.
    3. Inside the SubVS, the real server (RS) is the IP of VS2.
    4. Inside the SubVS, under Advanced Properties > Add HTTP Headers, select "X-Forwarded-For (No VIA)" so that the SubVS inserts a fresh XFF header containing the client IP.
  5. For VS2:
    1. Create as many SubVSs as the situation needs; more than one may be needed when directing to different sites or URLs.
    2. Turn on content switching under Advanced Properties > Content Switching.
    3. Assign the IP-matching rules created earlier to the desired SubVS.
    4. Under Advanced Properties, enable Not Available Redirection Handling with a code of 403 and a message of your choice. This is what turns the rules into a whitelist: if a request matches none of the IP rules, the client receives the 403 and that message.
    5. Inside the SubVS(s), assign the actual RS(s) the application is hosted on.
  Because VS2 trusts the XFF header for the client address, VS2 should only receive traffic from VS1; if clients could reach the VS2 address directly, they could set the header themselves.
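The following Python model is an added example, not LoadMaster code or a Kemp-provided script. It shows two things the steps above leave to the reader: how to turn a wide whitelist into regex patterns that stay under the 250-character rule limit, and why step 1 (stripping the inbound XFF header in VS1) matters. The whitelist, client addresses and the "not stripped" behaviour are constructed assumptions for the model; the generated patterns are meant for a Regular Expression content rule on the X-Forwarded-For header, so check them against your LoadMaster version before use.

```python
"""Model of the cascaded-VS whitelist described in the Resolution above.

Added example, not LoadMaster code: it generates the regex patterns an
admin would paste into X-Forwarded-For content rules (packed under the
250-character pattern limit the article mentions) and simulates the
VS1 -> VS2 flow so the effect of stripping the inbound XFF header can
be checked offline.
"""
import ipaddress
import re

PATTERN_LIMIT = 250  # per-rule pattern length limit stated in the article

# Constructed whitelist using documentation/private ranges; not from the article.
WHITELIST = ["10.1.0.0/16", "192.0.2.0/24", "198.51.100.17"]


def cidr_alternatives(cidrs):
    """Turn each CIDR into regex alternatives with octet-aligned wildcards.

    10.1.0.0/16 -> 10\\.1\\.\\d{1,3}\\.\\d{1,3}; a /32 -> the escaped address.
    Prefixes that are not a multiple of 8 are split into aligned subnets,
    so 10.0.0.0/22 yields four /24 alternatives.
    """
    alts = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        aligned = -(-net.prefixlen // 8) * 8  # round prefix up to a multiple of 8
        fixed_octets = aligned // 8
        for sub in net.subnets(new_prefix=aligned):
            octets = str(sub.network_address).split(".")[:fixed_octets]
            parts = [re.escape(o) for o in octets] + [r"\d{1,3}"] * (4 - fixed_octets)
            alts.append(r"\.".join(parts))
    return alts


def pack_rules(alternatives, limit=PATTERN_LIMIT):
    """Pack alternatives into anchored '^(a|b|...)$' patterns, one per content rule.

    Anchoring matters: without it 198.51.100.17 would also match 198.51.100.170.
    A wide whitelist that overflows the limit simply becomes several rules,
    all assigned to the same SubVS in VS2.
    """
    rules, current = [], []
    for alt in alternatives:
        candidate = "^(" + "|".join(current + [alt]) + ")$"
        if current and len(candidate) > limit:
            rules.append("^(" + "|".join(current) + ")$")
            current = [alt]
        else:
            current.append(alt)
    if current:
        rules.append("^(" + "|".join(current) + ")$")
    for rule in rules:
        if len(rule) > limit:
            raise ValueError("single alternative exceeds the rule limit: " + rule)
    return rules


WHITELIST_RULES = pack_rules(cidr_alternatives(WHITELIST))


def vs1_forward(client_ip, headers):
    """VS1: drop any client-supplied X-Forwarded-For (step 4.1), then the SubVS
    adds XFF carrying the real connection source (step 4.4, 'No VIA')."""
    forwarded = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}
    forwarded["X-Forwarded-For"] = client_ip
    return forwarded


def vs2_dispatch(headers):
    """VS2: content switching on the XFF header; no rule matches -> 403 (step 5.4)."""
    xff = headers.get("X-Forwarded-For", "").strip()
    for rule in WHITELIST_RULES:
        if re.match(rule, xff):
            return 200  # matched: request is switched to the SubVS with the real servers
    return 403  # Not Available Redirection Handling


def handle(client_ip, headers, strip_inbound_xff=True):
    """Status the client ends up with. strip_inbound_xff=False models skipping
    step 1; it assumes the worst case that the client's own XFF value is then
    what VS2 evaluates (an assumption of this model, not a product statement)."""
    if strip_inbound_xff:
        headers = vs1_forward(client_ip, headers)
    else:
        headers = dict(headers)
        headers.setdefault("X-Forwarded-For", client_ip)
    return vs2_dispatch(headers)


if __name__ == "__main__":
    print("rules:", WHITELIST_RULES)
    spoof = {"X-Forwarded-For": "10.1.2.3"}
    print("whitelisted client:", handle("192.0.2.44", {}))  # 200
    print("outside client, XFF stripped:", handle("203.0.113.7", spoof))  # 403
    print("outside client, XFF not stripped:", handle("203.0.113.7", spoof, False))  # 200
```

Run it as-is to print the packed patterns and the three outcomes. The last line is the point of step 1: a client outside the whitelist that sends its own X-Forwarded-For: 10.1.2.3 is only rejected because VS1 discards that header before the SubVS adds the real address.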
Workaround:  
Notes:

Content Rules – Kemp Support (kemptechnologies.com)

How to Load Balancing Multiple Sites with a Single IP address using SubVSs – Kemp Support (kemptechnologies.com)



Comments


Security University of Bern

In my view, Progress needs to adapt the ACL/Packet Filter options to modern times.
It can't be that I have to build something with regex or header stripping so that I can do simple black and white list filtering.
Fortunately, there is still the WAF (ModSecurity). There you can build a filter quite elegantly...
In this case you could activate the WAF on the VS with a custom rule, which checks for REQUEST_URI and REMOTE_ADDR with a chain. 
Why on the VS and not on the SubVS? There is a limit to the number of active WAF rules.
Hope this helps...
