Not a big deal, but something I tried today mainly as an excuse to try this with NSX.
So here’s the situation. I have a pair of ADFS WAP servers that are load balanced using NSX. ADFS listens on port 443 so that’s the only port my VIP needs to handle.
However, we are also using Verisign DNS to fail over between sites. So I want it such that if, say, both the ADFS servers in Site A are down, then Verisign DNS should fail over my external ADFS records to Site B. Setting this up in Verisign DNS is easy, but you need to be able to monitor the ADFS / WAP services externally from Verisign for this to work properly. Thus I had to set up my NSX WAP load balancer to listen on port 80 too and forward those requests to my internal ADFS servers. To monitor the health of ADFS, Verisign will periodically query http://myadfsserver/adfs/probe. If that returns a 200 response, all is good.
Now here’s the requirement I came up with for myself. I don’t want any and every HTTP query on port 80 to be handled. Yes, if I try http://myadfserver/somerandomurl it gives a 404 error, but I don’t want that. I want any HTTP queries to any URL except /adfs/probe to be redirected to /adfs/probe. Figured this would be a good place to use application rules. Here’s what I came up with:
    acl allowed_url url /adfs/probe
    redirect location /adfs/probe if !allowed_url
NSX application rules follow the same format as HAProxy, so the HAProxy configuration guide is a very handy reference.

The acl keyword defines an Access Control List. In my case the name of this ACL is allowed_url (this is a name I can define) and it matches URLs (hence the url keyword). Since I used url it does an exact match, but there are derivatives like url_beg, url_end, url_len, url_dir etc. that I could have used. I can even do regexp matches. In my case I am matching the exact URL /adfs/probe, and I define this as the ACL called allowed_url.
In the next line I use the redirect keyword to redirect any request to the /adfs/probe location if it does not match the allowed_url ACL. That’s all!
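To see what the two-line rule actually does to a handful of request URIs before putting it on the VIP, here is a small simulator I added (it is not code from this post, from NSX or from HAProxy). It assumes HAProxy's semantics, where the url sample is the full request URI including any query string, so the exact match above also redirects /adfs/probe?x=1, and it flags a variant of the rule whose redirect target does not itself pass the ACL (a redirect loop); the url_beg, url_end, url_dir and url_len matchers are approximations of the documented criteria, not NSX's implementation.

```python
from typing import Callable, Dict, Tuple

PROBE = "/adfs/probe"

# Approximate matchers for the url* ACL criteria named in the post.
# Assumption: `url` is the whole request URI (path plus query string).
MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "url": lambda uri, pat: uri == pat,                 # exact match
    "url_beg": lambda uri, pat: uri.startswith(pat),    # prefix
    "url_end": lambda uri, pat: uri.endswith(pat),      # suffix
    "url_dir": lambda uri, pat: pat in uri.split("?", 1)[0].split("/"),
    "url_len": lambda uri, pat: len(uri) == int(pat),   # exact length
}


def acl(criterion: str, pattern: str) -> Callable[[str], bool]:
    """Build an ACL predicate, e.g. acl("url", "/adfs/probe")."""
    return lambda uri: MATCHERS[criterion](uri, pattern)


# The post's rule:  acl allowed_url url /adfs/probe
#                   redirect location /adfs/probe if !allowed_url
allowed_url = acl("url", PROBE)


def decide(request_uri: str, allowed: Callable[[str], bool] = allowed_url) -> Tuple[str, str]:
    """Return ("pass", uri) when the ACL matches, else ("redirect", PROBE)."""
    if allowed(request_uri):
        return ("pass", request_uri)
    return ("redirect", PROBE)


def follow(request_uri: str, allowed: Callable[[str], bool] = allowed_url,
           max_hops: int = 5) -> Tuple[str, int]:
    """Simulate a client following redirects; raise if the rule loops,
    i.e. the redirect target never satisfies the ACL."""
    uri, hops = request_uri, 0
    while hops < max_hops:
        action, target = decide(uri, allowed)
        if action == "pass":
            return (uri, hops)
        uri, hops = target, hops + 1
    raise RuntimeError(f"redirect loop: {request_uri} never passes the ACL")


if __name__ == "__main__":
    # Constructed sample request URIs, including one with a query string.
    for uri in [PROBE, "/somerandomurl", PROBE + "?ping=1", "/adfs/ls/"]:
        print(uri, "->", decide(uri))
```

Running it shows that a trailing-slash typo in the ACL pattern (url /adfs/probe/) would redirect every request forever, while the rule as written sends every non-probe URI to /adfs/probe in one hop.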
This of course barely touches what one can do with application rules, but I am pleased to get started with this much for now. :)