Not a big deal, but something I tried today mainly as an excuse to try this with NSX.
So here’s the situation. I have a pair of ADFS WAP servers that are load balanced using NSX. ADFS listens on port 443 so that’s the only port my VIP needs to handle.
However, we are also using Verisign DNS to fail over between sites. So I want it such that if, say, both the ADFS servers in Site A are down, then Verisign DNS should fail over my external ADFS records to Site B. Setting this up in Verisign DNS is easy, but you need to be able to monitor the ADFS / WAP services externally from Verisign for this to work properly. Thus I had to set up my NSX WAP load balancer to listen on port 80 too and forward those requests to my internal ADFS servers. To monitor the health of ADFS, Verisign will periodically query http://myadfsserver/adfs/probe. If that returns a 200 response all is good.
Now here’s the requirement I came up with for myself. I don’t want any and every HTTP query on port 80 to be handled. Yes, if I try http://myadfserver/somerandomurl it gives a 404 error, but I don’t want that. I want any HTTP queries to any URL except /adfs/probe to be redirected to /adfs/probe. Figured this would be a good place to use application rules. Here’s what I came up with:
acl allowed_url url /adfs/probe
redirect location /adfs/probe if !allowed_url
NSX application rules follow the same format as HAProxy so their config guide is a very handy reference.
The acl keyword defines an Access Control List. In my case the name of this ACL is allowed_url (this is a name I can define) and it matches URLs (hence the url keyword). Since I used url it does an exact match, but there are derivatives like url_dir etc. that I could have used. I can even do regexp matches. In my case I am matching for the exact URL /adfs/probe. I define this as the ACL called
In the next line I use the redirect keyword to redirect any requests to the /adfs/probe location if they do not match the allowed_url ACL. That’s all!
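To see exactly which requests the two rules above let through and which they redirect, here is a small offline model of them as an added example (not NSX's or HAProxy's code). It assumes simplified matcher semantics: the url matcher compares the full request URL, path and query string, exactly and case-sensitively, while url_beg is a prefix match; a request the ACL allows is modelled as a 200 from the WAP backend.

```python
from dataclasses import dataclass
from typing import Optional

PROBE = "/adfs/probe"


@dataclass
class Decision:
    status: int                      # HTTP status the client sees from the rule layer
    location: Optional[str] = None   # Location header when redirected


def matches(url: str, kind: str, pattern: str) -> bool:
    """Simplified model of the HAProxy-style matchers used with the 'url' fetch (assumption)."""
    if kind == "url":        # exact match against path *and* query string, case-sensitive
        return url == pattern
    if kind == "url_beg":    # prefix match
        return url.startswith(pattern)
    raise ValueError(f"unsupported matcher: {kind}")


def apply_rule(url: str, matcher: str = "url") -> Decision:
    """acl allowed_url <matcher> /adfs/probe
       redirect location /adfs/probe if !allowed_url"""
    if not matches(url, matcher, PROBE):
        return Decision(302, PROBE)  # 'redirect location' without a code is a 302
    return Decision(200)             # allowed: passed to the (assumed healthy) WAP backend


def follow_redirects(url: str, matcher: str = "url", max_hops: int = 5):
    """Follow the rule layer's redirects as a client would; returns (final_url, hops).
    Shows the rule cannot loop: the redirect target itself satisfies the ACL."""
    hops = 0
    while True:
        decision = apply_rule(url, matcher)
        if decision.status != 302:
            return url, hops
        hops += 1
        if hops > max_hops:
            raise RuntimeError("redirect loop")
        url = decision.location


if __name__ == "__main__":
    # Constructed sample requests, including the edge cases an exact match trips over.
    for req in ["/adfs/probe", "/somerandomurl", "/adfs/probe?x=1", "/adfs/probe/", "/ADFS/probe"]:
        print(f"{req:20} url -> {apply_rule(req)}   url_beg -> {apply_rule(req, 'url_beg')}")
```

Note that with the exact url matcher a probe carrying a query string or a trailing slash is redirected rather than answered directly, so the external monitor must request exactly /adfs/probe or follow redirects.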
This of course barely touches what one can do with application rules, but I am pleased to get started with this much for now. :)