Forum Discussion
APM ACL what is source for IP evaluated
Well, I tried to set, for example, a Static ACL object in the VPE based on the dst IP of a host on the Internet (I am talking about an SWG-Explicit type Access Profile). Any IPs set as dst in the ACL are ignored, which is quite logical, as the info about the target host is actually inside HTTP in the method line (as in my original post, it's like GET http://www.site.com/something/index.html HTTP/1.1). At the L4 level the connection looks like this: client IP:port -> VS IP:port (this VS is working as an explicit proxy). If I set the src IP in the ACL, it's evaluated correctly: the given client IP is blocked or allowed.
So again the problem is with enforcing the real dst of the proxy request, which is not known at the L4 level. I would also like to do that not only when the Access Policy is processed but for each request. As far as I know it's only possible using ACCESS_ACL_ALLOWED, which is the only iRule event fired for each request after the policy was evaluated, using ACCESS::acl eval.
Based on my tests, ACLs in the Access Policy are not working per request (as opposed to a Per-Request Policy, which is working for each request, but I am not aware of any iRule event fired by a Per-Request Policy :-( ).
To be honest my setup is a bit non-standard. I am actually using a VS with a standard http profile (reverse-proxy, not explicit type).
This is another approach to proxy chaining: I need to pass the request to an upstream explicit proxy. I already tried the approach with HTTP::proxy disable for a VS with an HTTP profile of type explicit, but now I would like to try the opposite approach. But ACLs in this case ignore the real destination IP. That's why I wonder whether any Access Session variable is used for ACL evaluation; if so, I could just do a DNS resolve per request and update the session variable used for ACL evaluation.
Of course, maybe it's a dead end and there is a better way?
The ultimate goal is to create L4 rules (like AFM) that work for proxy-type HTTP requests. In this case AFM rules can only see the client IP but not the real destination IP, which is the explicit proxy VS IP.
So I wonder if using APM ACLs could be a solution?
Piotr
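The approach the post sketches (resolve the real target of a proxy-style request on every request and enforce a destination rule in ACCESS_ACL_ALLOWED, then expose the result as a session variable) is shown below as an added iRule example. It is not code from the original post or from F5; it assumes a hypothetical address-type data group named proxy_dst_blocklist holding the blocked target IPs/CIDRs, a resolver reachable at 10.0.0.53, that URI::host returns an empty string for a relative URI, and that the suspending RESOLV::lookup command is permitted in this event (if it is not on your version, the same body works in HTTP_REQUEST, at the cost of running before the APM policy).

```tcl
# Added example, not from the original post or from F5.
# Per-request enforcement of the real destination of an explicit-proxy style
# HTTP request, which APM ACLs and AFM rules cannot see because at L4 the
# flow is client -> VS IP.  Assumed (hypothetical) objects:
#   - address data group "proxy_dst_blocklist": blocked target IPs / CIDRs
#   - 10.0.0.53: a DNS resolver the BIG-IP can reach
when ACCESS_ACL_ALLOWED {
    # An explicit-proxy request carries an absolute URI in the request line
    # (GET http://www.site.com/x HTTP/1.1); URI::host pulls the target host
    # out of it.  For a relative URI (reverse-proxy style) fall back to the
    # Host header, stripping any explicit port (www.site.com:8080).
    set target [string tolower [URI::host [HTTP::uri]]]
    if { $target eq "" } {
        set target [lindex [split [string tolower [HTTP::host]] ":"] 0]
    }
    if { $target eq "" } {
        HTTP::respond 400 content "Bad Request: no target host"
        return
    }

    # If the client already used an IPv4 literal there is nothing to resolve.
    if { [regexp {^\d{1,3}(\.\d{1,3}){3}$} $target] } {
        set dst_ips [list $target]
    } else {
        # RESOLV::lookup suspends the iRule while the query is in flight and
        # returns a (possibly empty) list of A records.
        set dst_ips [RESOLV::lookup @10.0.0.53 -a $target]
        if { [llength $dst_ips] == 0 } {
            log local0. "proxy-acl: cannot resolve $target for [IP::client_addr]"
            HTTP::respond 502 content "Bad Gateway: cannot resolve $target"
            return
        }
    }

    # Deny if ANY resolved address is blocked, so a name that round-robins
    # between a permitted and a blocked address cannot slip through.
    foreach ip $dst_ips {
        if { [class match -- $ip equals proxy_dst_blocklist] } {
            log local0. "proxy-acl: DENY [IP::client_addr] -> $target ($ip)"
            HTTP::respond 403 content "Forbidden by destination ACL"
            return
        }
    }

    # Record the resolved destination in the access session for reporting.
    # session.custom.* is used here by convention for a custom variable.
    ACCESS::session data set session.custom.proxy_dst_ip [lindex $dst_ips 0]
    log local0. "proxy-acl: ALLOW [IP::client_addr] -> $target ([join $dst_ips ,])"
}
```

Two caveats a practitioner should weigh before deploying this. A DNS lookup per request adds latency to every proxied request; caching host-to-address results with the table command (keyed by hostname, with a timeout no longer than the record TTL) keeps the per-request cost to a memory lookup. And the address the iRule resolves is not necessarily the address the upstream proxy will connect to: a name with a short TTL can answer differently a moment later (DNS rebinding), so this check complements, rather than replaces, an egress filter at the point where the upstream proxy actually opens the connection.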