Salman Butt Posted March 27, 2023

I had created a Content Switching Virtual Service with a rule that only allows traffic to pass through if it matches a certain hostname. I can easily accomplish this by using HTTP.REQ.HOSTNAME.EQ("google.com"). However, this is not scalable, and after adding a few FQDNs to the list I get a "maximum limit error". Would anyone know what the recommended way to accomplish this would be: filter a VIP and only allow a certain group of hostnames to pass through?

Helge Brust Posted March 28, 2023

Hi, if you want to stay with one cs policy for this, I would use a pattern set.

- create a pattern set with all FQDNs
- set your policy to HTTP.REQ.HOSTNAME.EQUALS_ANY("<patternsetname>")

In this chapter of docs you can see how it works.

Terry Hooper Posted March 28, 2023

To add to this, using pattern set functionality will result in a less resource-intensive expression matching process 😉

Salman Butt (Author) Posted March 28, 2023

Thank you so much @Terry Hooper and @Helge Brust. That seems to have resolved my issue. Didn't know this feature existed; the appending to expression did seem redundant. For the community, here's what it looks like on the CLI:

1. create pattern set
# add policy patset <pattern_name>
add policy patset pattern_svc

2. bind policy to pattern set
# bind policy patset <pattern_name> <hostname> -index <index_value> -charset ASCII
bind policy patset pattern_svc fedoramagazine.org -index 1 -charset ASCII

3. your content switching policy
# add cs policy <cs_policy> -rule "HTTP.REQ.HOSTNAME.EQUALS_ANY(\"<pattern_name>\")" -action <action_name>
add cs policy cs_svc_pol -rule "HTTP.REQ.HOSTNAME.EQUALS_ANY(\"pattern_svc\")" -action cs_svc_act

4. create a corresponding action
# add cs action <action_name> -targetLBVserver <target_lb_vserver>
add cs action cs_svc_act -targetLBVserver lb_svc_ssl

-------------------------------------------------

Also, if you have a file with the hostnames, here's a quick and dirty script to generate the command, so you can run it on the CLI: (Attached)
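
The attachment mentioned in the last post is not included on this page. The following is an added example, not the poster's script: it generates the `add policy patset` / `bind policy patset` commands shown in the thread from a list of hostnames, and rejects any entry that is not a plain FQDN so that a stray line in the file cannot add extra arguments to a CLI command. The function names, the `#` comment syntax in the input and the sample entries are assumptions made for this example.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def is_valid_fqdn(name):
    """True for a dotted hostname made only of valid DNS labels."""
    if len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def patset_commands(lines, patset="pattern_svc", start_index=1):
    """Return (commands, rejected) for the hostnames in `lines`.

    Entries are lower-cased and de-duplicated (DNS names are
    case-insensitive; normalising here is a choice of this example).
    Anything with whitespace, quotes or other non-hostname characters is
    rejected instead of being pasted into a command line.
    """
    commands = [f"add policy patset {patset}"]
    rejected, seen = [], set()
    index = start_index
    for raw in lines:
        # Assumed input format: one hostname per line, '#' starts a comment.
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        if not is_valid_fqdn(entry):
            rejected.append(raw.strip())
            continue
        if entry in seen:
            continue
        seen.add(entry)
        commands.append(
            f"bind policy patset {patset} {entry} -index {index} -charset ASCII"
        )
        index += 1
    return commands, rejected


# Constructed sample input (not from the thread's attachment).
SAMPLE = ["fedoramagazine.org", "Example.com.   # trailing dot, mixed case",
          "fedoramagazine.org", "", "bad host.example -index 9",
          "-leading.example"]

if __name__ == "__main__":
    cmds, bad = patset_commands(SAMPLE)
    print("\n".join(cmds))
    for line in bad:
        print(f"# rejected: {line!r}")
```

Review the rejected lines before pasting the output into the CLI; an entry that fails validation would otherwise be silently missing from the allow-list.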