The NSX Edge Load Balancer L7 Engine is based on HAProxy (an open-source load balancer, http://www.haproxy.org/), so you can leverage the HAProxy Access Control List (ACL) capabilities to manage access to your applications.
In this article I show how a specific URL can be easily protected based on source IP address.
The goal of this exercise is to configure the NSX Load Balancer to serve a Public Application to all IP addresses, but to grant access to a specific application section (let’s pretend it’s a reserved area that is not already protected by any form of authentication or segregation) only to a specific IP address.
The configuration I’ll use is the following:
- The jumphost I use to manage my lab infrastructure: IP address 192.168.110.10.
- The Load Balancer VIP configured on the Edge Gateway: IP address 172.16.10.10.
- The Web Servers I’m balancing: IP addresses 172.16.10.11 and 172.16.10.12. I use an Inline Load Balancer configuration.
The Load Balancer Pool is configured with the two Web Servers.
Web Servers are configured to listen on Port 80 – http.
Leveraging HAProxy ACLs, I create an Application Rule:
“src” is self-explanatory: it matches the source IP address I want to allow.
“path_beg -i” tells the Load Balancer which URL to protect: any request whose URL path begins with /cgi-bin, ignoring case.
“block” instructs the Load Balancer on what to block. In this case, any request for the protected URL (protected_page) coming from a source other than the trusted IP (!trusted_ip) is blocked.
The Application Rule, once created, is applied to the Virtual Server configured with VIP 172.16.10.10.
The Virtual Server is configured to listen on Port 443 – https.
The Public URL of my Web Application is https://webapp.corp.com.
The Private URL of my Web Application is https://webapp.corp.com/cgi-bin/hol.cgi.
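The Application Rule itself is only shown in a screenshot in the original post, so the following is an added example of the same rule written out as a stand-alone HAProxy configuration, not the post’s own text. The ACL names (trusted_ip, protected_page), the addresses and the ports come from the post; the frontend and backend names, the server names and the certificate path are assumptions, and the frontend/backend scaffolding stands in for what the Edge’s Virtual Server and Pool configuration supply, so only the three acl/block lines correspond to the Application Rule.

```haproxy
# Added example: the post's Application Rule expressed as a full HAProxy config.
# Section and server names and the certificate path are placeholders.
defaults
    mode http          # ACLs on the request path need HTTP (L7) mode
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend webapp_vip
    # The Virtual Server from the post: VIP 172.16.10.10, HTTPS on 443.
    # Certificate path is an assumption for a stand-alone HAProxy test.
    bind 172.16.10.10:443 ssl crt /etc/haproxy/certs/webapp.pem

    # --- The Application Rule ---
    # trusted_ip matches when the client address is the jumphost.
    acl trusted_ip src 192.168.110.10
    # protected_page matches when the URL path begins with /cgi-bin, any case.
    acl protected_page path_beg -i /cgi-bin
    # Deny requests for the protected area from anything that is not trusted.
    block if protected_page !trusted_ip
    # Equivalent on HAProxy 2.1+, where "block" has been removed:
    # http-request deny if protected_page !trusted_ip

    default_backend webapp_pool

backend webapp_pool
    # The Pool from the post: two web servers on port 80 (inline topology).
    balance roundrobin
    server web1 172.16.10.11:80 check
    server web2 172.16.10.12:80 check
```

Two points worth checking when you reuse this. First, `src` is the client address as the Edge sees it: if the trusted clients sit behind NAT or a forward proxy, every client sharing that address is trusted together. Second, `path_beg -i /cgi-bin` is a prefix match on the path, so it also matches a path such as /cgi-binary; use `/cgi-bin/` if only the directory is meant. The rule lives on the load balancer, so the web servers on port 80 must not be reachable except through the VIP for it to hold.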
In the following section I show the results of the tests, accessing the application sections from different sources.
- Access from my jumphost with IP 192.168.110.10 to the Public URL of the application. Expected result: success.
- Access from my jumphost with IP 192.168.110.10 to the Protected URL of the application. Expected result: success.
- I have used curl on a Linux client to test access to the Public and Protected URLs from a different IP address. The IP address is shown in the screenshot.
Expected result accessing the Public URL: success.
Expected result accessing the Protected URL: failure.
Access to the Public URL successful.
Access to the Protected URL unsuccessful.
All the tests worked as expected and I’ve achieved my goal of protecting access to a specific application URL.