Protect a specific URL using NSX Edge Services Gateway Load Balancer

The NSX Edge Load Balancer L7 engine is based on HAProxy (an open-source load balancer, http://www.haproxy.org/), so you can leverage HAProxy Access Control List (ACL) capabilities to manage access to your applications.
In this article I show how a specific URL can be easily protected based on source IP address.

The goal of this exercise is to configure the NSX Load Balancer to serve a Public Application to all IP addresses, but to grant access to a specific application section (let’s pretend it’s a reserved area, not already protected by any form of authentication or segregation) only to a specific IP address.

The configuration I’ll use is the following:

  • The jumphost I use to manage my lab infrastructure: IP address 192.168.110.10.
  • The Load Balancer VIP configured on the Edge Gateway: IP address 172.16.10.10.
  • The Web Servers I’m balancing: IP addresses 172.16.10.11 and 172.16.10.12. I use an Inline Load Balancer configuration.

The Load Balancer Pool is configured with the two Web Servers.
Web Servers are configured to listen on Port 80 – http.

Leveraging HAProxy ACLs, I create an Application Rule:

“src” is self-explanatory: it is the source IP address I want to allow.
“path_beg -i” tells the Load Balancer to protect the URL whose path begins with /cgi-bin, ignoring case.
“block” instructs the Load Balancer on what to block. In this case, any request for the protected URL (protected_page) that does not come from the trusted IP (!trusted_ip) is blocked.
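To make the matching semantics of the three ACL lines concrete, here is a small Python model of the rule as an added example (not NSX or HAProxy code); the rule text in the comment and the untrusted client address 10.0.0.5 are constructed from the values in this post.

```python
import ipaddress

# Constructed rendering of the Application Rule described in the post
# (ACL names and values come from the post; the exact text is an assumption):
#   acl trusted_ip     src 192.168.110.10
#   acl protected_page path_beg -i /cgi-bin
#   block if protected_page !trusted_ip

TRUSTED_SRC = ipaddress.ip_network("192.168.110.10/32")   # "src" ACL
PROTECTED_PREFIX = "/cgi-bin"                              # "path_beg -i" ACL

def acl_trusted_ip(src_ip: str) -> bool:
    """HAProxy 'src' ACL: the client address lies inside the allowed network."""
    return ipaddress.ip_address(src_ip) in TRUSTED_SRC

def acl_protected_page(request_uri: str) -> bool:
    """HAProxy 'path_beg -i' ACL: the path part of the URI (query string
    excluded, as HAProxy's 'path' sample does) starts with the prefix,
    compared case-insensitively because of -i."""
    path = request_uri.split("?", 1)[0]
    return path.lower().startswith(PROTECTED_PREFIX.lower())

def is_blocked(src_ip: str, request_uri: str) -> bool:
    """'block if protected_page !trusted_ip': deny only when BOTH hold,
    i.e. the request targets the protected path AND the client is not the
    trusted source. Every other request falls through to the pool."""
    return acl_protected_page(request_uri) and not acl_trusted_ip(src_ip)

def evaluate(requests):
    """Map each constructed (src, uri) pair to 'blocked' or 'allowed'."""
    return {(ip, uri): ("blocked" if is_blocked(ip, uri) else "allowed")
            for ip, uri in requests}

if __name__ == "__main__":
    sample = [                                        # constructed requests
        ("192.168.110.10", "/"),                      # jumphost, public URL
        ("192.168.110.10", "/cgi-bin/hol.cgi"),       # jumphost, protected URL
        ("10.0.0.5", "/"),                            # other client, public URL
        ("10.0.0.5", "/cgi-bin/hol.cgi"),             # other client, protected URL
        ("10.0.0.5", "/CGI-BIN/hol.cgi"),             # case changed: -i still matches
        ("10.0.0.5", "/cgi-bin/hol.cgi?x=1"),         # query string does not bypass
        ("10.0.0.5", "/static/cgi-bin"),              # path_beg is a prefix match only
    ]
    for (ip, uri), verdict in evaluate(sample).items():
        print(f"{ip:>16} {uri:<24} {verdict}")
```

The rule keys on the TCP source address, so it works here because the Edge is inline and sees the real client IP; behind another proxy, `src` would be the proxy's address. In newer HAProxy releases `block` is deprecated in favour of `http-request deny if protected_page !trusted_ip`, but the ACL logic is unchanged.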

The Application Rule, once created, is applied to the Virtual Server configured with VIP 172.16.10.10.
The Virtual Server is configured to listen on Port 443 – https.

The Public URL of my Web Application is https://webapp.corp.com.
The Private URL of my Web Application is https://webapp.corp.com/cgi-bin/hol.cgi.
In the following section I show the results of testing access to the application sections from different sources.

  1. Access from my jumphost with IP 192.168.110.10 to the Public URL of the application. Expected result: success.
     Result: success.
  2. Access from my jumphost with IP 192.168.110.10 to the Protected URL of the application. Expected result: success.
     Result: success.
  3. I have used curl on a Linux client to test access to the Public and Protected URLs from a different IP address. The IP address is shown in the screenshot.
     Expected result accessing the Public URL: success.
     Expected result accessing the Protected URL: failure.
     Results:
     Access to the Public URL successful.
     Access to the Protected URL unsuccessful.

All the tests worked as expected, and I’ve achieved my goal of protecting access to a specific application URL.