We are trying to replace our existing reverse proxy with MWG7.
Unfortunately I have some trouble with the ruleset.
That's what we currently try to migrate to MWG:
Here is what we have configured so far:
RuleSet_internal_address1 (URL.Destination.IP equals external_address1)
-forward (request) (URL.Path equals "example_urlpath1" OR "example_urlpath2")
URL.Path equals "/example_urlpath1" OR URL.Path equals "example_urlpath1/"
Event= Set URL.Path = "/internal_urlpath1"
URL.Path equals "example_urlpath2" OR URL.Path equals "example_urlpath2/"
Event= Set URL.Path = "/internal_urlpath2"
Event= Enable Next Hop Proxy <internal.address1>
RuleSet_internal_address2 (URL.Destination.IP equals external_address1)
-forward (request) (URL.Path equals "/example_urlpath3")
URL.Path equals "/example_urlpath3" OR URL.Path equals "example_urlpath3/"
Events= Set URL.Path = "/internal_urlpath3"
Event= Enable Next Hop Proxy <internal.address2>
These RuleSets don't work together for some reason, one RuleSet by itself (disable other) works fine.
It seems that Rule Criteria -forward (URL.Path "example_urlpath") doesn't match and the request runs through both rulesets.
Does anybody have an idea or other solution?
For both Rule Sets you use "URL.Destination.IP equals external_address1". Is this a typo?
Can we probably get a copy of the Rules to have a look?
I had a quick look and I think you probably have messed up with the properties/criteria here.
Have a look at the below Rule Set:
In the criteria of the Rule Set you tell MWG "Only enter this Rule Set if URL.Path equals /example_path1 or /example_path2". So you will only enter this Rule set if the path is /example_pathX. But within the Rule set you say "Change the URL Path if the URL.Path equals /example_urlpath".
This will never trigger because either the path is /example_pathX, then you will never apply the rules within that Rule Set, or the path is "/example_urlpathX", then your rules WOULD trigger, but you will never enter the Rule Set because of the criteria set for it.
I would basically go ahead and change the way you build your Rule Set. I will try to make some screenshots and post them here.
Message edited by asabban on 18.03.11 03:38:48 CDT
Message edited by asabban on 18.03.11 03:39:51 CDT
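The mismatch described in the post above, as an added example that is not part of the original thread and not MWG's rule engine: a small Python model that flags nested rules which can never fire because their criteria share no value with the enclosing Rule Set's criteria. The dictionary layout, rule names and the exact-match evaluation are assumptions made for illustration; the path values follow the post.

```python
# Simplified model (assumption): a Rule Set is entered only when its own
# criteria match, and each nested rule is then tested against the same path.
# "equals" is treated as an exact string comparison.

def process(path, ruleset):
    """Return the path that would be sent upstream after one Rule Set."""
    if path not in ruleset["criteria"]:
        return path                      # Rule Set skipped entirely
    for rule in ruleset["rules"]:
        if path in rule["match"]:
            return rule["set_path"]      # Event: Set URL.Path
    return path                          # entered, but no nested rule matched


def dead_rules(ruleset):
    """Names of nested rules whose criteria never overlap the Rule Set gate."""
    gate = set(ruleset["criteria"])
    return [r["name"] for r in ruleset["rules"] if not gate & set(r["match"])]


# Constructed sample: gate on /example_pathX, nested rules on /example_urlpathX.
BROKEN = {
    "criteria": ["/example_path1", "/example_path2"],
    "rules": [
        {"name": "rewrite1", "match": ["/example_urlpath1"],
         "set_path": "/internal_urlpath1"},
        {"name": "rewrite2", "match": ["/example_urlpath2"],
         "set_path": "/internal_urlpath2"},
    ],
}

# Constructed sample: gate and nested rules use the same path values.
FIXED = {
    "criteria": ["/example_urlpath1", "/example_urlpath2"],
    "rules": BROKEN["rules"],
}

if __name__ == "__main__":
    print("dead rules (broken):", dead_rules(BROKEN))
    print("dead rules (fixed): ", dead_rules(FIXED))
    for p in ("/example_path1", "/example_urlpath1"):
        print(p, "->", process(p, BROKEN), "|", process(p, FIXED))
```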
One really big thing you need to be sure about is what "forwarding to" means.
If you say:
URL.Path equals "/example_urlpath1"
Event= Set URL.Path = "/internal_urlpath1"
This only works for a request like this:
Only this request is taken and this changes ONLY the request that is sent out by MWG to the Webserver:
If you access
this will no longer work.
I think this is more a static alias than a forward. There are several ways to "forward", but you need to know what you want to do.
I have been working on the "redirect path to a different server" thing, but I don't think this works or at least I have not yet understood. Once the Client establishes an SSL connection to the Proxy, the Proxy will talk to the Webserver to build a connection. After this has been done the SSL Scanner will decrypt the traffic, so once we get access to the URL.Path attribute we already have an established SSL tunnel to the remote server, and we can't move away from this. This works fine when talking HTTP to the remote server, but won't work with HTTPS between Client <-> MWG AND MWG <-> Webserver.
If you can live with having HTTPS between Client <-> MWG and use HTTP between MWG <-> Webserver this should be working.
I have added a Rule Set for you which you may have a look into. It basically does the following:
Clients are accessing www.csm-testcenter.org or extranet.webwasher.com, both via HTTP and HTTPS. The DNS entries point to MWG, and on MWG there are two Rule Sets for different handling of these two URLs, e.g. two different "policies" are applied.
For the "www.csm-testcenter.org" I have created basic filtering Rule Sets and after that, call a "Redirect Rules" Ruleset, in which several "forwards" or "aliases" are called. The examples I had are:
Access to http://www.csm-testcenter.org/Upload is pointing to a Subsite where Examples can be uploaded.
Access to http://www.csm-testcenter.org/Download is pointing to a Subsite where Examples can be downloaded.
Both "Aliases" are not accessible without those rules.
Then I have created a rule that redirects a complete folder. When you access to
you will see the Server replies with an error message:
"The requested URL /New_Directory/whatever/index.html was not found on this server."
You can see that "/Folder" is rewritten to "/New_Directory".
Then I have a disabled Rule Set which tries to redirect "/McAfee" to a different server. This does not yet work, I am having a look into this.
Last example is a "/Redirect". If you browse to
the MWG will respond back with a 302, which will cause the browser to open a separate page.
The Rule Set and the existing Aliases work fine. Maybe you can have a look if that helps you to understand how to create a Rule Set that matches for your requirements.
Andre
Message edited by asabban on 18.03.11 07:32:43 CDT
Thanks for the ruleset.
I tried it in our environment.
Unfortunately it looks like the criteria in the ruleset doesn't work.
It only matches when I enable the criteria in the rule.
I don't really see a reason why this is not working. Looks good for me.
Would it be ok to stick with adding the criteria to the Rules for the moment?
Maybe this is a bug and we should file an SR for this.
Hi Andre, Hi Harry,
Tested on my Reverse Proxy in my environment. The same behaviour.
Url.Path Rules are working within Rules but NOT within Rulesets.