Backend ACLs

ACLs (Access Control Lists) allow your HTTP and SSL ADCs to route traffic to multiple Backends based on several selectable rules. This allows you to do things like sending different hostnames to different backends.

ACL Groups are available under the ADC Addons menu item.

Configuration

When you select multiple backends you must then change the "When" column to one of the predefined match types. Attach a match type to each selected backend in order to tell them how to route traffic.

If you get an HTTP 503 error afterwards, it means the ADC could not select a valid route for your traffic, e.g. no ACLs matched.

Test Your Regex

To test patterns for regex type rules, you can make use of a tool like Regexr.

ACL Groups

You may create ACL groups which contain many values (right-hand side) for ACL matching under the ADC Addons menu. This typically applies to multiple hostnames going to one backend, but the values can also be regexes, IP addresses, or anything else that can be matched.

Rule Types

You are given a choice of 6 rule types when matching HTTP/SSL content for routing. These are detailed below:

| Rule | Explanation |
| --- | --- |
| Hostname | The exact hostname sent in the HTTP Host Header. E.g. www.snapt.net |
| Hostname Regex | A regular expression match of the HTTP Host Header. E.g. .*.snapt.net |
| Exact Path | The exact path with no trailing content. E.g. /full/path.html |
| Path Beginning | The start of the path with any trailing content. E.g. /images/ |
| Path Regex | A regular expression based on the path. E.g. .*.(jpg)$ |
| SNI Host | The SSL SNI host name that was presented for use with Layer 4 |
| SNI L7 Host | The SSL SNI host name that was presented for use with Layer 7 (terminated SSL) |
| Hostname and Path Beginning | The hostname and start of the path. E.g. www.snapt.net/images/ |
| Hostname and Exact Path | The hostname and exact path. E.g. www.snapt.net/index.php |
| Source IP(s) | Route matching source IP addresses to this backend, e.g. "192.168.0.0/16 10.0.0.0/8 1.1.1.1". |

Interface Example

Screenshot

Examples

We have several examples to assist with creating the most common types of content routing.

| Rule | Example | Details |
| --- | --- | --- |
| Hostname | example.com | Match example.com exactly |
| Hostname Regex | ^dev.* | Match anything starting with dev - e.g. https://dev.example.com |
| Exact Path | /login | Match /login exactly - e.g. https://example.com/login |
| Path Beginning | /images | Match anything in the /images path - e.g. https://your.website.com/images/dog.jpg |
| Path Regex | ^/api/v(.*)/cars$ | Match /api/v*/cars as a wildcard - e.g. https://your.website.com/api/v3/cars |
| SNI Host | example.com | Match example.com exactly, as requested by a browser or API tool |
| SNI L7 Host | example.com | Match example.com exactly, as requested by a browser or API tool |
| Source IP(s) | 10.0.0.0/8 | Route any traffic from 10.0.0.0/8 to this backend. Can use ACL Group for multiple. |
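
The following is an added example, not Snapt code: an offline model of six of the rule types above, for checking a rule set against sample requests before deploying it. It assumes first-match-wins ordering and unanchored regex matching (Python's re.search); the ADC's own engine and evaluation order may differ, and the backend names, the req helper and STRICT_RULES are hypothetical.

```python
import ipaddress
import re

# Assumed semantics for six of the page's rule types (not Snapt's implementation).
MATCHERS = {
    "Hostname": lambda v, r: r["host"].lower() == v.lower(),
    "Hostname Regex": lambda v, r: re.search(v, r["host"]) is not None,
    "Exact Path": lambda v, r: r["path"] == v,
    "Path Beginning": lambda v, r: r["path"].startswith(v),
    "Path Regex": lambda v, r: re.search(v, r["path"]) is not None,
    "Source IP(s)": lambda v, r: any(
        ipaddress.ip_address(r["src"]) in ipaddress.ip_network(net)
        for net in v.split()),
}

def route(rules, request):
    """Return the backend of the first matching rule, or 503 if none match."""
    for rule_type, value, backend in rules:
        if MATCHERS[rule_type](value, request):
            return backend
    return 503  # no ACL matched, so there is no valid route

def req(host, path="/", src="203.0.113.7"):
    """Build a constructed sample request."""
    return {"host": host, "path": path, "src": src}

# Constructed rule set using example values from the page; backend names are made up.
RULES = [
    ("Source IP(s)", "192.168.0.0/16 10.0.0.0/8 1.1.1.1", "internal"),
    ("Path Regex", r"^/api/v(.*)/cars$", "api"),
    ("Path Beginning", "/images", "static"),
    ("Hostname Regex", r".*.snapt.net", "snapt"),
]
# Same set with the hostname regex escaped and anchored.
STRICT_RULES = RULES[:3] + [("Hostname Regex", r"^.*\.snapt\.net$", "snapt")]

if __name__ == "__main__":
    samples = [
        req("www.snapt.net"),
        req("your.website.com", "/api/v3/cars"),
        req("your.website.com", "/images/dog.jpg"),
        req("example.org", src="10.1.2.3"),
        req("notsnapt.net"),   # unescaped "." matches any character
        req("example.org"),    # nothing matches
    ]
    for s in samples:
        print(s["host"], s["path"], s["src"], "->",
              route(RULES, s), "| strict:", route(STRICT_RULES, s))
```

Under these assumptions the unescaped pattern also routes notsnapt.net to the snapt backend, while the escaped and anchored form lets it fall through to the 503 case.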

HTTPS Passthrough

Typically, only HTTP-based ADCs (such as SSL, HTTP, API, Agent, etc) can use ACLs. However, you can use Source IPs and Layer 4 SNI to route HTTPS traffic to a backend in the layer 4 mode HTTPS pass-through ADC.

We're Here To Help

For assistance with writing Backend ACLs, submit a support ticket and the Snapt team will happily assist.