enable ns feature cs
enable ns feature RESPONDER
add policy patset pki_static_content_allowed_paths
bind policy patset pki_static_content_allowed_paths ecdsaroot.crt -index 1 -charset ASCII
bind policy patset pki_static_content_allowed_paths ecdsaroot.crl -index 2 -charset ASCII
bind policy patset pki_static_content_allowed_paths ecdsaint.crt -index 3 -charset ASCII
bind policy patset pki_static_content_allowed_paths ecdsaint.crl -index 4 -charset ASCII
bind policy patset pki_static_content_allowed_paths root.crt -index 5 -charset ASCII
bind policy patset pki_static_content_allowed_paths rootcrl.crl -index 6 -charset ASCII
bind policy patset pki_static_content_allowed_paths int.crt -index 7 -charset ASCII
bind policy patset pki_static_content_allowed_paths intcrl.crl -index 8 -charset ASCII
add server defaultgwsvr 172.25.0.1
add service defaultgw defaultgwsvr HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED cip-header -usip YES -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind service defaultgw -monitorName ping
add serviceGroup pki_rsa_ocsp_sg HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB YES -CMP NO -monConnectionClose FIN
add serviceGroup pki_static_content_sg HTTP -maxClient 0 -maxReq 0 -cip ENABLED X-Forwarded-For -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB YES -CMP NO -tcpProfileName nstcp_default_tcp_lan -monConnectionClose FIN
add serviceGroup pki_ecdsa_ocsp_sg HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB YES -CMP NO -monConnectionClose FIN
add lb vserver pki_rsa_ocsp_lbvs HTTP 0.0.0.0 0 -persistenceType SOURCEIP -lbMethod ROUNDROBIN -backupLBMethod LEASTCONNECTION -cltTimeout 180
add lb vserver pki_static_content_http_lbvs HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
add lb vserver pki_ecdsa_http_lbvs HTTP 0.0.0.0 0 -persistenceType NONE -lbMethod ROUNDROBIN -backupLBMethod LEASTCONNECTION -cltTimeout 180
add lb vserver error_response_lbvs HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180
add cs vserver rsa_ocsp_http_csvs HTTP 172.25.0.5 8082 -cltTimeout 180
add cs vserver ecdsa_ocsp_http_csvs HTTP 172.25.0.5 8081 -cltTimeout 180
add cs action rsa_ocsp_cs_act -targetLBVserver pki_rsa_ocsp_lbvs
add cs action pki_static_content_cs_act -targetLBVserver pki_static_content_http_lbvs
add cs action ecdsa_ocsp_cs_act -targetLBVserver pki_ecdsa_http_lbvs
add cs policy rsa_ocsp_cs_pol -rule "HTTP.REQ.IS_VALID && ((HTTP.REQ.METHOD.EQ(\"POST\") && HTTP.REQ.HEADER(\"Content-Type\").EQ(\"application/ocsp-request\")) || HTTP.REQ.METHOD.EQ(\"GET\"))" -action rsa_ocsp_cs_act
add cs policy pki_static_content_cs_pol -rule "HTTP.REQ.URL.CONTAINS_ANY(\"pki_static_content_allowed_paths\")" -action pki_static_content_cs_act
add cs policy ecdsa_ocsp_cs_pol -rule "HTTP.REQ.IS_VALID && ((HTTP.REQ.METHOD.EQ(\"POST\") && HTTP.REQ.HEADER(\"Content-Type\").EQ(\"application/ocsp-request\")) || HTTP.REQ.METHOD.EQ(\"GET\"))" -action ecdsa_ocsp_cs_act
add responder action 400_resp_act respondwith q{"HTTP/1.1 400 Bad Request" +"\r\n\r\n" }
add responder policy drop_nonexpected_static_content_traffic "HTTP.REQ.URL.CONTAINS_ANY(\"pki_static_content_allowed_paths\").NOT" DROP
add responder policy 400_resp_pol true 400_resp_act
bind lb vserver error_response_lbvs defaultgw
bind lb vserver pki_rsa_ocsp_lbvs pki_rsa_ocsp_sg
bind lb vserver pki_static_content_http_lbvs pki_static_content_sg
bind lb vserver pki_ecdsa_http_lbvs pki_ecdsa_ocsp_sg
bind lb vserver pki_static_content_http_lbvs -policyName drop_nonexpected_static_content_traffic -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver error_response_lbvs -policyName 400_resp_pol -priority 100 -gotoPriorityExpression END -type REQUEST
bind cs vserver rsa_ocsp_http_csvs -policyName pki_static_content_cs_pol -priority 100
bind cs vserver rsa_ocsp_http_csvs -policyName rsa_ocsp_cs_pol -priority 110
bind cs vserver rsa_ocsp_http_csvs -lbvserver error_response_lbvs
bind cs vserver ecdsa_ocsp_http_csvs -policyName pki_static_content_cs_pol -priority 100
bind cs vserver ecdsa_ocsp_http_csvs -policyName ecdsa_ocsp_cs_pol -priority 110
bind cs vserver ecdsa_ocsp_http_csvs -lbvserver error_response_lbvs
bind serviceGroup pki_rsa_ocsp_sg 172.25.0.20 2560
bind serviceGroup pki_ecdsa_ocsp_sg 172.25.0.21 2560
bind serviceGroup pki_static_content_sg 172.25.0.22 80
save config