HTTP redirect commands
display http-redirect endpoint-denylist
Use display http-redirect endpoint-denylist to display endpoint denylist entries for HTTP redirect.
Syntax
In standalone mode:
display http-redirect endpoint-denylist [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address ] [ slot slot-number ]
In IRF mode:
display http-redirect endpoint-denylist [ interface interface-type interface-number ] [ ip ipv4-address | ipv6 ipv6-address | mac mac-address ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its interface type and interface number. If you do not specify an interface, this command displays endpoint denylist entries for all interfaces.
ip ipv4-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
mac mac-address: Specifies a MAC address.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the endpoint denylist entries for the active MPU. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays the endpoint denylist entries for the global active MPU. (In IRF mode.)
Usage guidelines
Use this command to view information about endpoint denylist entries for HTTP redirect, including the IP address or MAC address of a user and the time when the denylist entry was added.
(In standalone mode.) To identify whether an IP address or a MAC address is added to the endpoint denylist, you must specify the interface interface-type interface-number and slot slot-number options.
(In IRF mode.) To identify whether an IP address or a MAC address is added to the endpoint denylist, you must specify the interface interface-type interface-number and chassis chassis-number slot slot-number options.
If you do not specify any option, this command displays all endpoint denylist entries.
Examples
# Display all endpoint denylist entries when you specify an IP address as the unique identifier of an endpoint denylist entry.
<Sysname> display http-redirect endpoint-denylist
IP Address       Added at                 Interface  Module ID
192.168.100.101  2023-11-22 17:00:00 UTC  XGE3/0/1   0x61c0000
# Display all endpoint denylist entries when you specify a MAC address as the unique identifier of an endpoint denylist entry.
<Sysname> display http-redirect endpoint-denylist
MAC Address        Added at                 Interface  Module ID
00:0C:29:CA:E4:66  2023-11-22 18:00:00 UTC  XGE3/0/1   0x2230000
Table 1 Command output
Field | Description |
---|---|
IP Address | IP address of the endpoint denylist entry. |
MAC Address | MAC address of the endpoint denylist entry. |
Added at | Time when the endpoint denylist entry is added. |
Interface | Name of the interface that adds the endpoint denylist entry. |
Module ID | ID of the module that adds the endpoint denylist entry. |
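For monitoring, the command output shown above can be turned into structured records. The following Python parser is an added example, not vendor code: the function name `parse_denylist` and the record keys are hypothetical, it accepts only UTC timestamps as in the sample output, and it assumes the aging timer runs from the "Added at" time.

```python
# Added illustration: parse denylist output and estimate entry expiry.
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, copied from the two example outputs on this page.
SAMPLE = """\
IP Address       Added at                 Interface  Module ID
192.168.100.101  2023-11-22 17:00:00 UTC  XGE3/0/1   0x61c0000
MAC Address        Added at                 Interface  Module ID
00:0C:29:CA:E4:66  2023-11-22 18:00:00 UTC  XGE3/0/1   0x2230000
"""

ROW = re.compile(
    r"^(?P<endpoint>\S+)\s+"
    r"(?P<added>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\s+"
    r"(?P<interface>\S+)\s+(?P<module>0x[0-9a-fA-F]+)\s*$"
)
MAC = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def parse_denylist(text, aging_time=3600):
    """Return one dict per entry; header and unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        added = datetime.strptime(m["added"], "%Y-%m-%d %H:%M:%S")
        added = added.replace(tzinfo=timezone.utc)
        entries.append({
            "endpoint": m["endpoint"],
            # An IPv6 address also contains colons, so test for the MAC shape.
            "kind": "mac" if MAC.fullmatch(m["endpoint"]) else "ip",
            "added": added,
            # Assumption: the aging timer runs from the "Added at" time.
            "expires": added + timedelta(seconds=aging_time),
            "interface": m["interface"],
            "module_id": int(m["module"], 16),
        })
    return entries
```

Pass the configured aging-time value (default 3600) so that the computed expiry matches the device configuration.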
Related commands
reset http-redirect endpoint-denylist
http-redirect endpoint-denylist enable
Use http-redirect endpoint-denylist enable to enable the endpoint denylist feature for HTTP redirect.
Use undo http-redirect endpoint-denylist enable to disable the endpoint denylist feature for HTTP redirect.
Syntax
http-redirect endpoint-denylist enable [ packet packet-count ] [ period period ] [ aging-time aging-time ] [ ipbase | macbase ]
undo http-redirect endpoint-denylist enable
Default
The endpoint denylist feature is disabled for HTTP redirect.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
packet packet-count: Specifies the number of packets as the threshold for the system to add an endpoint denylist entry. The value range for the packet-count argument is 10 to 1200. The default is 1200.
period period: Specifies the statistics period for counting received HTTP redirect packets. The value range for the period argument is 10 to 60 in seconds. The default is 60.
aging-time aging-time: Specifies the aging timer for endpoint denylist entries, in the range of 60 to 86400 in seconds. The default is 3600.
ipbase: Specifies the IP address of an endpoint denylist entry as its unique identifier.
macbase: Specifies the MAC address of an endpoint denylist entry as its unique identifier.
Usage guidelines
Application scenarios
In portal authentication scenarios, the device redirects HTTP/HTTPS requests of users to the portal authentication page. When users frequently initiate HTTP/HTTPS requests and trigger redirection to the authentication page, the device processes many HTTP/HTTPS packets. This causes high CPU usage, which affects normal services. To avoid this issue, you can enable the endpoint denylist feature for HTTP redirect.
Operating mechanism
This feature enables the device to identify each endpoint uniquely by IP address or MAC address, according to the configured denylist parameters, and to collect statistics on the HTTP redirect packets received from users. When the number of HTTP redirect packets sent by a user reaches the threshold for adding an endpoint denylist entry within the statistics period, the device adds the user's IP or MAC address to the endpoint denylist.
After a user's IP or MAC address is added to an endpoint denylist entry, the device stops redirecting HTTP packets from that user until the entry expires or the administrator removes the entry.
Restrictions and guidelines
After you enable this feature, if you edit the endpoint denylist parameters again, the device clears the existing endpoint denylist entries and restarts collecting statistics on users' HTTP redirect packets.
Examples
# Enable the endpoint denylist feature for HTTP redirect. Specify the threshold for adding endpoint denylist entries as 1000, the statistics period for counting HTTP redirect packets as 60 seconds, and the aging timer for endpoint denylist entries as 60 seconds. In addition, specify the MAC address as the unique identifier of an endpoint denylist entry.
<Sysname> system-view
[Sysname] http-redirect endpoint-denylist enable packet 1000 period 60 aging-time 60 macbase
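To see how the packet, period and aging-time values interact, the following Python model replays a steady request rate against the behaviour described under "Operating mechanism" and "Restrictions and guidelines". It is an added example, not device or vendor code; the names `EndpointDenylist` and `simulate` are hypothetical. It assumes a fixed statistics window that starts at the first counted packet and that the packet reaching the threshold is still redirected.

```python
# Added illustration of the documented threshold / period / aging behaviour.
from dataclasses import dataclass, field


@dataclass
class EndpointDenylist:
    packet: int = 1200      # threshold (documented default)
    period: int = 60        # statistics period in seconds (documented default)
    aging_time: int = 3600  # entry lifetime in seconds (documented default)
    _counts: dict = field(default_factory=dict)  # endpoint -> (start, count)
    _denied: dict = field(default_factory=dict)  # endpoint -> time added

    def __post_init__(self):
        # Value ranges from the parameter descriptions on this page.
        limits = {"packet": (10, 1200), "period": (10, 60),
                  "aging_time": (60, 86400)}
        for name, (lo, hi) in limits.items():
            if not lo <= getattr(self, name) <= hi:
                raise ValueError(f"{name} must be in {lo}..{hi}")

    def on_request(self, endpoint, now):
        """Return True if the request is redirected, False if it is ignored."""
        added = self._denied.get(endpoint)
        if added is not None:
            if now - added < self.aging_time:
                return False              # denylisted: no redirect
            del self._denied[endpoint]    # entry aged out
        start, count = self._counts.get(endpoint, (now, 0))
        if now - start >= self.period:    # assumed: fixed window restarts
            start, count = now, 0
        count += 1
        self._counts[endpoint] = (start, count)
        if count >= self.packet:          # threshold reached in this period
            self._denied[endpoint] = now
            del self._counts[endpoint]
        return True

    def reconfigure(self, **params):
        """Editing parameters clears entries and restarts statistics."""
        return EndpointDenylist(**params)


def simulate(rate_per_sec, seconds, **params):
    """Count redirected requests for one endpoint sending at a steady rate."""
    dl = EndpointDenylist(**params)
    mac = "00:0C:29:CA:E4:66"             # sample MAC from this page's output
    return sum(dl.on_request(mac, t)
               for t in range(seconds) for _ in range(rate_per_sec))
```

With the settings from the example above, an endpoint sending 20 requests per second for two minutes has 1220 of its 2400 requests redirected, while an endpoint sending 10 per second never reaches the threshold.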
Related commands
display http-redirect endpoint-denylist
http-redirect https-port
Use http-redirect https-port to specify the HTTPS redirect listening port number.
Use undo http-redirect https-port to restore the default.
Syntax
http-redirect https-port port-number
undo http-redirect https-port
Default
The HTTPS redirect listening port number is 6654.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
port-number: Specifies the TCP port number on which the HTTPS redirect service listens for HTTPS requests. The value range for the port number is 1 to 65535.
Usage guidelines
To avoid service unavailability caused by port conflict, do not specify a TCP port number used by a well-known protocol or used by any other service. To display TCP port numbers that have been used by services, use the display tcp command.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify 8888 as the HTTPS redirect listening port number.
<Sysname> system-view
[Sysname] http-redirect https-port 8888
http-redirect ssl-server-policy
Use http-redirect ssl-server-policy to associate an SSL server policy with the HTTPS redirect service.
Use undo http-redirect ssl-server-policy to restore the default.
Syntax
http-redirect ssl-server-policy policy-name
undo http-redirect ssl-server-policy
Default
No SSL server policy is associated with the HTTPS redirect service. The HTTPS redirect service uses a self-signed certificate and the default SSL parameters.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
HTTPS redirect is unavailable if the associated SSL server policy does not exist. You can first associate a nonexistent SSL server policy with the HTTPS redirect service and then configure the SSL server policy.
If you change the SSL server policy associated with the HTTPS redirect service, the new policy takes effect immediately.
If you perform this task multiple times, the most recent configuration takes effect.
Examples
# Associate SSL server policy policy1 with the HTTPS redirect service.
<Sysname> system-view
[Sysname] http-redirect ssl-server-policy policy1
Related commands
ssl server-policy
reset http-redirect endpoint-denylist
Use reset http-redirect endpoint-denylist to delete endpoint denylist entries for HTTP redirect.
Syntax
reset http-redirect endpoint-denylist [ ip ipv4-address | ipv6 ipv6-address | mac mac-address ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ipv4-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
mac mac-address: Specifies a MAC address.
Usage guidelines
If you do not specify any option for this command, this command deletes all existing endpoint denylist entries.
Examples
# Delete all existing endpoint denylist entries for HTTP redirect.
<Sysname> reset http-redirect endpoint-denylist
Related commands
display http-redirect endpoint-denylist