Forum Discussion
jondyke_46152
Nimbostratus
NimbostratusAccess Control Based On IP for specific URL
I am pretty new to irules so any help here would be appeciated. The irule below is the deafult irule for Access control based on IP from the codeshare area. Is it possible to alter this so that it controls access for a specific URL under the virtual server rather than the whole virtual server? ie. http://www.joeblogs.com/restricted/
when RULE_INIT {
v1.0 - basic ACL.
October, 2007
Tested on BigIP version 9.4.
Purpose:
Bind this rule to a network virtual server to simply allow or disallow traffic based on source IP.
This rule expects a datagroup named trustedAddresses that lists the addresses you wish to allow.
By default, traffic will be dropped.
}
when CLIENT_ACCEPTED {
if { [matchclass [IP::client_addr] equals $::trustedAddresses] }{
Uncomment the line below to turn on logging.
log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
forward
} else {
Uncomment the line below to turn on logging.
log local0. "Invalid client IP: [IP::client_addr] - discarding"
discard
}
}
Andy_Herrman_22You could create another class that contains the URLs that you want to control access to, and then have the IF check the HTTP::uri against that class (similar to the check of the client addr against the trusted addresses) first. If that matches then check the client addr against the trusted list.
jondyke_46152Forgive my ignorance here but I am an irule virgin - would it look something like this?
I assume I would need to create datagroups for trustedaddresses and securedvirtualdirectories? What would these look like? I am guessing the trustedaddresses dsatagroup would be an address type group and the securedvirtualdirectories would need to be some sort of string?
}
when CLIENT_ACCEPTED {
if { [matchclass [IP::client_addr] equals $::trustedAddresses] }
{ [matchclass [HTTP::uri] equals $::securedvirtualdirectories]}{
Uncomment the line below to turn on logging.
log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
forward
} else {
Uncomment the line below to turn on logging.
log local0. "Invalid client IP: [IP::client_addr] - discarding"
discard
}
}- jondyke_46152Thanks
I have copied the text into an irule and created an address datagroup called trustedAddresses (and added the allowed IP)
Do I then need to create another datagroup for securedpaths? If so how do I do this with the code you supplied? - jondyke_46152Ok - i tried the rule above and created an address datagroup and string datagroup with the securepath info. Seems to scre up my site.... are we missing the foward bit of the rule?
- Andy_Herrman_22I don't believe the 'forward' command is necessary. If you don't reject it then the F5 should process it normally.
It looks like you have the rule backwards. I think you're discarding when you want to allow, and allowing when you want to discard.
The IF statement will trigger if someone who is NOT authorized tries to access the secure path. In this case you want to reject them. The ELSE case will hit whenever the user is authorized OR they are trying to access a non-secure part of the site.
The iRule I suggested didn't have the ELSE part there, so the rule you have is doing the opposite of the one I wrote. Try switching back to the one I had and see if it works. - jondyke_46152When I tried the irule that you have written above it seems to break my site (no page displayed) at the default level which is a bit odd.
- Andy_Herrman_22Can you try using this iRule and do a couple tests, then post the log messages you get? I added some logging and put the 'forward' command in, just in case I was wrong and it is needed.
when HTTP_REQUEST { if { ( [matchclass [HTTP::uri] starts_with $::securePaths] ) and ! ( [matchclass [IP::client_addr] equals $::trustedAddresses] ) } { log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])" discard } else { log local0. "Allowing connection from [IP::client_addr] to [HTTP::uri]" forward } } - Andy_Herrman_22Oh, and a quick suggestion. When posting your iRule code, use a code block to help keep the formatting.
[ code ]
CODE GOES HERE
[ /code ]
(remove the spaces from the tags. I had to put them there to get them to actually appear in the message instead of creating an actual code block) - jondyke_46152The following message is in the log:-
TCL error: irule_restrictedbyIP HTTP_REQUEST - cant read ::securePaths: no such variable while executing matchclass [HTTP::uri] starts_with $::securePaths - Andy_Herrman_22Sounds like the datagroup/class for the secure paths isn't defined. Does that error happen when using your own iRule code?