
Forum Discussion

jondyke_46152
Jun 26, 2008

Access Control Based On IP for specific URL

I am pretty new to iRules so any help here would be appreciated. The iRule below is the default iRule for Access control based on IP from the codeshare area. Is it possible to alter this so that it controls access for a specific URL under the virtual server rather than the whole virtual server? i.e. http://www.joeblogs.com/restricted/

[ code ]
when RULE_INIT {
   # v1.0 - basic ACL.
   # October, 2007
   # Tested on BigIP version 9.4.
   #
   # Purpose:
   # Bind this rule to a network virtual server to simply allow or disallow
   # traffic based on source IP.
   # This rule expects a datagroup named trustedAddresses that lists the
   # addresses you wish to allow.
   # By default, traffic will be dropped.
}

when CLIENT_ACCEPTED {
   if { [matchclass [IP::client_addr] equals $::trustedAddresses] }{
      # Uncomment the line below to turn on logging.
      #log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
      forward
   } else {
      # Uncomment the line below to turn on logging.
      #log local0. "Invalid client IP: [IP::client_addr] - discarding"
      discard
   }
}
[ /code ]

24 Replies

  • Sorry for the slow responses, I am going to need to set up a dummy site to try this on, as trying to work to SLAs on an internal R&D site is proving to be tricky.

    I will get back to you with some logs as soon as I have done this.
  • Ok - I have now set up a new website for testing purposes. It is a simple site with one pool and pool member and a VS (on port 80).

    I have a default.htm in the root folder and a restricted.htm in the restricted folder. It's all on the same subnet so Automap is set for SNAT on the VS. Everything else is default...

    Without the iRule I can get to the root site and the restricted URL path in IE no problem. With the iRule applied I can no longer get to the root site, let alone the restricted URL. My settings are as follows:-

     

     

    iRule:-

    [ code ]
    when HTTP_REQUEST {
       if { ( [matchclass [HTTP::uri] starts_with $::securePaths] ) and
            ! ( [matchclass [IP::client_addr] equals $::trustedAddresses] ) } {
          log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])"
          discard
       } else {
          log local0. "Allowing connection from [IP::client_addr] to [HTTP::uri]"
          forward
       }
    }
    [ /code ]

     

     

    Data Groups:-

    Name: trustedAddresses
    Partition: Common
    Type: Address
    Address Records: 192.168.3.14 (my workstation IP address)

    Name: securePaths
    Partition: Common
    Type: String
    String Records: /restricted/

    Local Traffic Log:-

    Rule irule_restrictedbyIP HTTP_REQUEST: Allowing connection from 192.168.3.14 to /

     

     

    Any other suggestions? Any other logging I can switch on or look at? As soon as I remove the iRule it is all fine again......

     

     

    Thanks,

     

     

    Jon


  • hoolio
    The forward command will mean LTM doesn't use the pool or translate the destination IP address. It isn't appropriate if you want to use a pool. If you remove the forward command it should work fine:

     
     when HTTP_REQUEST { 
        if {([matchclass [HTTP::uri] starts_with $::securePaths]) and not ([matchclass [IP::client_addr] equals $::trustedAddresses])}{ 
           log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])" 
           discard 
        } else { 
           log local0. "Allowing connection from [IP::client_addr] to [HTTP::uri]" 
        } 
     } 
     

    Aaron
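To make the matching semantics of the working rule concrete, here is an added Python model of its decision logic. It is not an iRule, not code from this thread, and does not run on BIG-IP; it re-implements `matchclass ... equals` on addresses and `starts_with` on the URI so the rule can be exercised offline, and puts a normalised variant of the path test beside the literal one. The data-group contents, the extra 10.0.0.0/8 entry, the hardened variant and the sample requests are all constructed for the example; the assumption that the backend resolves paths case-insensitively (as IIS does) is mine, not something the thread states.

```python
"""
Reference model of the path-restricted source-IP ACL discussed in this thread.

Added example, not an iRule and not code from the thread: it re-implements the
HTTP_REQUEST rule's decision in plain Python so the matching semantics can be
exercised offline. Assumed (not stated in the thread):
  - trustedAddresses may hold single hosts or CIDR networks, as BIG-IP
    address data groups allow;
  - securePaths entries are lower-case;
  - the backend resolves paths case-insensitively, as IIS does.
"""
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed data-group contents mirroring the configuration posted above,
# plus one network entry to show CIDR matching.
TRUSTED_ADDRESSES = ["192.168.3.14", "10.0.0.0/8"]
SECURE_PATHS = ["/restricted/"]


def client_is_trusted(client_ip, trusted=TRUSTED_ADDRESSES):
    """Equivalent of: matchclass [IP::client_addr] equals $::trustedAddresses"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in trusted)


def uri_is_secure_literal(uri, secure=SECURE_PATHS):
    """Equivalent of: matchclass [HTTP::uri] starts_with $::securePaths
    A byte-for-byte prefix test on the raw request URI, as the posted rule does."""
    return any(uri.startswith(prefix) for prefix in secure)


def normalize_path(uri):
    """Canonical request path: query dropped, percent-decoding applied until
    stable, leading '//' and dot-segments resolved, then lower-cased."""
    path = uri.split("?", 1)[0]
    for _ in range(3):                      # bounded loop: defeats double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    trailing = path.endswith("/")
    path = posixpath.normpath("/" + path.lstrip("/"))   # lstrip: normpath keeps a leading '//'
    if trailing and path != "/":
        path += "/"
    return path.lower()


def uri_is_secure_hardened(uri, secure=SECURE_PATHS):
    """Prefix test on the normalised path; '/restricted' without a trailing
    slash counts as protected as well."""
    path = normalize_path(uri)
    for prefix in secure:
        base = prefix.rstrip("/")
        if path == base or path.startswith(base + "/"):
            return True
    return False


def decide(client_ip, uri, hardened=True):
    """Mirror the HTTP_REQUEST rule: 'discard' only when the path is protected
    AND the client is untrusted; otherwise fall through to the pool (no 'forward')."""
    protected = uri_is_secure_hardened(uri) if hardened else uri_is_secure_literal(uri)
    if protected and not client_is_trusted(client_ip):
        return "discard"
    return "allow"


if __name__ == "__main__":
    # Constructed requests; the two result columns show where the literal
    # prefix test and the normalised test disagree.
    requests = [
        ("192.168.3.14", "/restricted/restricted.htm"),
        ("192.168.4.1", "/restricted/restricted.htm"),
        ("192.168.4.1", "/"),
        ("192.168.4.1", "/Restricted/restricted.htm"),
        ("192.168.4.1", "/%72estricted/"),
        ("192.168.4.1", "/images/../restricted/"),
        ("192.168.4.1", "/restricted"),
        ("10.20.30.40", "/restricted/"),
    ]
    for ip, uri in requests:
        print(f"{ip:14} {uri:30} literal={decide(ip, uri, False):8} hardened={decide(ip, uri)}")
```

The literal test is what the posted rule does: `[HTTP::uri]` is compared byte for byte, so `/Restricted/`, `/%72estricted/`, `/images/../restricted/` or `/restricted` (no trailing slash) from an untrusted address are not caught and reach the pool, where a case-insensitive or normalising server can still serve the restricted folder. If that matters in your environment, the iRule counterpart of the hardened branch is to test `[string tolower [HTTP::path]]` (which already excludes the query string) against lower-case data-group entries. As in Aaron's version, the allow branch has no `forward`, so permitted requests go to the virtual server's pool.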
  • Spot on - this one works a treat.....

     

    Thanks a lot chaps for your help on this.