Forum Discussion

wojo_99069
Feb 07, 2011

Access control for specific url

All,

I am trying to limit access to a certain URL for our company using an iRule. Basically, all access to api.example.com will need to be open, but access to api.example.com/tools will need to be restricted to private networks only. I came up with the iRule with a data group below, but it seems to block all access.

when HTTP_REQUEST {
   if { ([HTTP::uri] starts_with "/tools") and ([matchclass [IP::remote_addr] equals $$private_net]) } {
      pool api.example.com-443
   } else {
      reject
   }
}

class private_net {
   {
      network 10.0.0.0/8
      network 172.16.0.0/12
      network 192.168.0.0/16
   }
}

Any thoughts or suggestions?

Thanks.

  • Hi Wojo,

    On 9.4.4 or higher, remove the prefix from the private_net datagroup reference so it's just private_net. For 9.4.3 and lower, you can use $::private_net.

    http://devcentral.f5.com/wiki/default.aspx/iRules/CMPCompatibility.html

    Aaron
  • Thanks for the tip, we are running 10.1.0 on that F5.

    Would that actually cause my problem of all the access being denied while using $::private_net instead of just private_net?
  • Also, it looks like I missed a logic problem. Can you try this? It assumes you want all requests to go to the virtual server's default pool, except those to /tools that don't come from an internal IP address range.

    
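    when HTTP_REQUEST {
       # Only requests under /tools are restricted; everything else
       # falls through to the virtual server's default pool.
       if { [HTTP::uri] starts_with "/tools" } {
          # Drop the connection unless the client is in the private_net data group.
          if { not [matchclass [IP::remote_addr] equals private_net] } {
             reject
          }
       }
    }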
    

    Aaron
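
Added example, not part of the thread and not F5 code: a small Python model of the two iRules above, run over constructed requests to show why the first rule rejects everything except /tools from a private address while the second rejects only /tools from outside private_net. The function names and sample requests are assumptions made for illustration; the networks are the ones in the private_net data group.

```python
"""Added example: decision model of the two iRules in this thread."""
import ipaddress

# The private_net data group from the original post.
PRIVATE_NET = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_private_net(addr):
    """Stand-in for: matchclass [IP::remote_addr] equals private_net."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NET)


def original_rule(uri, addr):
    """First iRule: forward only /tools from private_net, reject all else."""
    if uri.startswith("/tools") and in_private_net(addr):
        return "pool"
    return "reject"


def corrected_rule(uri, addr):
    """Second iRule: reject only /tools from outside private_net."""
    if uri.startswith("/tools") and not in_private_net(addr):
        return "reject"
    return "default pool"


# Constructed sample requests (URI, client address). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for public clients.
SAMPLES = [
    ("/", "203.0.113.10"),
    ("/v1/orders", "10.1.2.3"),
    ("/tools", "192.168.5.9"),
    ("/tools/admin", "198.51.100.7"),
    ("/tools", "172.32.0.1"),   # just outside 172.16.0.0/12
]


def compare(samples=SAMPLES):
    """Return (uri, addr, original decision, corrected decision) rows."""
    return [(u, a, original_rule(u, a), corrected_rule(u, a))
            for u, a in samples]


if __name__ == "__main__":
    for row in compare():
        print("{:<14} {:<15} original={:<7} corrected={}".format(*row))
```

Like the iRules, the model compares the raw URI with a case-sensitive prefix match, so a deployment would normally normalise the path before making this check.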