Forum Discussion
wojo_99069
Nimbostratus
Feb 07, 2011
Access control for specific url
All,
I am trying to limit access to a certain url for our company using an iRule. Basically, all access to api.example.com will need to be open, but access to api.example.com/tools will need to be restricted to private networks only. I came up with the iRule with a data group below, but it seems to block all access.
    when HTTP_REQUEST {
        if { ([HTTP::uri] starts_with "/tools") and ([matchclass [IP::remote_addr] equals $$private_net]) } {
            pool api.example.com-443
        } else {
            reject
        }
    }

    class private_net {
        {
            network 10.0.0.0/8
            network 172.16.0.0/12
            network 192.168.0.0/16
        }
    }
Any thoughts or suggestions?
Thanks.
3 Replies
- hoolio
Cirrostratus
Hi Wojo,
On 9.4.4 or higher, remove the prefix from the private_net datagroup reference so it's just private_net. For 9.4.3 and lower, you can use $::private_net.
http://devcentral.f5.com/wiki/default.aspx/iRules/CMPCompatibility.html
Aaron
- wojo_99069
Nimbostratus
Thanks for the tip, we are running 10.1.0 on that F5.
Would that actually cause my problem of all the access being denied while using $::private_net instead of just private_net?
- hoolio
Cirrostratus
Also, it looks like I missed a logic problem. Can you try this? It assumes you want all requests to go to the virtual server's default pool, except those to /tools that don't come from an internal IP address range.

    when HTTP_REQUEST {
        # Only requests under /tools are restricted
        if { [HTTP::uri] starts_with "/tools" } {
            # Reject the request unless the client IP is in the private_net data group
            if { not [matchclass [IP::remote_addr] equals private_net] } {
                reject
            }
        }
    }
Aaron
