Forum Discussion

raytoles_75680
Jun 25, 2009

Access control iRule

We've written an iRule to deny access to a few URI(s). iRules is fairly new to us and we want to make sure we're writing our iRule in the most efficient way possible. Based on the client IP/network (internal network users require access) and the URI, we want to protect a list of URI(s). We've created two data group lists, allowed_admin_datagroup and denied_admin_datagroup. The allowed list includes the list of network subnets we want to allow access. The denied list includes a list of URI(s) we want to protect.

when HTTP_REQUEST {
    # Clients whose address is in the allowed subnet list skip the URI check entirely.
    if { not [matchclass [IP::client_addr] equals $::allowed_admin_datagroup] } {
        # Everyone else is refused if the request URI is in the protected list.
        if { [matchclass [HTTP::uri] equals $::denied_admin_datagroup] } {
            HTTP::respond 200 content "Not AllowedYou are not allowed to access this site!"
            log local0. "URI requested by [IP::client_addr] blocked.  URI requested = [HTTP::uri]"
        }
    }
}

4 Replies

  • hoolio
    Is it working? If not, you might want to set the URI to lowercase, URI decode it and use contains instead of equals for matchclass.

    Aaron
  • The iRule works, we are just trying to make sure it would not cause performance problems as writing iRules is very new to us.
  • hoolio
    If you expect it to be more common that a client would access a non-admin URI, you could reverse the order of the two if statements. This would make the iRule more efficient.

    That said, a blacklist for URIs is pretty easy to bypass. See this post for some examples:

    Irule for restriciting URL paths unsecure
    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=30900

    Aaron
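A version of the rule that applies Aaron's two suggestions, added here as an illustration rather than taken from the thread: it normalises the path (lowercase, URI-decoded) before matching so that case or percent-encoding differences do not slip past the list, and it tests the protected-URI list first so the common non-admin request exits after one lookup. It assumes the v10-style `class match` syntax and the two data group names from the question.

```tcl
when HTTP_REQUEST {
    # Normalise the path once: decode percent-encoding, then lowercase.
    # HTTP::path drops the query string, so only the path is compared.
    set path [string tolower [URI::decode [HTTP::path]]]

    # Check the protected-URI list first. Most requests are for other
    # paths and return here without the client-address lookup.
    # starts_with covers sub-paths under a protected prefix (e.g. /admin/).
    if { [class match $path starts_with denied_admin_datagroup] } {

        # Only clients in the internal subnets listed in
        # allowed_admin_datagroup may reach a protected path.
        if { ![class match [IP::client_addr] equals allowed_admin_datagroup] } {
            log local0. "Blocked [IP::client_addr] -> [HTTP::uri]"
            # 403 rather than 200 so monitoring and clients see a real denial.
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
            return
        }
    }
}
```

Entries in denied_admin_datagroup must be stored lowercase and decoded, since the rule compares the normalised path against them.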