Forum Discussion

raytoles_75680
Jun 25, 2009

Access control iRule

We've written an iRule to deny access to a few URI(s). iRules is fairly new to us and we want to make sure we're writing our iRule in the most efficient way possible. Based on the client IP/network (internal network users require access) and the URI, we want to protect a list of URI(s). We've created two data group lists, allowed_admin_datagroup and denied_admin_datagroup. The allowed list includes the list of network subnets we want to allow access. The denied list includes a list of URI(s) we want to protect.

when HTTP_REQUEST {
    # Clients whose address is NOT in the allowed subnet list...
    if { not [matchclass [IP::client_addr] equals $::allowed_admin_datagroup] } {
        # ...are refused when the requested URI is in the protected list.
        if { [matchclass [HTTP::uri] equals $::denied_admin_datagroup] } {
            HTTP::respond 200 content "Not Allowed. You are not allowed to access this site!"
            log local0. "URI requested by [IP::client_addr] blocked.  URI requested = [HTTP::uri]"
        }
    }
}

4 Replies

  • Is it working? If not, you might want to set the URI to lowercase, URI decode it and use contains instead of equals for matchclass.
  • The iRule works, we are just trying to make sure it would not cause performance problems as writing irules is very new to us.
  • If you expect it to be more common that a client would access a non-admin URI, you could reverse the order of the two if statements. This would make the iRule more efficient.

    That said, a blacklist for URI's is pretty easy to bypass. See this post for some examples:

    Irule for restricting URL paths unsecure
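The same subnet-allow / URI-deny check from the original post, restructured along the lines of the replies (URI-test first, lowercase and decode before matching, prefix rather than exact match, and a 403 instead of a 200). This is an added example, not the poster's iRule or an F5-supplied one; it assumes BIG-IP v10 or later (the `class` command) and the two data group names from the post.

```tcl
# Added example (not the original poster's iRule). Assumes BIG-IP v10+ and
# the data groups named in the post:
#   allowed_admin_datagroup : address data group of internal subnets
#   denied_admin_datagroup  : string data group of protected path prefixes
when HTTP_REQUEST {
    # Normalise the path before matching: decode percent-encoding and
    # lowercase it, so /Admin and /%41dmin compare equal to /admin.
    # HTTP::path excludes the query string, so a query value cannot
    # influence the prefix match.
    set path [string tolower [URI::decode [HTTP::path]]]

    # Cheap test first: most requests are not for protected paths and
    # exit here without an address lookup (the reorder suggested above).
    if { ![class match $path starts_with denied_admin_datagroup] } {
        return
    }

    # Protected path: allow only clients in the internal subnets
    # (equals on an address data group performs subnet matching).
    if { [class match [IP::client_addr] equals allowed_admin_datagroup] } {
        return
    }

    log local0. "Blocked [IP::client_addr] -> [HTTP::uri]"
    # 403 rather than 200 so clients and monitoring see a real denial.
    HTTP::respond 403 content "Not allowed" noserver "Content-Type" "text/plain"
}
```

URI::decode runs once here; if the application behind the virtual server decodes a second time, the path should be decoded until it no longer changes (or requests with remaining % sequences rejected) before the match.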