

pgsmith_120398
Jul 30, 2014

Access control to URI based on IP using datagroups

I am attempting to perform access control to a specific URI based on IP address. We would like to permit all internal traffic to anything on the host but would like to restrict a vendor's public IP address to only be able to access a single URI.

This works:

when HTTP_REQUEST {
   # Internal clients (address data group) may reach any URI: do nothing
   if { [matchclass [IP::client_addr] equals internal-access-dg]}{
   # Protected URI requested by anyone other than the vendor's fixed address: reject
   } elseif { [HTTP::uri] starts_with "/foo" and not ([IP::addr [IP::client_addr] equals 10.10.10.10/32])}{
     reject
   # Everything else (unprotected URIs, or the vendor on /foo) passes through
   } else {
   }
}

We are anticipating having quite a few of these cloud vendors that will need to connect to specific URIs as new applications are developed. I would like to simplify management down the road by creating a datagroup that contains the vendor's IP(s) and their URI within the application, then do a lookup of the URI and associate the paired IP address, so that access to each URI is permitted only to its matching IP address.

I have this built; I know it's wrong but I'm stuck here:

when HTTP_REQUEST {
   # Internal clients may reach any URI: do nothing
   if { [matchclass [IP::client_addr] equals internal-access-dg]}{
   # URI is listed in the string data group, but the client is not the address paired with it: reject
   # (IP::addr needs the double colon and the "equals" operator; the lookup uses the lowercased URI
   # so it matches the same key as the class match test)
   } elseif { [class match [string tolower [HTTP::uri]] starts_with external-access-dg] and not ([IP::addr [IP::client_addr] equals [class search -value external-access-dg starts_with [string tolower [HTTP::uri]]]])}{
     reject
   } else {
   }
}

The external-access-dg datagroup is set up like: /foo:=10.10.10.10/32

Any help would be appreciated.

1 Reply

  • I have written this and it appears to be working. I'll test with a vendor sometime and update its success.

    when HTTP_REQUEST {
        # Check if client IP address matches the internal IP ranges, if so do nothing
       if { [class match [IP::client_addr] equals internal-access-dg]}{
        # If the client IP is not in an internal IP range, check to see if the URI being accessed is secured.
       } elseif { [class match [string tolower [HTTP::uri]] starts_with external-access-dg]} {
          # If the URI being accessed is secured, set the variable hostvar to the value associated with the URI name
         set hostvar [class match -value [string tolower [HTTP::uri]] starts_with external-access-dg]
          # If the client IP matches the value associated with the URI name do nothing.
          # IP::addr is used instead of a string "eq" so that a value with a mask such as 10.10.10.10/32 still matches.
         if { [IP::addr [IP::client_addr] equals $hostvar] } {
          # If the URI is protected and traffic is coming from an un-trusted IP reject the traffic
         } else {
         reject
         }
       }
    }


    Any opinions on this or re-workings would be welcome!