Forum Discussion
pgsmith_120398
Altostratus
Jul 30, 2014
Access control to URI based on IP using datagroups
I am attempting to perform access control to a specific URI based on IP address. We would like to permit all internal traffic to anything on the host but would like to restrict a vendor's public IP ad...
pgsmith_120398
Altostratus
Jul 30, 2014
I have written this and it appears to be working. I'll test with a vendor sometime and update its success.

    when HTTP_REQUEST {
        # Check if the client IP address matches the internal IP ranges; if so, do nothing
        if { [class match [IP::client_addr] equals internal-access-dg] } {
            # If the client IP is not in an internal IP range, check to see if the URI being accessed is secured.
        } elseif { [class match [string tolower [HTTP::uri]] starts_with external-access-dg] } {
            # If the URI being accessed is secured, set the variable hostvar to the value that is associated with the URI name
            set hostvar [class match -value [string tolower [HTTP::uri]] starts_with external-access-dg]
            # If the client IP matches the value associated with the URI name, do nothing
            if { [IP::client_addr] eq $hostvar } {
                # If the URI is protected and traffic is coming from an untrusted IP, reject the traffic
            } else {
                reject
            }
        }
    }

Any opinions on this or re-workings would be welcome!
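
A Python model of the iRule's branch order, added here as an example (not the poster's code and not F5 code), for checking the decision table offline before testing with a vendor. The data group contents and sample requests are constructed, and the longest-prefix choice for overlapping entries is an assumption.

```python
import ipaddress

# Constructed stand-ins for the two data groups named in the iRule.
INTERNAL_ACCESS_DG = ["10.0.0.0/8", "192.168.0.0/16"]   # address-type group
EXTERNAL_ACCESS_DG = {"/vendorapp": "203.0.113.10"}     # URI prefix := allowed IP

def in_address_group(client_ip, group):
    """Model of `class match <ip> equals <address data group>`."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in group)

def lookup_prefix(uri, group):
    """Model of `class match -value <uri> starts_with <string data group>`.
    Returns the value stored for a matching prefix, or None. With
    overlapping prefixes this model picks the longest (an assumption)."""
    hits = [key for key in group if uri.startswith(key)]
    return group[max(hits, key=len)] if hits else None

def decide(client_ip, uri):
    """Return 'allow' or 'reject', following the iRule's branch order."""
    if in_address_group(client_ip, INTERNAL_ACCESS_DG):
        return "allow"                  # internal clients reach everything
    allowed_ip = lookup_prefix(uri.lower(), EXTERNAL_ACCESS_DG)
    if allowed_ip is None:
        return "allow"                  # URI not listed: no restriction applied
    # The iRule compares with `eq` (string equality), so the stored value
    # must be one address written exactly as the client address appears.
    return "allow" if client_ip == allowed_ip else "reject"

CASES = [  # constructed requests: (client IP, URI)
    ("10.1.2.3", "/vendorapp/upload"),
    ("203.0.113.10", "/VendorApp/upload?id=1"),
    ("198.51.100.7", "/vendorapp/upload"),
    ("198.51.100.7", "/other/page"),
]

if __name__ == "__main__":
    for ip, uri in CASES:
        print(f"{ip:15} {uri:28} {decide(ip, uri)}")
```

The last case shows that a URI absent from external-access-dg is reachable from any address, since the iRule only rejects when a listed prefix matches and the client IP differs from its stored value.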