Forum Discussion
Access rule to deny IP based on URI called
We have moved some IIS servers to be hosted behind some LTM 1600's. They are doing SSL offload and all is working.
However, before the F5's were used, the IIS servers had some IP restrictions on certain parts of the website for the web management portal, to prevent unwanted people from accessing it. However, now that the IIS servers are behind the F5's, they only ever see the F5's self IP connect to them.
Is there a way using an iRule or an access list so that if someone called a specific URI it is limited by an access list?
3 Replies
- What_Lies_Bene1
Cirrostratus
Hey. Yes, that's possible, however, I wonder if removing the SNAT you obviously have in place is possible as I feel that would be a better solution.
- nitass
Employee
Is there a way using an iRule or an access list so that if someone called a specific URI it is limited by an access list?
You can make it by using HTTP::uri, data group and class match. It is the same concept as the following thread.
Access control for specific url
https://devcentral.f5.com/questions/access-control-for-specific-url
- Kevin_Stewart
Employee
If I may add, I think WLB's initial notion would be the most sound. If you remove the SNAT profile then the servers see the client's true source and you're back to where you started. Of course, to make that work you have to force return routing in another way, usually by making the F5 self-IP the default route for the servers. In lieu of that, I would be cautious using the F5 as an authorization platform. While it is entirely possible, and quite easy to do so, you might eventually find yourself managing very complex authz rulesets, and in multiple places. I think if you're going to do anything, and you cannot turn off SNAT, I'd recommend simply passing an X-Forwarded-For header and adding some code to your application to read this HTTP header (instead of the source address).
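The data-group approach and the X-Forwarded-For suggestion from the replies above, combined in one iRule. This is an added example, not code posted in the thread; the data group names `mgmt_uri_prefixes` and `mgmt_allowed_nets` are hypothetical and would have to be created on the BIG-IP first.

```tcl
# Added example, not from the thread. Hypothetical data groups:
#   mgmt_uri_prefixes  (type string)   e.g. "/admin", "/manage"
#   mgmt_allowed_nets  (type address)  e.g. 10.20.0.0/16, 192.0.2.10
when HTTP_REQUEST {
    # IIS matches paths case-insensitively, so decode and lowercase before
    # comparing. HTTP::path is used rather than HTTP::uri so the query
    # string cannot influence the match.
    set path [string tolower [URI::decode [HTTP::path]]]

    # On the client side of the virtual server this is still the real
    # source address; SNAT only rewrites the server-side connection.
    set src [IP::client_addr]

    if { [class match $path starts_with mgmt_uri_prefixes] } {
        if { not [class match $src equals mgmt_allowed_nets] } {
            log local0.notice "Denied $src for protected path $path"
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
            return
        }
    }

    # Drop any X-Forwarded-For value the client sent before inserting the
    # address the BIG-IP observed, so the application never reads a
    # client-supplied value as the source address.
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" $src
}
```

If the application is changed to read X-Forwarded-For, it should trust the header only on connections arriving from the F5 self IP.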