Access to VIP by irule for matching a header value OR allowing ips using data-group

Question

Hi experts, we have a requirement in writing an irule that only allows access to the VS when it matches a certain hexa-decimal value in the http_header, example value ='3196E8D30330CA17238FAS013036'.
At the same time it should be only allowing IPs from a whitelist datagroup. If it is NOT matching either of these conditions, the connection needs to be dropped. (So it`a a OR for both the conditions)
Please advise??&nbsp;

dej · Answer

Hello,&nbsp;Depending on your VIP preference. The below irule will drop the traffic if neither value matches. If there is a match it will go to the default pool assigned to the VIP. If you need both values to match change or to and.&nbsp;when HTTP_REQUEST {
    Check if http_header contains hex code or the client IP is not in the allow list
    if { !(([HTTP::header "name_of_header"] equals "3196E8D30330CA17238FAS013036") or ([class match [IP::client_addr] equals WHITELIST]))} {
    if neither value matches drop traffic
       drop
    }
}

sandy16 · Answer

thanks, so I have done this (added the pool default and else for drop) but it gives me some errors in the GUI - &nbsp;
when HTTP_REQUEST {
    Check if http_header contains hex code or the client IP is not in the allow list
    if { !([HTTP::header "name_of_header"] equals "3196E8D30330CA17238FAS013036" or [class match [IP::client_addr] equals WHITELIST])} {
    pool default
    else {
    if neither value matches drop traffic
       drop
    }
}&nbsp;

dej · Answer

Hello S,  
I've updated the iRule a bit.  My apologies but I'm pretty much free-handing this iRule (left my laptop at work).  A few questions.  
1. What header will contain the hex value you are matching against?
2. Have you already created the datagroup you will be using in this iRule?
3. Try the edited code in my original reply.  If you still get a GUI error, please post the error.

sandy16 · Answer

ok, the error i get is: [invalid option "else" must be: member][else]
what am i doing wrong?&nbsp;

dej · Answer

Looking at the iRule you pasted in it looks like there may be a close bracket missing in front of else
} else

Forum Discussion

Access to VIP by irule for matching a header value OR allowing ips using data-group

6 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Issue with IIS and Client Component Service Load balancing

Syslog Filter Configuration for Separating Audit and LTM logs.

Use F5 APM as Forward Proxy

Forward proxy with SSL passthrough - SWG license required?

Related Content

Intermediate iRules: Data-Groups

v11: iRules Data Group Updates

External Data Group Import Failing.

Class match with starts_with - Data group matching order

iRules Data Group Formatting Rules

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS