
Forum Discussion

RobS
Jun 11, 2008

ACL for sub-website?

I'm pretty weak with iRules so I was wondering if anyone has an idea on how to accomplish the following:

I need an iRule that checks for users destined for a subsite on our URL and then filters them through an ACL. I think this would be accomplished by first using:

    when HTTP_REQUEST {
       switch -regexp [string tolower [HTTP::uri]] {
          "^/xxx" {
             # ACL check for the subsite goes here
          }
       }
    }

After determining users are destined to this subsite I need to apply the ACL and only allow those I specified in a Data Group List. I saw the sample for the ACL, but I'm having difficulty figuring out how I would tie the whole thing together. Any help greatly appreciated.

Thanks!

5 Replies

  • I haven't tested this but I think it might be the logic you are looking for.

      class subsite {
         "/foo"
         "/foobar"
         "/feefifoo"
      }

      class allow {
         "192.168.1.1"
         "192.168.1.3"
         "192.168.1.4"
      }

      when HTTP_REQUEST {
         # Reject requests for the subsite unless the client is in the allow list
         if { [matchclass [string tolower [HTTP::uri]] starts_with $::subsite] && not [matchclass [IP::client_addr] equals $::allow] } {
            reject
         }
      }

    or

      class allow {
         "192.168.1.1"
         "192.168.1.3"
         "192.168.1.4"
      }

      when HTTP_REQUEST {
         switch -regexp [HTTP::uri] {
            "^XXX" {
               # Reject clients that are not in the allow list
               if { not [matchclass [IP::client_addr] equals $::allow] } {
                  reject
               }
            }
         }
      }

    hope this helps

    CB

  • Deb_Allen_18
    Historic F5 Account
    You'd want to be sure the class you create is of type "Address" for the IP::addr comparison to work as expected.

    The resulting class would look more like this:

      class myIPs {
         host 10.10.1.1
         network 192.168.1.1 255.255.255.0
      }

    There are at least a couple of good ACL examples in the codeshare.

    /deb
  • Deb_Allen_18
    Historic F5 Account
    Oh, and cmbhatt's first example for the additional URI comparison is preferred -- avoid regex wherever possible.

    /deb
  • RobS
    CB & Deb,

    Thanks for your help on this one. We got it working just the way we want by slightly altering the example you provided:

     class subsite {
        "/foo"
        "/foobar"
        "/feefifoo"
     }

     class allow {
        "192.168.1.1"
        "192.168.1.3"
        "192.168.1.4"
     }

     when HTTP_REQUEST {
        # Silently drop subsite requests from clients outside the allow list
        if { not [matchclass [IP::client_addr] equals $::allow] && [matchclass [string tolower [HTTP::uri]] contains $::subsite] } {
           discard
        }
     }

    Thanks,
    Rob
  • hoolio
    As Deb suggested before, you'd actually want to define the class as a type of 'address' to avoid doing a string comparison against the client IP address. This also allows you to define networks instead of individual hosts.

    The bigip.conf entry should look like:

      class myIPs {
         host 10.10.1.1
         network 192.168.1.1 255.255.255.0
      }

    And make sure you don't have a space in the class references. They should be $::allow and $::subsite.

    Aaron
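
    Putting the thread's advice together (address-type class for the client check, matchclass instead of regex, no space in the class references), as an added example that is not from any of the posters; the class names, addresses and paths are constructed sample values, and the log line is added so denied requests show up in the LTM log.

    ```tcl
    # bigip.conf data groups (v9 class syntax). Sample values are constructed.
    # String class: URI prefixes that make up the protected subsite
    class subsite {
       "/foo"
       "/foobar"
       "/feefifoo"
    }

    # Address class: clients permitted to reach the subsite (hosts or networks)
    class allow {
       host 192.168.1.1
       network 10.10.1.0 255.255.255.0
    }

    # iRule: everything outside the subsite passes through untouched;
    # subsite requests are rejected unless the client is in the allow class.
    when HTTP_REQUEST {
       set uri [string tolower [HTTP::uri]]

       # Only gate requests for the protected subsite (prefix match, no regex)
       if { [matchclass $uri starts_with $::subsite] } {
          # Address class comparison handles both host and network entries
          if { not [matchclass [IP::client_addr] equals $::allow] } {
             # Record the denial in /var/log/ltm so blocked attempts are visible
             log local0. "Denied [IP::client_addr] -> [HTTP::host]$uri"
             reject
          }
       }
    }
    ```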