Forum Discussion

RobS's avatar
RobS
Icon for Altostratus rankAltostratus
Jun 11, 2008

ACL for sub-website?

I'm pretty weak with iRules so I was wondering if anyone has an idea on how to accomplish the following:

 

 

I need an iRule that checks for users destined for a subsite on our URL and then filtering through an ACL. I think this would be accomplished by first using:

 

 

when HTTP_REQUEST {

 

switch -regexp [string tolower [HTTP::uri] ] {

 

^/xxx

 

 

After determining users are destined to this subsite I need to apply the ACL and only allow those I specified in a Data Group List. I saw the sample for the ACL, but I having difficulty figuring out how I would tie the whole thing together. Any help greatly appreciated.

 

 

Thanks!
application delivery
dev
devops
iRules
  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Jun 11, 2008
    I haven't tested this but I think it might the logic you are looking for. 

      
  class subsite {     
  "/foo"     
  "/foobar"     
  "/feefifoo"  
  }  
    
  class allow {     
  "192.168.1.1"     
  "192.168.1.3"     
  "192.168.1.4"  
  }  
    
  when HTTP_REQUEST {  
       if { not ([matchclass [IP::client_addr] equals $::allow] && [matchclass [string tolower [HTTP::uri]] starts_with $::subsite]) } {   
       } else {  
         reject  
       }  
  }

    or 

      
    
  class allow {     
  "192.168.1.1"     
  "192.168.1.3"     
  "192.168.1.4"  
  }  
    
  when HTTP_REQUEST {  
       switch -regex [HTTP::uri] {  
      "^XXX" {  
             if { not ([matchclass [IP::client_addr] equals $::allow]) }  
             } else {  
              reject  
             }  
       }  
  }

    hope this helps

    CB

  • Deb_Allen_18's avatar
    Deb_Allen_18
    Historic F5 Account
    Jun 11, 2008
    you'd want to be sure the class you create is of type "Address" for the IP::addr comparison to work as expected.

    The resulting class would look more like this: 

     
 class myIPs { 
   host 10.10.1.1 
   network 192.168.1.1 255.255.255.0 
 }

    There are at least a couple of good ACL examples in the codeshare:

    Click here

    Click here

    /deb
  • Deb_Allen_18's avatar
    Deb_Allen_18
    Historic F5 Account
    Jun 11, 2008
    oh, and cmbhatt's first example for the additional URI comparison is preferred -- avoid regex wherever possible.

     

     

    /deb
  • RobS's avatar
    RobS
    Icon for Altostratus rankAltostratus
    Jun 17, 2008
    CB & Deb,

     

     

    Thanks for your help on this one. We got it working just the way we want by slightly altering the example you provided:

     

     

    class subsite {

     

    "/foo"

     

    "/foobar"

     

    "/feefifoo"

     

    }

     

     

    class allow {

     

    "192.168.1.1"

     

    "192.168.1.3"

     

    "192.168.1.4"

     

    }

     

     

    when HTTP_REQUEST {

     

    if { not [matchclass [IP::client_addr] equals $:: allow] && [matchclass [string tolower [HTTP::uri]] contains $:: subsite] } {

     

    discard

     

    } else {

     

    }

     

    }

     

     

    Thanks,

     

    Rob
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jun 17, 2008
    As Deb suggested before, you'd actually want to define the class as a type of 'address' to avoid doing a string comparison against the client IP address. This also allows you to define networks instead of individual hosts.

    The bigip.conf entry should look like: 

     
 class myIPs {  
    host 10.10.1.1  
    network 192.168.1.1 255.255.255.0  
 }

    And make sure you don't have a space in the class references. They should be $::allow and $::subsite.

    Aaron