Adding IP Filtering after pool selection and/or http redirect

Question

So I have a shared application URL VIP that I have configured.  Currently it is context based on ports 80/443.   So right now I am routing based on the URI of the request.  But now I have been tasked with adding security to a portion of that pathway and wide open down the other path.  So I am aware of how to do IP Filtering initially in iRules and use it routinely but not sure how to properly put filtering in after the pool has been selected.  I tried using a when LB_Selected but that failed.&nbsp;
&nbsp;Current Flow Requirements:
&nbsp;Path 1:  All traffic routed to http://sharedapps_VIP/qa/  or /b2b/qa
&nbsp;     A.  Redirect (in another iRule) to https://sharedapps_VIP/qa or b2b/qa 
&nbsp;     B.  The below rule then routes it to pool "sharedapps_1_qa_pool"
&nbsp;Path 2:  All traffic routed to http://sharedapps_VIP/sms/  or /b2b/services&nbsp;
     A.  Redirect (in another iRule) to https://sharedapps_VIP/sms/ or b2b/services &nbsp;
     B.  The below rule then routes it to pool "sharedapps_1_prod_pool"&nbsp;
Path 3:  All traffic routed to http://sharedapps_VIP/&nbsp;
     A.  Redirect (in another iRule) to https://sharedapps_VIP/&nbsp;
     B.  The below rule then routes it to pool "sharedapps_2_qa_pool"
&nbsp;     C.  Appends the weburi to end of request.&nbsp;
&nbsp;Current iRule:&nbsp;rule SharedApps_Web_Redirect {
&nbsp;   when HTTP_REQUEST {
&nbsp;    set host [HTTP::host]
&nbsp;    set uri [HTTP::uri]
&nbsp;   if { [HTTP::uri] starts_with "/qa"  or [HTTP::uri] starts_with "/b2b/qa/" } {
&nbsp;          log local0. "chosen pool is QA Pool"
&nbsp;          pool sharedapps_1_qa_pool
&nbsp;     } elseif { [HTTP::uri] starts_with "/sms"  or [HTTP::uri] starts_with "/b2b/services"  } {
&nbsp;          log local0. "chosen pool PROD Pool"
&nbsp;          pool  sharedapps_1_prod_pool
&nbsp;     } elseif { [HTTP::uri] equals "/" } {
&nbsp;      set weburi "/web/loginreg/loginStart.do"
&nbsp;         HTTP::redirect "https://$host$weburi"
&nbsp;          pool  sharedapps_2_Prod_Pool
&nbsp;     } else {
&nbsp;        pool sharedapps_2_Prod_Pool
&nbsp;      }
&nbsp;}
&nbsp;}&nbsp;&nbsp;
&nbsp;What is needed in new requirements:&nbsp;
&nbsp;Current Flow Requirements:
&nbsp;Path 1:  Restrict traffic routed to http://sharedapps_VIP/qa/  or /b2b/qa
&nbsp;     A.  Redirect (in another iRule) to https://sharedapps_VIP/qa or b2b/qa 
&nbsp;     B.  The below rule then routes it to pool "sharedapps_1_qa_pool"
&nbsp;Path 2:  Restrict traffic routed to http://sharedapps_VIP/sms/  or /b2b/services&nbsp;
     A.  Redirect (in another iRule) to https://sharedapps_VIP/sms/ or b2b/services &nbsp;
     B.  The below rule then routes it to pool "sharedapps_1_prod_pool"&nbsp;
Path 3:  All traffic routed to http://sharedapps_VIP/&nbsp;
     A.  Redirect (in another iRule) to https://sharedapps_VIP/&nbsp;
     B.  The below rule then routes it to pool "sharedapps_2_qa_pool"&nbsp;
     C.  Appends the weburi to end of request.&nbsp;&nbsp;
&nbsp;So you can see I am at an impasse and I have used Google and looked over devcentral.  I know it is something easy that I am missing but I thought I would reach out for some assistance.  If I left anything out I apologize and will provide it to assist in any help.&nbsp;
&nbsp;Thanks in Advance.&nbsp;

hoolio · Answer

Hi Scott, 
&nbsp;  
&nbsp; I'm not sure I clearly understand your updated requirements.  What IP filtering logic do you want to implement?  Do you want to check the source IP address/subnet or the pool member IP address/subnet?  Under which case(s) do you want to perform this check? 
&nbsp;  
&nbsp; Also, your existing rule is issuing a redirect and selecting a pool for requests to /.  I think the redirect would take precedence over the pool selection.  You could remove which either action you don't need done in that scenario. 
&nbsp;  
&nbsp; Lastly, you might find a switch statement as a cleaner way to implement the URI checking.  Here is a link to the switch wiki page: 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/switch 
&nbsp;  
&nbsp; Aaron

scottg_82592 · Answer

Thx Aaron, 
&nbsp;  
&nbsp; Basically I have to restrict traffic to sharedapps1 path but not restrict traffic to the sharedapps2 path.  So I have to allow all traffic to one but restrict all unauthorized traffic to the other.

hoolio · Answer

When you say restrict, do you mean check the client IP to see if it's valid?  If so, you can use class match (v10) or matchclass (v9) to check the client IP against an IP address/subnet datagroup of whitelisted addresses.  You could send an HTTP response with HTTP::respond, reset the TCP connection with the reject command or drop any subsequent packets on the connection using drop.   
&nbsp;  
&nbsp; If that's not what you're aiming for, can you you clarify the scenario? 
&nbsp;  
&nbsp; Thanks, Aaron

Forum Discussion

Adding IP Filtering after pool selection and/or http redirect

Recent Discussions

VS FORWARDING & ROUTE

Diameter iRules attachment?

Source IP F5 DNS Zone Forwarder

F5 BIG-IP

BIG-IP Oauth Client and AS

Related Content

(HTTP) Redirection via Arbitrary Host Header

Selective SNAT

Anchor Link Redirect

GTM Selective Persistence

Selective Client Cert Authentication

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS