Forum Discussion
Allow a specific resource's access based on source IP addresses
Hello, I have a need to create an iRule for a url with 2 endpoints.
endpoint1 = myCertCN/path1
endpoint2 = myCertCN/path2
I need to:
- expose endpoint1 to all IPs,
- expose endpoint2 to 3 IP sets (10.10.10.10, 11.11.11.56/29, 12.12.12.208/29)
Is the below syntax correct?
```tcl
when HTTP_REQUEST {
    set httpUri [HTTP::uri]
    set clientIp [class match -value [IP::client_addr] equals allowed_ip_addresses]
    if { $httpUri starts_with "/path2" && $clientIp not equals "10.10.10.10" } {
        drop
    } else if { $httpUri starts_with "/path2" && $clientIp not equals "11.11.11.56/29" } {
        drop
    } else if { $httpUri starts_with "/path2" && $clientIp not equals "12.12.12.208/29" } {
        drop
    } else {
        pool
    }
}
```
In the above example, pool points to ip:port of myCertCN.
- Andy_McGrath
Cumulonimbus
Set up a data group with type IP Addresses, add the allowed IP address subnets to it, name it ‘allowed_ip_addresses’, and the following iRule should do the job.
```tcl
when HTTP_REQUEST {
    set httpUri [string tolower [HTTP::uri]]
    # strip the route domain suffix (e.g. %1) from the client address
    set clientIp [getfield [IP::client_addr] "%" 1]
    # check uri path and client IP is not in the allowed list
    if {($httpUri starts_with "/path2") && !([class match $clientIp equals allowed_ip_addresses])} {
        # drop or reject to end the connection
        drop
    }
}
```
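To check the allow-list decision offline before deploying, the following is an added Python model (not code from the thread or from F5) of the data-group rule beside the question's if / else if chain. It assumes each comparison in the chain is read as a subnet membership test; the function names and sample requests are constructed for illustration.

```python
import ipaddress

# The three IP sets from the question, as entries of allowed_ip_addresses.
ALLOWED = [ipaddress.ip_network(n) for n in
           ("10.10.10.10/32", "11.11.11.56/29", "12.12.12.208/29")]
RESTRICTED_PREFIX = "/path2"


def strip_route_domain(addr: str) -> str:
    """Mirror of getfield [IP::client_addr] "%" 1: 10.1.1.1%2 -> 10.1.1.1."""
    return addr.split("%", 1)[0]


def in_allowed(addr: str) -> bool:
    ip = ipaddress.ip_address(strip_route_domain(addr))
    return any(ip in net for net in ALLOWED)


def datagroup_rule(uri: str, client: str) -> str:
    """Data-group rule: drop only /path2 requests from unlisted clients."""
    if uri.lower().startswith(RESTRICTED_PREFIX) and not in_allowed(client):
        return "drop"
    return "pool"


def chained_rule(uri: str, client: str) -> str:
    """If / else-if chain: the first comparison that fails drops the request."""
    ip = ipaddress.ip_address(strip_route_domain(client))
    if uri.startswith(RESTRICTED_PREFIX):
        for net in ALLOWED:
            if ip not in net:  # no address is inside all three sets
                return "drop"
    return "pool"


# Constructed sample requests: (uri, client address)
SAMPLES = [
    ("/path1/index", "203.0.113.9"),
    ("/path2/admin", "203.0.113.9"),
    ("/path2/admin", "10.10.10.10"),
    ("/PATH2/admin", "11.11.11.57%1"),
    ("/path2/admin", "12.12.12.216"),
]

if __name__ == "__main__":
    for uri, client in SAMPLES:
        print(f"{client:16} {uri:14} data-group={datagroup_rule(uri, client):5}"
              f" chained={chained_rule(uri, client)}")
```

Under that reading the chain drops every /path2 request, including those from listed addresses, while the data-group rule drops only clients outside the three sets.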