allow access to URL by specific IP range - all others rejected

Question

For a specific URL I need to allow access to URL only to our internal IP range, all other IP addresses need to be rejected.&nbsp;
&nbsp;Something along these lines, but clearly this is not correct.  Can anyone help?&nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp;     {[HTTP::uri] "special_file"}
&nbsp;{ [IP::addr [IP::remote_addr] equals 72.xxx.xxx.0/72.xxx.xxx.26 ] } {
&nbsp;     reject
&nbsp; }
&nbsp;}&nbsp;

michael_yates · Answer

Sorry...I had to edit my first post and the format is never the same after an edit: 
  
 Go into your LTM under iRules -&gt; Data Group List 
  
 Create -&gt;  Name it -&gt; Type Address 
  
 Add the IP Addresses (or configure the Network Range) that you want to allow (Then replace the "PoolOfAllowedAddresses" with the name of the group you created).

when HTTP_REQUEST {
if { [HTTP::host] equals "www.website.com" and ([matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses ]) } {
pool poolofallowedservers
}
else {
reject
}
}

This is designed to Accept anything in the Data Group and Reject everything else.

winifred_corbet · Answer

excellent.  I will give it a try.  Thanks.&nbsp;

winifred_corbet · Answer

Another question: 
&nbsp; I need to specify if a 'specific" URL is hit and they are *not* coming from the IP range called out in 'Data group List" I need to reject them. 
&nbsp;  
&nbsp; So, 
&nbsp; If "a Specific Full URL" and *not* coming from "data Group List" --- reject them

michael_yates · Answer

If you need to be extremely specific you can have it check the URI as well.

when HTTP_REQUEST {
    if { [HTTP::host] equals "www.website.com" and [HTTP::uri] equals "/somethingspecific/index.html" and [matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses ]) } {
        pool poolofallowedservers
    }
    else {
        reject
    }
}

If you want exclusive over inclusive you can make a few modifications: 
 
when HTTP_REQUEST {
    if { [HTTP::host] equals "www.website.com" and [HTTP::uri] equals "/somethingspecific/index.html" and !([matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses ]) } {
        reject
    }
    else {
        pool poolofallowedservers
    }
}

michael_yates_6 · Answer

If you need to be extremely specific you can have it check the URI as well.

when HTTP_REQUEST {
    if { [HTTP::host] equals "www.website.com" and [HTTP::uri] equals "/somethingspecific/index.html" and [matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses ]) } {
        pool poolofallowedservers
    }
    else {
        reject
    }
}

If you want exclusive over inclusive you can make a few modifications: 
 
when HTTP_REQUEST {
    if { [HTTP::host] equals "www.website.com" and [HTTP::uri] equals "/somethingspecific/index.html" and !([matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses ]) } {
        reject
    }
    else {
        pool poolofallowedservers
    }
}

Forum Discussion

allow access to URL by specific IP range - all others rejected

9 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Not seeing the latest F5OS-A when running Journeys

Related Content

APM-Specific Features for Securing Your Website

Deny access to F5 management from specific addresses

IRule for Exact resource access rejection

Zero Trust Application Access for Federal Agencies

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS