allow access to URL by specific IP range - all others rejected

Question

For a specific URL I need to allow access to URL only to our internal IP range, all other IP addresses need to be rejected.&nbsp;
&nbsp;Something along these lines, but clearly this is not correct.  Can anyone help?&nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp;     {[HTTP::uri] "special_file"}
&nbsp;{ [IP::addr [IP::remote_addr] equals 72.xxx.xxx.0/72.xxx.xxx.26 ] } {
&nbsp;     reject
&nbsp; }
&nbsp;}&nbsp;

michael_yates · Answer

Sorry...I had to edit my first post and the format is never the same after an edit: 
  
 Go into your LTM under iRules -&gt; Data Group List 
  
 Create -&gt;  Name it -&gt; Type Address 
  
 Add the IP Addresses (or configure the Network Range) that you want to allow (Then replace the "PoolOfAllowedAddresses" with the name of the group you created).

when HTTP_REQUEST {
if { [HTTP::host] equals "www.website.com" and ([matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses ]) } {
pool poolofallowedservers
}
else {
reject
}
}

This is designed to Accept anything in the Data Group and Reject everything else.

winifred_corbet · Answer

excellent.  I will give it a try.  Thanks.&nbsp;

winifred_corbet · Answer

Another question: 
&nbsp; I need to specify if a 'specific" URL is hit and they are *not* coming from the IP range called out in 'Data group List" I need to reject them. 
&nbsp;  
&nbsp; So, 
&nbsp; If "a Specific Full URL" and *not* coming from "data Group List" --- reject them

michael_yates · Answer

If you need to be extremely specific you can have it check the URI as well.

when HTTP_REQUEST {
    if { [HTTP::host] equals "www.website.com" and [HTTP::uri] equals "/somethingspecific/index.html" and [matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses ]) } {
        pool poolofallowedservers
    }
    else {
        reject
    }
}

If you want exclusive over inclusive you can make a few modifications: 
 
when HTTP_REQUEST {
    if { [HTTP::host] equals "www.website.com" and [HTTP::uri] equals "/somethingspecific/index.html" and !([matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses ]) } {
        reject
    }
    else {
        pool poolofallowedservers
    }
}

michael_yates_6 · Answer

If you need to be extremely specific you can have it check the URI as well.

when HTTP_REQUEST {
    if { [HTTP::host] equals "www.website.com" and [HTTP::uri] equals "/somethingspecific/index.html" and [matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses ]) } {
        pool poolofallowedservers
    }
    else {
        reject
    }
}

If you want exclusive over inclusive you can make a few modifications: 
 
when HTTP_REQUEST {
    if { [HTTP::host] equals "www.website.com" and [HTTP::uri] equals "/somethingspecific/index.html" and !([matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses ]) } {
        reject
    }
    else {
        pool poolofallowedservers
    }
}

Forum Discussion

allow access to URL by specific IP range - all others rejected

Recent Discussions

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

Related Content

Deny access to F5 management from specific addresses

IRule for Exact resource access rejection

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

iRule command to allow IP range to access specific URL

Access Troubleshooting: BIG-IP APM OIDC integration

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS