Allow Access to URL from Inside but Not From Internet

Oops, here is the code 🙂

 

 

 
when HTTP_REQUEST {
  switch -glob [string tolower [HTTP::path]] {
    "/proxyservice*" { 
      log local0. "[IP::client_addr]:[TCP::client_port]: Dropping request to [HTTP::uri]"
         HTTP::respond 200 content "Forbidden
        
        
        
        Website Error:  Forbidden
        Your information has been logged.
        "
    }
    default {
      pool www.domain.com_HTTP
    }
  }
}

e.g.

[root@ve10:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@ve10:Active] config  b rule myrule list
rule myrule {
   when HTTP_REQUEST {
   if { [HTTP::uri] starts_with "/proxyservice" } {
      if { not ([IP::addr [IP::client_addr] equals 10.16.0.0/16]) } {
         log local0. "[IP::client_addr]:[TCP::client_port]: Dropping request to [HTTP::uri]"
         HTTP::respond 200 content "Forbidden
        
        
        
        Website Error:  Forbidden
        Your information has been logged.
        "
      }
   }
}
}

[root@ve10:Active] config  tail -f /var/log/ltm
Oct 23 12:53:53 local/tmm info tmm[7926]: Rule myrule : 172.28.20.11:58988: Dropping request to /proxyservice/something

They don't seem to be popular but have you considered a packet filter? You won't be able to send a response to denied clients but in this case it would be far more efficient and minimise your exposure to DDoS attacks. Alternatively, if your internal and Internet clients connect via different VLANs, you could remove the VS from the 'public' VLAN.

Thanks for the info guys. The change to the iRule works as expected.

 

 

It's funny, after I posted this up I did think of doing IP filtering which would be a little easier and more efficient to implement in this case.

 

 

Thanks for the help!