Forum Discussion
Allow specific URI from specific IP's in data group
I have a data group class which contains the IP addresses of my network. I have to restrict some URIs so they can be accessed only from my network. I am using this iRule but it is not working for me; earlier I was able to put instructions in on the basis of FQDN and IP, but it is not working for URI and client address.
The second part of the iRule is working: it rejects requests for www.example.com that are not from my IP addresses. Example URL: www.example.com, URIs: /abc/db, /abc/cd, IP class name: myAddresses
iRule:
when HTTP_REQUEST {
    # This part is not working, as it rejects all requests for the URI
    if { [HTTP::uri] eq "/abc/db" or [HTTP::uri] eq "/abc/cd" } {
        if { [class match [IP::client_addr] equals myAddresses] } {
            forward
        } else {
            reject
        }
    }
    # This part is working
    switch [HTTP::host] {
        www.example.com {
            if { [class match [IP::client_addr] equals myAddresses] } {
                pool example_com
            } else {
                discard
            }
        }
    }
}
5 Replies
- Kevin_Stewart
Employee
The forward command isn't working the way you might think it is. Try this:
when HTTP_REQUEST {
    if { ( [string tolower [HTTP::uri]] eq "/abc/db" ) or ( [string tolower [HTTP::uri]] eq "/abc/cd" ) } {
        if { not ( [class match [IP::client_addr] equals myAddresses] ) } {
            reject
        }
    }
}
- Stefan_Klotz
Cumulonimbus
Hi,
I don't see any logical issue here. Can you insert some log statements in each if-block to verify whether your request is caught as expected? For the moment I see two possibilities: 1. The URI isn't matching (maybe you can try "starts_with" or "contains") 2. The client IP isn't matching your entries in the DGL. Please try this one:
if { ([HTTP::uri] eq "/abc/db") or ([HTTP::uri] eq "/abc/cd") } {
    log local0. "URI matched: [HTTP::uri]"
    if { not [class match [IP::client_addr] equals myAddresses] } {
        # This branch runs when the client is NOT in the data group
        log local0. "IP not in myAddresses: [IP::client_addr]"
        reject
    }
}
Ciao Stefan 🙂
- Emad
Cirrostratus
I have tried to log the request, but nothing is being logged.
- Emad
Cirrostratus
It's still not working, any luck?
- Kevin_Stewart
Employee
Add more logging:
when HTTP_REQUEST {
    log local0. "Initial request: [HTTP::uri]"
    log local0. "Client IP: [IP::client_addr]"
    if { ( [string tolower [HTTP::uri]] eq "/abc/db" ) or ( [string tolower [HTTP::uri]] eq "/abc/cd" ) } {
        log local0. "Matched URI"
        if { not ( [class match [IP::client_addr] equals myAddresses] ) } {
            log local0. "Didn't match IP allow list"
            reject
        }
    }
}
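Added example, not posted by anyone in this thread: a single iRule that combines both parts of the original question (the URI restriction and the host-based pool selection) with the logging the replies ask for. It assumes the same names as the question (an address-type data group called myAddresses and a pool called example_com) and an HTTP virtual server. Two details differ from the code above and are worth checking on the original rule: it matches on HTTP::path rather than HTTP::uri, so a request like /abc/db?x=1 still hits the restriction, and it answers untrusted clients with an HTTP 403 instead of a bare reject so the denial is visible to the client and in the log.

```tcl
# Added example for the thread above; not from any reply. Assumed names:
# data group "myAddresses" (type address) and pool "example_com".
when HTTP_REQUEST {
    # Normalise once. HTTP::path excludes the query string, so
    # "/abc/db?x=1" still matches, and tolower defeats "/ABC/DB".
    set path [string tolower [HTTP::path]]
    set host [string tolower [HTTP::host]]
    # 1 when the client address is in the data group, else 0
    set trusted [class match [IP::client_addr] equals myAddresses]

    log local0. "req host=$host path=$path client=[IP::client_addr] trusted=$trusted"

    # Restricted paths: the two exact paths plus anything below them.
    switch -glob -- $path {
        "/abc/db" - "/abc/db/*" - "/abc/cd" - "/abc/cd/*" {
            if { !$trusted } {
                log local0. "deny restricted path $path from [IP::client_addr]"
                # Explicit 403 instead of a TCP reset: easier to see in
                # client-side testing and in the LTM log.
                HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
                return
            }
        }
    }

    # Host-based routing: only trusted clients reach www.example.com.
    if { $host eq "www.example.com" } {
        if { $trusted } {
            pool example_com
        } else {
            log local0. "drop $host from untrusted [IP::client_addr]"
            discard
        }
    }
}
```

If the "trusted=0" line appears in the log for a client that should be allowed, the address or subnet is missing from myAddresses (or the data group is not of type address); if no "req" line appears at all, the iRule is not attached to the virtual server that the request reaches.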