
Forum Discussion

Jonas_Isaksson_
Apr 28, 2015

Allowed IP for "Host based virtual hosting".

Hi,

I have a small problem that I need a few pointers on how to solve.

I have a VS that is 'Standard' and uses the standard 'HTTP Profile'.

The VS has an iRule to determine the hostname that was hit and compare it to existing pools with a specific naming scheme.

If a pool exists it will use that pool, else it will do a 'reject'.

when HTTP_REQUEST {
    # The Host header is client-controlled; it is only used to build a
    # pool name, and a name that matches no pool makes "pool" throw.
    set HOST [HTTP::host]
    # "pool" errors out (caught here) when P_EXT_<host> does not exist,
    # so an unknown host is rejected instead of falling through to the
    # default pool. On success the catch has already selected the pool.
    if {[catch {pool "P_EXT_$HOST"}]} {
        reject
    } else {
        pool P_EXT_$HOST
    }
}

This works fine.

However, some of these I want to restrict access to, so that the iRule (or something else) needs to verify that a specific IP or range of IP addresses is allowed to "hit" the pool. Since there are multiple possibilities here I cannot really understand how to write the logic behind it.

I.e.

Y.A.COM can only be accessed by the range of 10.10.10.0/24

X.A.COM can only be accessed by the range of 10.10.11.0/24 & 10.10.12.0/24

I've read a few articles about how to put this inside the iRule, but since the iRule doesn't contain the actual mapping I cannot see how this could work (the iRule used to contain an 'Array' instead for handling host -> pool matching; however, this was dangerous ;). I would like to have the IP -> pool matching outside the iRule.

Is this possible?

What can provide me with the ability to map these together and make a decision based on if there is a match?

I appreciate all the help (also the 'Hey! Use the search function' kind ;) I can get, and thanks in advance.

PS. But I'd prefer a link if the answer is already out there! 😉

Thanks in advance, Jonas Isaksson, 'iRuler in training'.

1 Reply

  • I solved it by using a 'Data Group' that corresponds to the name of the pool.

    I also added 'X-Forwarded-For', to be used for better logging on the web servers since we use SNAT.

    when HTTP_REQUEST {
        # Replace any client-supplied X-Forwarded-For with the real client
        # address, so the web servers behind SNAT log the true source and a
        # client cannot spoof the value. Header names are case-insensitive,
        # hence the lowercase comparison.
        set xff 0
        foreach x [HTTP::header names] {
            if { [string tolower $x] equals "x-forwarded-for" } {
                set xff 1
                HTTP::header remove $x
                HTTP::header insert X-Forwarded-For [IP::client_addr]
            }
        }
        if { $xff == 0 } {
            HTTP::header insert X-Forwarded-For [IP::client_addr]
        }
        set HOST [HTTP::host]
        # Reject when no pool named P_EXT_<host> exists (the catch), or when
        # the Host header is a dotted-quad IP literal (scan fills four %d
        # fields) so requests addressed by IP never reach a pool.
        if {[catch {pool "P_EXT_$HOST"}] || [scan [HTTP::host] {%d.%d.%d.%d} 0 0 0 0] == 4} {
            reject
        } else {
            # A host is restricted only when an address data group named
            # DG_EXT_<host> exists; "class match" checks whether the client
            # address falls inside any network listed in it. A host with a
            # pool but no data group is reachable from any client.
            if {[class exists "DG_EXT_$HOST"] } {
                if {![class match [IP::client_addr] eq "DG_EXT_$HOST"]} {
                    reject
                } else {
                    pool "P_EXT_$HOST"
                }
            } else {
                pool "P_EXT_$HOST"
            }
        }
    }
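The decision logic of the reply, modelled in Python so it can be exercised offline. This is an added example and not code from the thread or from F5; pool and data-group names follow the P_EXT_<host> / DG_EXT_<host> scheme from the reply, and the hosts, networks and client addresses are constructed for the example. It goes beyond the posted iRule in two ways, both marked in the code: the Host header is normalized (a :port suffix is stripped and the name is lowercased, because BIG-IP object names are case-sensitive while Host is not), and a fail_closed switch is offered, because the posted rule lets any client reach a pool that has no matching data group.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed configuration standing in for the BIG-IP objects. Names follow
# the thread's P_EXT_<host> / DG_EXT_<host> scheme; hosts and networks are
# made up for the example. open.a.com has a pool but no data group.
POOLS = {"P_EXT_y.a.com", "P_EXT_x.a.com", "P_EXT_open.a.com"}
DATA_GROUPS: Dict[str, List[str]] = {
    "DG_EXT_y.a.com": ["10.10.10.0/24"],
    "DG_EXT_x.a.com": ["10.10.11.0/24", "10.10.12.0/24"],
}


def normalize_host(host_header: str) -> Optional[str]:
    """Turn a raw Host header into the lookup key for pool/data-group names.

    Added normalization (not in the posted iRule): strip an optional :port
    and lowercase. Returns None for an IP literal, which the posted iRule
    rejects, and for an empty value.
    """
    host = host_header.strip()
    if host.startswith("["):            # bracketed IPv6 literal
        return None
    host = host.split(":", 1)[0].lower()
    if not host:
        return None
    try:
        ipaddress.ip_address(host)      # dotted-quad literal -> reject
        return None
    except ValueError:
        return host


def client_in_data_group(client_ip: str, records: List[str]) -> bool:
    """Equivalent of `class match <ip> ... <address data group>`: true when
    the client address lies inside any network listed in the group."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in records)


def route(host_header: str, client_ip: str,
          fail_closed: bool = False) -> Tuple[str, Optional[str]]:
    """Return ("pool", name) or ("reject", None) for one request.

    fail_closed=False mirrors the reply's iRule: a host with a pool but no
    data group is reachable from anywhere. fail_closed=True is an added
    stricter variant that requires an allow-list for every host.
    """
    host = normalize_host(host_header)
    if host is None:
        return ("reject", None)
    pool = f"P_EXT_{host}"
    if pool not in POOLS:               # the catch {pool ...} branch
        return ("reject", None)
    records = DATA_GROUPS.get(f"DG_EXT_{host}")
    if records is None:                 # no data group for this host
        return ("reject", None) if fail_closed else ("pool", pool)
    if client_in_data_group(client_ip, records):
        return ("pool", pool)
    return ("reject", None)


if __name__ == "__main__":
    # Constructed requests: (Host header, client address)
    for hdr, ip in [("y.a.com", "10.10.10.5"), ("Y.A.COM:443", "10.10.11.5"),
                    ("x.a.com", "10.10.12.200"), ("open.a.com", "192.0.2.1"),
                    ("10.10.10.10", "10.10.10.5"), ("nope.a.com", "10.10.10.5")]:
        print(f"{hdr:16} from {ip:14} -> {route(hdr, ip)}  "
              f"fail_closed -> {route(hdr, ip, fail_closed=True)}")
```

The model reproduces the iRule's ordering of outcomes: unknown host and IP-literal Host both reject before any allow-list is consulted, and the allow-list check is network containment, which is what an address-type data group gives you on BIG-IP. Whether a host with no data group should be open or closed is a policy choice the thread leaves implicit; the fail_closed flag makes it explicit so the default can be reviewed rather than discovered.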