Forum Discussion
Based on 2 specific strings in the URL, allow, then restrict only a few incoming IP addresses.
Thank you in advance for help with this. I need to allow / restrict access to the application for the situation where the same VIP will be hit for the following two cases:
Use case 1) ogw/web context: Users --> VIP x.x.x.x (F5) --> If the context of the application is https://int.entservices.com/abc_services/ogw/web/****, F5 should allow all the requests (no IP restriction).
Use case 2) For the EMFBus context root, the request should be restricted based on IPs. Users --> VIP x.x.x.x (F5) --> If the context of the application is https://int.entservices.com/abc_services/EMFBus/****, F5 should allow the request based on the allowed IPs only. Here is the list of IPs:
Allow from 204.14.232.0/23 - East Coast Data Center (set one)
Allow from 204.14.238.0/23 - West Coast Data Center (set two)
Allow from 96.43.144.64/31 - Email service
Allow from 96.43.148.64/31 - Email service
+ a dozen more
Will it be one iRule or a combination of more than one iRule?
Thanks, Zahid.
5 Replies
- JPV_131616
Cirrus
Simple solution...
Create a single iRule which checks the context [HTTP::uri] == "/abc" or "/123" (the app URI, e.g. /abc or /123) for each case.
For case 1, where no IP restriction is required, just route to the pool for that app.
For case 2, put the restricted src IPs in a datagroup, then after checking for that URI in the HTTP request, check for the src IP via the datagroup; if not there, reject, otherwise route to the pool for that app.
I can provide an example irule if required, let me know.
thx
- zahid_113975
Nimbostratus
Thank you for that, much appreciated. Yes please, an example would be nice; that is where I was struggling.
Thanks.
- JPV_131616
Cirrus
First create a datagroup with whatever name you want (e.g. APPNAME_ALLOWED_IP) and add the src IPs you want in the list to be allowed to access the app2 URI.
    when HTTP_REQUEST {
        # Assumes an address-type datagroup named APPNAME_ALLOWED_IP holding the allowed source IPs/subnets
        set uri [HTTP::uri]
        if { $uri starts_with "/wideopenapp" } {
            # case 1: no IP restriction, just route to the app's pool
            pool wideopenapp_pool
        } elseif { $uri starts_with "/restrictedapp" } {
            # case 2: only sources found in the datagroup reach the pool, everything else is rejected
            if { [class match [IP::remote_addr] equals APPNAME_ALLOWED_IP] } {
                pool appname_pool_restricted
            } else {
                reject
            }
        }
        # any other URI: does nada (falls through to the virtual server's default pool)
    }
- bwolmarans_1284
Historic F5 Account
    when HTTP_REQUEST {
        set HOST_NAME "webserver.local"
        set NO_IP_RESTRICTION_PATH "/app1"
        set IP_RESTRICTED_PATH "/app2"
        set DEBUG 1
        if { $DEBUG } {
            # one line per request: host, path and client address, useful while testing the rule
            log local0. "DEBUG: [HTTP::host] [HTTP::path] [IP::client_addr]"
        }
        if { [HTTP::host] == $HOST_NAME } {
            # /app1 (no IP restriction) is never rejected here
            if { ! ([HTTP::path] starts_with $NO_IP_RESTRICTION_PATH) } {
                # /app2 is only reachable from the subnets in the FOX_SALESFORCE_SUBNETS datagroup
                if { [HTTP::path] starts_with $IP_RESTRICTED_PATH } {
                    set clientip [IP::client_addr]
                    if { ! ([class match $clientip equals FOX_SALESFORCE_SUBNETS]) } {
                        reject
                    }
                }
            }
        }
    }
- bwolmarans_1284
Historic F5 Account
I was working on this while JPV was posting - I'm too slow :-) In my version I tried to simplify it as best I could, and it is one iRule that does both functions. I ran a little bit of testing and it seems to work. Please give it a test.
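To sanity-check the datagroup contents and the path prefixes before loading an iRule like the ones above, here is an added Python model of the two-context policy from the question. It is not F5 code and not part of the thread: it re-implements the decision the iRules make (open path passes, restricted path is gated on the source address, everything else falls through to the default pool) with the standard ipaddress module, using the four subnets listed in the question as a constructed stand-in for the real datagroup, and replays constructed lines in the DEBUG log format emitted by the iRule above. The host name, path prefixes and sample addresses are assumptions taken from the question, not values from any real deployment.

```python
# Offline model of the two-context access policy discussed in the thread
# (added example, not F5 code). It mirrors the iRule decisions so the datagroup
# and the path prefixes can be checked before the rule goes on the BIG-IP.
from ipaddress import ip_address, ip_network

# Allowed sources for the EMFBus context, built from the subnets listed in the
# question (constructed list; the real datagroup has "a dozen more" entries).
EMFBUS_ALLOWED = [ip_network(n) for n in (
    "204.14.232.0/23",  # East Coast Data Center (set one)
    "204.14.238.0/23",  # West Coast Data Center (set two)
    "96.43.144.64/31",  # Email service
    "96.43.148.64/31",  # Email service
)]

HOST = "int.entservices.com"  # assumed from the URLs in the question
# Trailing slashes matter: "/abc_services/EMFBus" alone would also match a
# hypothetical "/abc_services/EMFBusiness/..." path under starts_with.
OPEN_PREFIX = "/abc_services/ogw/web/"
RESTRICTED_PREFIX = "/abc_services/EMFBus/"


def in_datagroup(client_ip, networks=EMFBUS_ALLOWED):
    """Equivalent of `class match $ip equals DATAGROUP` for an address datagroup."""
    addr = ip_address(client_ip)
    return any(addr in net for net in networks)


def decide(host, path, client_ip):
    """Return 'allow', 'reject' or 'default' (fall through to the default pool).

    The host check is case-insensitive here because hostnames are; the path
    comparison stays case-sensitive, like starts_with in an iRule.
    """
    if host.lower() != HOST:
        return "default"
    if path.startswith(OPEN_PREFIX):        # use case 1: no IP restriction
        return "allow"
    if path.startswith(RESTRICTED_PREFIX):  # use case 2: gated on the datagroup
        return "allow" if in_datagroup(client_ip) else "reject"
    return "default"


def replay_debug_log(lines):
    """Re-evaluate lines in the 'DEBUG: <host> <path> <ip>' format that the
    log local0. statement in the thread's iRule writes; returns (path, ip, verdict)."""
    results = []
    for line in lines:
        if not line.startswith("DEBUG: "):
            continue
        host, path, ip = line[len("DEBUG: "):].split()
        results.append((path, ip, decide(host, path, ip)))
    return results


if __name__ == "__main__":
    # Constructed sample log lines, including subnet boundary cases.
    sample = [
        "DEBUG: int.entservices.com /abc_services/ogw/web/login 198.51.100.7",
        "DEBUG: int.entservices.com /abc_services/EMFBus/api 204.14.233.255",  # last address of the /23
        "DEBUG: int.entservices.com /abc_services/EMFBus/api 204.14.234.1",    # just outside it
        "DEBUG: int.entservices.com /abc_services/EMFBus/api 96.43.144.65",    # inside the /31
        "DEBUG: int.entservices.com /abc_services/EMFBus/api 96.43.144.66",    # outside the /31
        "DEBUG: int.entservices.com /abc_services/EMFBusiness/x 204.14.232.1",  # not the EMFBus context
    ]
    for path, ip, verdict in replay_debug_log(sample):
        print(f"{verdict:8} {ip:16} {path}")
```

Running it prints one verdict per sample line; the /23 and /31 boundary addresses show whether the datagroup entries cover exactly the ranges intended, and the EMFBusiness line shows why the prefix should carry its trailing slash.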