Forum Discussion
Tony2020
Nimbostratus
May 25, 2017
Better way to match different URI based on XFF and different data group with IP
Hi All,
I was wondering if anyone can point out or suggest a better or more efficient way to put the two pieces of logic together in this code.
Data group:
- Data group with IP 1.1.1.1/32 & 1.1.1.2/32 & 5.5.5.0/24 called "DG-XFF-EXTERNAL-ALLOWED-IP"
- Data group with IP 2.2.2.1/32 and 2.2.2.2/32 called "DG-XFF-INTERNAL-ALLOWED-IP"
Requirement:
If the external user's IP is in "DG-XFF-EXTERNAL-ALLOWED-IP" and they go to URI "/externalURI", they are allowed in based on XFF IP matching; otherwise they will be rejected.
If the user's IP is in "DG-XFF-INTERNAL-ALLOWED-IP" and they go to URI "/internalURI", they are allowed in based on XFF IP matching; otherwise they will be rejected.
when HTTP_REQUEST {
    # First space-delimited field of the X-Forwarded-For header
    set CHECK_IP [getfield [HTTP::header values X-Forwarded-For] " " 1]
    switch -glob [HTTP::uri] {
        "/externalURI" {
            if { !([class match $CHECK_IP eq DG-XFF-EXTERNAL-ALLOWED-IP]) } {
                reject
            }
        }
    }
    switch -glob [HTTP::uri] {
        "/InternalURI" {
            if { !([class match $CHECK_IP eq DG-XFF-INTERNAL-ALLOWED-IP]) } {
                reject
            }
        }
    }
}
Thank you!
- JG
Cumulonimbus
Try this modified one:
when HTTP_REQUEST {
    # Strip spaces, split X-Forwarded-For on commas, and test every entry
    foreach CHECK_IP [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
        # Lower-case the path so the match is case-insensitive
        switch -glob [string tolower [HTTP::path]] {
            "/externaluri" {
                if { ! ([class match $CHECK_IP eq DG-XFF-EXTERNAL-ALLOWED-IP]) } {
                    reject
                }
            }
            "/internaluri" {
                if { ! ([class match $CHECK_IP eq DG-XFF-INTERNAL-ALLOWED-IP]) } {
                    reject
                }
            }
            default { }
        }
    }
}
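
A fail-closed variant of the same check, added here as an example and not posted by anyone in the thread: it picks the data group from the path once, then rejects when X-Forwarded-For is missing, empty, or contains an entry outside that group. It assumes a trusted proxy in front of the virtual server sets or overwrites X-Forwarded-For; rejecting on a missing header and the variable names `dg`, `entries`, `ip` and `hit` are choices made for this example.

```tcl
# Added example, not from the thread. Data group names are the ones in the
# question; failing closed on a missing or malformed header is an assumption.
when HTTP_REQUEST {
    # Map the requested path to the data group that guards it.
    switch -- [string tolower [HTTP::path]] {
        "/externaluri" { set dg "DG-XFF-EXTERNAL-ALLOWED-IP" }
        "/internaluri" { set dg "DG-XFF-INTERNAL-ALLOWED-IP" }
        default        { return }
    }

    # The header may be repeated and each value may hold a comma-separated
    # chain; flatten both into one list of trimmed entries.
    set entries [list]
    foreach value [HTTP::header values "X-Forwarded-For"] {
        foreach item [split $value ","] {
            lappend entries [string trim $item]
        }
    }

    # Header absent: there is nothing to match, so refuse the connection.
    if { [llength $entries] == 0 } {
        reject
        return
    }

    # Every entry must be in the group, as in the reply above.
    foreach ip $entries {
        # catch turns an error raised on non-address text into a rejection.
        if { [catch { class match -- $ip equals $dg } hit] || !$hit } {
            reject
            return
        }
    }
}
```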