For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chris_Miller's avatar
Chris_Miller
Icon for Altostratus rankAltostratus
Jun 28, 2010

Bit of Trouble iRule Logic

I have an iRule that handles persistence but also want to add logic that allows certain IPs to hit specific directories. I've defined a datagroup with the addresses that can hit these specific direct...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jun 28, 2010
Maybe something like this? 


when CLIENT_ACCEPTED {

    Check client IP against the white list once per TCP connection
   if {[matchclass [IP::client_addr] equals whitelist]}{
      set check_uri 1
   } else {
      set check_uri 0
   }
}
when HTTP_REQUEST {

    Check the URI if the client IP was in the whitelist or if the True-Client-IP header is
   if { $check_uri or ([HTTP::header "True-Client-IP"] ne "" and [matchclass [HTTP::header "True-Client-IP"] equals whitelist)}{

       Check the requested URI
      switch -glob [HTTP::uri] {
         "*1A1*" { pool 1A1 }
         "*1A2*" { pool 1A2 }
      }
       The default action is to use the VS's default pool
   }
}

As you're only assigning a pool in some cases, you'll want to use a OneConnect profile on the VS. If you're not using SNAT on the VS, it would be good to use a custom OC profile with the source mask set to 255.255.255.255. This ensures the client IP is accurate in the server logs.

Aaron