Forum Discussion

iRule's avatar
iRule
Icon for Cirrus rankCirrus
Dec 29, 2021

Block admin URLs for internet users only

Dear Community,

I need to block few admin URLs and its subdirectories from internet only. The URLs should be accessible from internal private IPs of organization.

 

Following needs to be blocked.

 

https://hostname.com/admin/*

https://hostname.com/login/*

https://hostname.com/manage/*

https://hostname.com/account/*

 

 

Please inform how to modify following iRule to accomplish above requirement.

 

https://support.f5.com/csp/article/K74012450

 

when CLIENT_ACCEPTED {

    log local0. "Client IP address is: [clientside {IP::remote_addr}]"

}

 when HTTP_REQUEST {

    log local0. "HTTP Path = [HTTP::path]"

    log local0. "HTTP Host = [HTTP::host]"

if { ([HTTP::host] eq "hostname.example.com") and ([HTTP::path] eq "/test/login") } {

    switch -glob [class match [IP::client_addr] eq private_net] {

        "1" {

            log local0. "The IP is private"

            pool HTTP_Pool

        }

        default {

            log local0. "The IP is public"

            set content "No Access"

            HTTP::respond 403 content $content

            unset content

        }

    }

}

   else {

        log local0. "Access to other URLs, granted to any IP"

        pool HTTP_Pool

   }

}

 

 

Warm Regards

  • Hi,

    Create an address data group and add private IPs to the data group.

    iRule (Change the datagroupname):

    when HTTP_REQUEST {
    	switch -glob [string tolower [HTTP::uri -normalized]] {
    		"/admin/*" -
    		"/login/*" -
    		"/manage/*" -
    		"/account/*" { 
    			if { not [class match [IP::client_addr] equals datagroupname] } {
    				drop
    				return
    			}
    		}
    	}
    }
  • Hi,

    Create an address data group and add private IPs to the data group.

    iRule (Change the datagroupname):

    when HTTP_REQUEST {
    	switch -glob [string tolower [HTTP::uri -normalized]] {
    		"/admin/*" -
    		"/login/*" -
    		"/manage/*" -
    		"/account/*" { 
    			if { not [class match [IP::client_addr] equals datagroupname] } {
    				drop
    				return
    			}
    		}
    	}
    }
    • iRule's avatar
      iRule
      Icon for Cirrus rankCirrus

      Thank You Enes for your response,

       

      I have managed to accomplish the task by using following iRule after reviewing iRule guide at https://clouddocs.f5.com/api/irules/. But this iRule is working in case sensitive manner. If I use hostname.example.com/admin/etc or hostname.example.com/account/money this iRule works fine but if I use hostname.example.com/Admin/etc or hostname.example.com/Account/money the iRule does not work.

      Please inform how I can make this iRule non-case sensitive.

       

      ========================

      when CLIENT_ACCEPTED {

        log local0. "Client IP address is: [clientside {IP::remote_addr}]"

      }

       when HTTP_REQUEST {

        log local0. "HTTP URI = [HTTP::uri]"

        log local0. "HTTP Host = [HTTP::host]"

      if { ([HTTP::host] eq "hostname.example.com") and ([[HTTP::uri]] starts_with "/admin/etc* or [HTTP::uri]] starts_with "/account/money" or [HTTP::uri]] starts_with "/login/test" or [HTTP::uri]] starts_with "/manage/team") } {

        switch -glob [class match [IP::client_addr] eq private_net] {

          "1" {

            log local0. "The IP is private"

            pool My_Pool

          }

          default {

            log local0. "The IP is public"

            set content "No Access"

            HTTP::respond 403 content $content

            unset content

          }

        }

      }

        else {

          log local0. "Access to other URLs, granted to any IP"

          pool My_Pool

        }

      }

      ========================

       

      Warm Regards

      • Hi,

         

        Use [string tolower [HTTP::uri]] instead of [HTTP::uri]

         

        etc* is misspelled. Replace with etc"