
Forum Discussion

iRule
Dec 29, 2021
Solved

Block admin URLs for internet users only

Dear Community,

I need to block a few admin URLs and their subdirectories from the internet only. The URLs should remain accessible from the organization's internal private IPs.

The following need to be blocked.

https://hostname.com/admin/*

https://hostname.com/login/*

https://hostname.com/manage/*

https://hostname.com/account/*

Please advise how to modify the following iRule to accomplish the above requirement.

https://support.f5.com/csp/article/K74012450

    when CLIENT_ACCEPTED {
        log local0. "Client IP address is: [clientside {IP::remote_addr}]"
    }

    when HTTP_REQUEST {
        log local0. "HTTP Path = [HTTP::path]"
        log local0. "HTTP Host = [HTTP::host]"
        if { ([HTTP::host] eq "hostname.example.com") and ([HTTP::path] eq "/test/login") } {
            switch -glob [class match [IP::client_addr] eq private_net] {
                "1" {
                    log local0. "The IP is private"
                    pool HTTP_Pool
                }
                default {
                    log local0. "The IP is public"
                    set content "No Access"
                    HTTP::respond 403 content $content
                    unset content
                }
            }
        } else {
            log local0. "Access to other URLs, granted to any IP"
            pool HTTP_Pool
        }
    }

Warm Regards

  • Hi,

    Create an address data group and add private IPs to the data group.

    iRule (Change the datagroupname):

    when HTTP_REQUEST {
    	switch -glob [string tolower [HTTP::uri -normalized]] {
    		"/admin/*" -
    		"/login/*" -
    		"/manage/*" -
    		"/account/*" { 
    			if { not [class match [IP::client_addr] equals datagroupname] } {
    				drop
    				return
    			}
    		}
    	}
    }

3 Replies

    • iRule

      Thank you Enes for your response,

      I have managed to accomplish the task by using the following iRule after reviewing the iRule guide at https://clouddocs.f5.com/api/irules/. But this iRule works in a case-sensitive manner. If I use hostname.example.com/admin/etc or hostname.example.com/account/money this iRule works fine, but if I use hostname.example.com/Admin/etc or hostname.example.com/Account/money the iRule does not work.

      Please advise how I can make this iRule case-insensitive.

      ========================

      when CLIENT_ACCEPTED {
          log local0. "Client IP address is: [clientside {IP::remote_addr}]"
      }

      when HTTP_REQUEST {
          log local0. "HTTP URI = [HTTP::uri]"
          log local0. "HTTP Host = [HTTP::host]"
          if { ([HTTP::host] eq "hostname.example.com") and ([HTTP::uri] starts_with "/admin/etc* or [HTTP::uri] starts_with "/account/money" or [HTTP::uri] starts_with "/login/test" or [HTTP::uri] starts_with "/manage/team") } {
              switch -glob [class match [IP::client_addr] eq private_net] {
                  "1" {
                      log local0. "The IP is private"
                      pool My_Pool
                  }
                  default {
                      log local0. "The IP is public"
                      set content "No Access"
                      HTTP::respond 403 content $content
                      unset content
                  }
              }
          } else {
              log local0. "Access to other URLs, granted to any IP"
              pool My_Pool
          }
      }

      ========================

      Warm Regards

      • Hi,

        Use [string tolower [HTTP::uri]] instead of [HTTP::uri]

        etc* is misspelled. Replace with etc"