Block admin URLs for internet users only
- Dec 29, 2021
Hi,
Create an address data group and add private IPs to the data group.
iRule (Change the datagroupname):
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri -normalized]] {
        "/admin/*" -
        "/login/*" -
        "/manage/*" -
        "/account/*" {
            if { not [class match [IP::client_addr] equals datagroupname] } {
                drop
                return
            }
        }
    }
}
- iRule, Dec 29, 2021 (Cirrus)
Thank you, Enes, for your response.
I have managed to accomplish the task by using the following iRule after reviewing the iRule guide at https://clouddocs.f5.com/api/irules/. But this iRule is working in a case-sensitive manner. If I use hostname.example.com/admin/etc or hostname.example.com/account/money, this iRule works fine, but if I use hostname.example.com/Admin/etc or hostname.example.com/Account/money, the iRule does not work.
Please let me know how I can make this iRule case-insensitive.
========================
when CLIENT_ACCEPTED {
    log local0. "Client IP address is: [clientside {IP::remote_addr}]"
}
when HTTP_REQUEST {
    log local0. "HTTP URI = [HTTP::uri]"
    log local0. "HTTP Host = [HTTP::host]"
    if { ([HTTP::host] eq "hostname.example.com") and ([HTTP::uri] starts_with "/admin/etc* or [HTTP::uri] starts_with "/account/money" or [HTTP::uri] starts_with "/login/test" or [HTTP::uri] starts_with "/manage/team") } {
        switch -glob [class match [IP::client_addr] eq private_net] {
            "1" {
                log local0. "The IP is private"
                pool My_Pool
            }
            default {
                log local0. "The IP is public"
                set content "No Access"
                HTTP::respond 403 content $content
                unset content
            }
        }
    } else {
        log local0. "Access to other URLs, granted to any IP"
        pool My_Pool
    }
}
========================
Warm Regards
- Dec 29, 2021
Hi,
Use [string tolower [HTTP::uri]] instead of [HTTP::uri]
etc* is misspelled. Replace with etc"
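The two fixes from the reply above applied to the posted iRule, as an added example that is not code from any poster in the thread. It reuses the thread's names (`private_net`, `My_Pool`, `hostname.example.com`); lowercasing the Host header, stripping its port with `getfield`, and using the `-normalized` URI from the first reply are assumptions added here.

```tcl
when HTTP_REQUEST {
    # Host headers are case-insensitive and may carry a port, so compare
    # a lowercased, port-stripped copy (assumption added in this example).
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Lowercase the URI so /Admin/etc and /admin/etc hit the same rule.
    # -normalized is taken from the first reply and is assumed to be
    # available on the BIG-IP version in use.
    set uri [string tolower [HTTP::uri -normalized]]

    if { $host eq "hostname.example.com" } {
        switch -glob -- $uri {
            "/admin/etc*" -
            "/account/money*" -
            "/login/test*" -
            "/manage/team*" {
                # private_net is the address data group from the post.
                if { not [class match [IP::client_addr] equals private_net] } {
                    log local0. "Denied [IP::client_addr] for restricted path"
                    HTTP::respond 403 content "No Access"
                    return
                }
            }
        }
    }

    # Everything that was not rejected goes to the pool, as in the post.
    pool My_Pool
}
```

Because the restriction still only applies when the Host header matches, requests that reach the same virtual server under another host name are not filtered by this rule.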