Forum Discussion

ottleydamian's avatar
Sep 03, 2019

Block request based on domains

In migrating from Microsoft TMG to F5 I noticed that the TMG allowed/blocked users based on domains and not IP addresses. This is specific to the MS Exchange EWS service. I don't have a test F5 device.

  • Will the following iRule work?
  • Also, since EWS is just an API, is either of the iRules below preferred over the other?

Note: I'm writing this freehand, so expect syntax errors

when HTTP_REQUEST {
	switch (not ([string tolower "[HTTP::host]")) {
		"abc.domain.com" -
		"xyz.mydomain.com" -
		"qwerty.mydomain.com" {
			log local0. "Rejected domain [HTTP::host]"
			reject
		}
	}
}
 
OR
 
when HTTP_REQUEST {
	switch (not ([string tolower "[HTTP::host]")) {
		"abc.domain.com" -
		"xyz.mydomain.com" -
		"qwerty.mydomain.com" {
			log local0. "Rejected domain [HTTP::host]"
			HTTP::respond 404 noserver content {
				<html>
					<head>
						<title>404 Error Page</title>
					</head>
					<body>
						The page you are trying to access doesn't exist<br>            
					</body>
				</html>
			}
		}
	}
}
  • Hi ottleydamian,

    Line 2 is not valid. You can create a data-group and use it in an iRule.

    Data-group:

    ltm data-group internal domain_list {
        records {
            abc.domain.com { }
            xyz.mydomain.com { }
            qwerty.mydomain.com { }
        }
        type string
    }

    iRule:

    when HTTP_REQUEST {
    	if { not ([class match [string tolower [HTTP::host]] equals domain_list]) } {
    		log local0. "Rejected domain [HTTP::host]"
    		reject
    		
    		# or
    		# HTTP::respond 404 noserver content "<html>...</html>"
    	}
    }

    The system applies iRules in the order in which they appear in the list. You can use the "priority" command.

    REF: https://clouddocs.f5.com/api/irules/priority.html
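A hardened variant of the data-group allowlist check above, added here as an example and not code from either post. It assumes only that the `domain_list` data-group from the reply exists; what it adds is Host header normalization (lowercasing and stripping any `:port` suffix, which `HTTP::host` passes through as sent by the client) and an explicit reject for requests that carry no Host header at all, so the rule stays default-deny.

```tcl
# Added example: default-deny host allowlist for the EWS virtual server.
# Assumes the string data-group "domain_list" from the reply above exists.
when HTTP_REQUEST {
    # HTTP::host returns the raw Host header. Clients may send it with a port
    # ("abc.domain.com:443") or in mixed case, and HTTP/1.0 clients may omit it.
    # Normalize before the lookup: lowercase, then keep only the part before
    # the first colon. (IPv6 literal hosts such as "[::1]" are not handled here.)
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    # No Host header at all: nothing to match against, so treat as not allowed.
    if { $host eq "" } {
        log local0. "Rejected request with no Host header from [IP::client_addr]"
        reject
        return
    }

    # Host not in the allowlist data-group: log the normalized value and the
    # client IP, then answer with a generic 404 rather than a bare TCP reset
    # so that the client sees a clean HTTP response.
    if { not ([class match $host equals domain_list]) } {
        log local0. "Rejected host \"$host\" from [IP::client_addr]"
        HTTP::respond 404 noserver content "<html><body>The page you are trying to access doesn't exist</body></html>" "Content-Type" "text/html"
        return
    }
}
```

Because the data-group lookup is an exact string match, a request for `ABC.domain.com:443` still matches the `abc.domain.com` record after normalization, which the original `switch` would have missed.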