Forum Discussion
cbarnett_13782
Nimbostratus
Feb 16, 2009
Block ssl requests by ip
We need to test out a website before we roll it out to production. So to test we want to only allow certain IP addresses accessing a virtual server. I have this working nicely for the HTTP virtual serv...
hoolio
Cirrostratus
Feb 16, 2009
Because the client IP address will always be the same for the duration of the TCP connection, it would be more efficient to check it once in CLIENT_ACCEPTED (triggered when a client establishes a TCP connection) versus in HTTP_REQUEST (triggered when the HTTP headers in an HTTP request are parsed). This would also allow you to use the same iRule for both VIPs.
You can use the IP::addr command to evaluate a single IP address or subnet against a second single IP address or subnet. Or if you have multiple IP addresses/subnets you want to check you can use a datagroup and the matchclass command.
Here is an example of using IP::addr:
when CLIENT_ACCEPTED {
    # Check if client IP is part of the subnet we want to allow
    if {[IP::addr [IP::client_addr] equals 10.0.0.0/8]}{
        # Specify the pool
        pool WEBPOOL
    } else {
        # Reset the TCP connection
        reject
    }
}
Aaron
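The data group variant mentioned in the reply above, as an added example that is not part of the original post. It assumes an address-type data group named allowed_test_clients (a hypothetical name) holding the permitted hosts and subnets, and it uses the `$::` class reference of the release current when the post was written; on v10 and later, `class match [IP::client_addr] equals allowed_test_clients` is the replacement for matchclass.

```tcl
when CLIENT_ACCEPTED {
    # allowed_test_clients is an assumed address-type data group
    # (hosts and networks allowed to reach the site during testing)
    if { [matchclass [IP::client_addr] equals $::allowed_test_clients] } {
        # Client is on the allow list: send it to the pool
        pool WEBPOOL
    } else {
        # Record which client was refused and on which VIP, so that
        # unexpected sources show up in /var/log/ltm during the test window
        log local0. "Rejected [IP::client_addr] on [IP::local_addr]:[TCP::local_port]"
        # Reset the TCP connection before any SSL handshake or HTTP parsing
        reject
    }
}
```

Because the check runs in CLIENT_ACCEPTED, the same iRule can be attached to both the HTTP and the SSL virtual server, and the allow list is edited in the data group without touching the rule.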
