ChristerB_10333
Feb 23, 2011

Blocking a country and sending request to a pool

Hi!

I'm currently blocking some countries with an iRule using Geolocation and a data group list.

The iRule looks like this:

when HTTP_REQUEST {
    if { [matchclass [whereis [IP::client_addr] country] eq $::blocked_countries] } {
        HTTP::redirect "http://no-access.com"
    }
}

But I don't want to waste public IPs and want to send the request to a pool with servers that have some explaining text.

I can reject, drop or redirect to http but is it even possible to send to a pool?

//ChristerB
  • Hi Christer,

    Yes, you can replace the HTTP::redirect with a pool statement.

    For 9.4.4+ make sure to reference datagroups without the $:: or :: prefix. Else, the lookup will fail in 10.x. Also, you can replace matchclass with class:

    
    when CLIENT_ACCEPTED {
        # Check once per TCP connection if the country for the client IP is in the blocked country datagroup
        if { [class match [whereis [IP::client_addr] country] eq blocked_countries] } {
            pool blocked_pool
        } else {
            pool [LB::server pool]
        }
    }
    

    Aaron
  • Thank you Hoolio. I can't get it to work. I will have a look at it and see if I can figure out how to use it.

    /ChristerB
  • Actually, the whereis was added in 10.1.0, so you'd need to be on that version or higher to use this iRule. If it's not working on one of those versions, you can add debug logging:

    
    when CLIENT_ACCEPTED {
        # Debug: log the client, the country returned by whereis and the result of the class match
        log local0. "[IP::client_addr]:[TCP::client_port]: whereis: [whereis [IP::client_addr] country], class match: [class match [whereis [IP::client_addr] country] eq blocked_countries]"

        # Check once per TCP connection if the country for the client IP is in the blocked country datagroup
        if { [class match [whereis [IP::client_addr] country] eq blocked_countries] } {
            pool blocked_pool
        } else {
            pool [LB::server pool]
        }
    }
    

    Aaron
  • We are on version 10.2.0 Build 1707.0 so it should work then. I'll dig in to it today and see what I can do :-)

    /ChristerB