Blocking access to certain URI except from IP Address

Question

Hi All,&nbsp;
 &nbsp;
I am trying to block access to the admin sections of my website, unless the request comes from one of my public IP addresses.&nbsp;
 &nbsp;
The rule I tried to implement looks like this:&nbsp;
 &nbsp;
 &nbsp;
when HTTP_REQUEST {&nbsp;
    if { [HTTP::host] equals "www.mywebsite.com.au" and [HTTP::uri] equals "/provider/faces/provider.jspx" or "/faces/admin.jspx" or "/reporting/BOE/BI" and !([matchclass [IP::remote_addr] equals $::MyPublicAddressPool ]) } {&nbsp;
        reject&nbsp;
    }&nbsp;
    else {&nbsp;
        return&nbsp;
    }&nbsp;
}&nbsp;
 &nbsp;
 &nbsp;
It is based on another example I saw in the forums.  The trouble is, when I implement this iRule, it ends up blocking all traffic to my website, rather than just the admin URI listed above.&nbsp;
 &nbsp;
Could someone point me to where I am going wrong?  I don't think I'm that far. off.&nbsp;
 &nbsp;
 &nbsp;
 &nbsp;
Thanks in advance.&nbsp;

kevin_stewart · Answer

I think the problem is in the grouping. Try this:

when HTTP_REQUEST {
if { ( [HTTP::host] equals "www.mywebsite.com.au" ) and ( ( [string tolower [HTTP::uri]] equals "/provider/faces/provider.jspx" ) or ( [string tolower [HTTP::uri]] equals "/faces/admin.jspx" ) or ( [string tolower [HTTP::uri]] equals "/reporting/BOE/BI" ) ) and not ( [matchclass [IP::remote_addr] equals $::MyPublicAddressPool ] ) } {
reject
}
}

jimmasters_1227 · Answer

Thanks Kevin.  I'll give it a try.

jimmasters_1227 · Answer

I got it working using a HTTP::respond statement.  The reject statement was causing problems and was blocking all traffic instead of just the Admin URI.  I also removed the URL section from the beginning as this iRule is only applied to a single VIP. 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;     if { ( ( [string tolower [HTTP::uri]] equals "/provider/faces/provider.jspx" ) or ( [string tolower [HTTP::uri]] equals "/faces/admin.jspx" ) or ( [string tolower [HTTP::uri]] equals "/reporting/BOE/BI" ) ) and not( [matchclass [IP::remote_addr] equals $::MyIPAddressRange ] ) } { 
&nbsp;         HTTP::respond 200 content "URL Denied" 
&nbsp;         return 
&nbsp;     } 
&nbsp; }

jnon · Answer

Are you on 9x code? if your on 10.x or greater you need to change the matchclass out for class match and remove $:: to take advantage of CMP

Forum Discussion

Blocking access to certain URI except from IP Address

4 Replies

Win Big in Vegas: The iRules Contest is back with $5k on the line at AppWorld 2026

Jürgen - February 2026 Featured Member

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Restore configuration to GTM Sync Group device

Questions on device trust

BIG‑IQ: Adding rSeries/Velos Devices through the REST API

Viprion End of Software Support (EoSS)

AppWorld DC Booth Kiosk Generator

Related Content

Logging/Blocking possible prompt injection

F5 Distributed Cloud - Traffic Steering based on Client IP Address

Service Extensions with SSL Orchestrator: Advanced Blocking Pages

Block IP after a number of ASM Blocks

Addressing Shadow AI with F5 BIG-IP SSL Orchestrator

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS