Forum Discussion
Blocking admin uri via IP address and keyword?
Hello All,
Is there a proper way to block access to admin URIs using a keyword and IP address? Such as, if the request comes from 192.168.0.0/16 space and contains /platform/* allow the connection. If those two things don't match, drop the request?
I've used this from CodeShare, however, it doesn't look for the IP address variable.
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "/platform/*" { reject }
        default { return }
    }
}
So it just blocks my Web Admins from being able to use the console for edits. All in all, I'm looking for some direction to employ best practices in doing something like this.
Thank you in advance!
2 Replies
- Snl
Cirrostratus
Try below
1) Created a data group list named allowed-host and added the IP 192.168.0.0/16
2) Created the iRule below and called the data group list allowed-host
when HTTP_REQUEST {
    # "contains" is a literal substring match, so no glob "*" in the pattern
    if { ( [string tolower [HTTP::uri]] contains "/platform/" ) } {
        # Reject unless the client address is in the allowed-host data group
        if { not ( [class match [IP::client_addr] equals allowed-host] ) } {
            reject
        }
    }
}
Hi haxzorian,
to make your blacklist more robust and to include the required IP exemptions, you may take a look at the iRule samples below.
Example 1: Using a matching condition which isn't prone to escaping sequences
when HTTP_REQUEST {
    if { ( [string tolower [HTTP::path]] starts_with "/platform" ) and not ( [class match [IP::client_addr] equals allowed-host] ) } then {
        # Reject the request
        reject
    } else {
        # Allow the request
    }
}
Example 2: Utilizing a [URI::decode] command to unescape possible URI escape sequences.
when HTTP_REQUEST {
    # Decode first, then lowercase, so escaped characters are normalized before matching
    if { ( [string tolower [URI::decode [HTTP::path]]] starts_with "/platform/" ) and not ( [class match [IP::client_addr] equals DG_Allowed_IPs] ) } then {
        # Reject the request
        reject
    } else {
        # Allow the request
    }
}
Note: Both examples should work stably even if a bad guy requests a URL like https://www.yoursite.de/platform%2Fsomefolder/somepage.php
Cheers, Kai
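The decision logic discussed in this thread, as an added example that is not part of the original posts and is not F5 code: a small Python model for checking a path-plus-source-IP rule against sample requests before deploying it. The function names, the 203.0.113.7 client and the sample paths are constructed assumptions; the prefix and the 192.168.0.0/16 range come from the thread.

```python
import ipaddress
from urllib.parse import unquote

# Stand-in for the address data group from the replies (range from the thread).
ALLOWED_NETS = [ipaddress.ip_network("192.168.0.0/16")]
PROTECTED_PREFIX = "/platform/"

def normalize(path: str) -> str:
    """Decode percent-escapes first, then lowercase the result."""
    return unquote(path).lower()

def normalize_lower_first(path: str) -> str:
    """Opposite order, for comparison: letters that were percent-encoded
    are decoded after the lowercase step and keep their original case."""
    return unquote(path.lower())

def client_allowed(client_ip: str) -> bool:
    """True when the client address falls inside an allowed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETS)

def decide(client_ip: str, path: str) -> str:
    """Model of the combined rule: reject protected paths from other sources."""
    protected = normalize(path).startswith(PROTECTED_PREFIX)
    if protected and not client_allowed(client_ip):
        return "reject"
    return "allow"

# Constructed sample requests: (client IP, raw request path)
SAMPLES = [
    ("192.168.10.5", "/platform/edit"),
    ("203.0.113.7", "/platform/edit"),
    ("203.0.113.7", "/PLATFORM/edit"),
    ("203.0.113.7", "/platform%2Fsomefolder/somepage.php"),
    ("203.0.113.7", "/%50latform/edit"),
    ("203.0.113.7", "/index.html"),
]

def run():
    """Evaluate every sample and return (ip, path, verdict) tuples."""
    return [(ip, path, decide(ip, path)) for ip, path in SAMPLES]

if __name__ == "__main__":
    for ip, path, verdict in run():
        print(f"{ip:15} {path:40} {verdict}")
```

Only the internal client and the unprotected path come back as allow; the lowercase-first variant leaves an upper-case letter in the decoded path, which is why the model decodes before lowercasing.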