Forum Discussion
yves_werniers_1
Nimbostratus
Nimbostratusclass and v9.1.2
Hello,
It seems like the class command was introduced in v10.0, whereas matchclass was introduced in v9.0.
I am running v9.1.2. How can I cerate something classlike and use classmatch?
I want to limit connections to certain url/uri combinations based on the source ip address. I am using the X-Forwarded-For header because it is behind a reverse proxy.
This is the script I would like to use:
class hrmstest_uris {
"/hraccent/ess/client_prod"
"/hraccent/ess/login.php?company=client_prod"
"/hraccentops/ess/client_prod"
"/hraccentops/ess/login.php?company=client_prod"
}
when HTTP_REQUEST {
set my_uri [string tolower [HTTP::uri]]
if {[HTTP::host] == "www.host.com" and [matchclass $my_uri starts_with $::hrmstest_uris] } {
if { [HTTP::header X-Forwarded-For] != "ip1" and [HTTP::header X-Forwarded-For] != "ip2" and [HTTP::header X-Forwarded-For] != "ip3"}{
log local0. "\[request blocked\] : [HTTP::header X-Forwarded-For]"
drop
}
}
}
4 Replies
hoolioCirrostratus
You can use matchclass in 9.x or 10.x to evaluate an IP address or string against a class.
You might also consider adding the three IP addresses to an address type datagroup (aka class) and then use matchclass again to check the XFF header value against the datagroup.
Be aware that it's likely that attackers could bypass your logic though using obfuscation techniques:
http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=30900
Aaron
yves_werniers_1but the big problem is that I cannot even save that iRule. I get an error on the class line:
undefined procedure: class
any thoughts?- hoolioAh, the class definition is separate from the iRule. You define the class (called a datagroup in the GUI) under Local Traffic | iRules | Datagroup List. Then define the iRule under the iRules tab.
Aaron - yves_werniers_1yes! That's what I was missing.
thanks a lot !
