
Bubbagump_12531
Dec 05, 2012

Drop or send to pool based on source IP AND host address

I am trying to emulate the ability in Apache to accept or drop traffic to a particular vhost based on IP. So for instance, my Apache's vhost config says:

Order deny,allow
Deny from All
Allow from 192.168.30.0/24
Allow from 192.168.15.0/24
Allow from 10.1.20.0/24

However, the 10 network comes from my LTM, so any host hitting the virtual IP would show to Apache as a good IP. What I have tried is to create an address-type datagroup called localnets which includes:

192.168.30.0/255.255.255.0
192.168.15.0/255.255.255.0

Then my iRule reads as:

when HTTP_REQUEST {
    if { ([HTTP::host] matches "myapp.somehost.com") and [class match [IP::client_addr] equals localnets] } {
        pool /Common/pool_ruby_http
    } else {
        discard
    }
}

However, this fails with errors all over. My guess is that I am trying to do a layer 7 and a layer 3 check in the same rule and this is not allowed. I have seen the examples on here that work on either ONLY source IP or ONLY HTTP host, but not a combination. Where do I start?

4 Replies

  • That worked. Excellent. Now I am stuck on part two of this.

    I only want this iRule to apply to requests with that host, therefore I added an extra else if:

    when HTTP_REQUEST {
        if { ([HTTP::host] matches "myapp.somehost.com") and [class match [IP::client_addr] equals localnets] } {
            pool /Common/pool_ruby_http
        } elseif { ([HTTP::host] matches "myapp.somehost.com") and [class match [IP::client_addr] equals not localnets] } {
            discard
        }
    }

    I can find all sorts of documentation on how to make positive logic, but not negative... thus I am just guessing at combinations of 'not equals', !equals etc. and seem not to get anywhere.

    EDIT: I think I got it

    when HTTP_REQUEST {
        if { ([HTTP::host] matches "myapp.somehost.com") and [class match [IP::client_addr] equals localnets] } {
            pool /Common/pool_ruby_http
        } elseif { ([HTTP::host] matches "myapp.somehost.com") and not [class match [IP::client_addr] equals localnets] } {
            discard
        }
    }

    Am I right?


  • hoolio
    Yep. Nice work in figuring it out.

    Another thing to consider is requests with a host header that isn't myapp.somehost.com. It would be trivial for a user to set whatever host header they want with a hosts file entry pointing to the public IP address of your virtual server. Or they could just use the IP address. In that case, the requests wouldn't match your iRule logic and would go to the virtual server's default pool if one is defined.

    To address this, you could either not check the host header or not have a default pool on the virtual server.

    Aaron
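    An added example (not code from the thread) of one iRule that handles all three cases discussed above: matching host from an allowed network, matching host from a disallowed network, and any other or missing Host header, so nothing falls through to a default pool. It assumes the localnets datagroup and /Common/pool_ruby_http pool from the original post exist.

```tcl
# Added example, not from the original thread. Assumes the address-type
# datagroup "localnets" and the pool "/Common/pool_ruby_http" exist.
when HTTP_REQUEST {
    # The client controls the Host header, so normalise its case before
    # comparing; "equals" is an exact match, unlike the glob-style "matches".
    set host [string tolower [HTTP::host]]

    if { not ($host equals "myapp.somehost.com") } {
        # Wrong or missing Host header: answer explicitly here instead of
        # relying on whether the virtual server has a default pool.
        HTTP::respond 403 content "Forbidden" "Connection" "close"
        return
    }

    if { [class match [IP::client_addr] equals localnets] } {
        # Expected host and the source is inside an allowed network.
        pool /Common/pool_ruby_http
    } else {
        # Expected host, but the source is outside the allowed networks.
        # Log it so denied sources are visible, then tear the connection down.
        log local0. "Denied $host from [IP::client_addr]"
        reject
    }
}
```

    Using reject rather than discard sends a TCP reset, so a blocked client sees the connection close immediately instead of a silent timeout; either works for the deny branch.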
  • Yup, already had that figured out and have a default pool that gives you a "Go back from whence you came" message. Thanks guys!