Forum Discussion

Nimbostratus

Oct 14, 2013

Drop single request based on header value

We are trying to setup an iRule that will drop a request that has a matching IP in a datagroup. In this scenario, the connections are persistent so all of the HTTP requests are coming down the same c...

Employee

Oct 14, 2013

Yours should work, but here's a minor modification:

when HTTP_REQUEST {
    if { ( [HTTP::header exists True-Client-IP] ) and not ( [HTTP::header True-Client-IP] equals "127.0.0.1" ) } {
        set trueIP [HTTP::header True-Client-IP]
    } else {
        set trueIP [IP::client_addr]
    }
    if { [class match $trueIP equals block_list] } {
        discard
    }
}

You're allowing the client, or perhaps an upstream proxy, to set a header (True-Client-IP). If that header exists, use it in the class match, otherwise use the client's IPas seen by the F5. If a match is found, discard the request. Is that your intention?

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)