Forum Discussion
Evaluate String against data-group of IP data
Hello to all,
I have AKAMAI as a CDN provider in front of my F5 published services. I have configured a data-group of type "Address" and before AKAMAI, I checked if the client IP could be found in this data-group and allowed access towards a specific path:
    "/uri_path*" {
        pool server-pool
        if { !([class match [IP::client_addr] equals dg_allowed_ips])} {
            HTTP::respond 403 content ""
            log local0. "tried to connect to ret from [IP::client_addr]"
        }
    }
Now after introducing AKAMAI, since the client IP is replaced by that of the connecting AKAMAI server, I needed to get the actual client IP using a custom header:
    if { ([HTTP::header exists "True-Client-IP"]) and ([HTTP::header "True-Client-IP"] != "") } {
        set True_Client_IP [HTTP::header "True-Client-IP"]
    } else {
        set True_Client_IP [IP::client_addr]
    }
If I change the evaluation to use this new variable, it basically never matches since the variable is of type "string" whereas the data group contains IPs:
    "/uri_path*" {
        pool server-pool
        if { !([class match $True_Client_IP equals dg_allowed_ips])} {
            HTTP::respond 403 content ""
            log local0. "tried to connect to ret from $True_Client_IP"
        }
    }
So the question becomes: can I evaluate a string against an IP data-group? Can I somehow change the variable type to be IP?
Thank you all
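Added example, not part of the original post or the replies: one way to combine the two snippets above so that the True-Client-IP header is honoured only when the TCP peer is a known CDN edge, and only when its value parses as an address, before it is matched against dg_allowed_ips. Assumptions: dg_akamai_edges is a hypothetical Address data group holding the CDN's egress ranges, the switch is on the request path, only IPv4 values are handled, and IP::addr raises a Tcl error on a string that is not an address.

```tcl
# Added example. dg_akamai_edges is a hypothetical data group; dg_allowed_ips
# and server-pool are the names used in the post.
when HTTP_REQUEST {
    # Default to the TCP peer address.
    set True_Client_IP [IP::client_addr]

    # Honour the header only when the peer is a known CDN edge. Any other
    # sender can place an arbitrary value in True-Client-IP.
    if { [class match [IP::client_addr] equals dg_akamai_edges] } {
        # Trim whitespace that would otherwise break the address comparison.
        set candidate [string trim [HTTP::header value "True-Client-IP"]]

        # Assumption: IP::addr errors on a non-address string, so catch
        # doubles as an IPv4 format check.
        if { $candidate ne "" && ![catch { IP::addr $candidate mask 255.255.255.255 }] } {
            set True_Client_IP $candidate
        } else {
            # Do not echo the raw header value into the log.
            log local0. "unusable True-Client-IP header from [IP::client_addr]"
        }
    }

    switch -glob -- [string tolower [HTTP::path]] {
        "/uri_path*" {
            if { ![class match $True_Client_IP equals dg_allowed_ips] } {
                log local0. "denied /uri_path for $True_Client_IP (peer [IP::client_addr])"
                HTTP::respond 403 content ""
                return
            }
            pool server-pool
        }
    }
}
```

If the header fails validation, the rule falls back to the CDN edge address, which is not in dg_allowed_ips, so the request is denied rather than allowed.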
- Kevin_Stewart (Employee)
Technically, [IP::client_addr] also returns a string. Are you getting any logic errors in the LTM log?
Try logging the value of True_Client_IP to see if maybe there's some anomalous characters in the value.
    log local0. "|${True_Client_IP}|"
- Vidas (Nimbostratus)
No, I don't get any errors in the logs. I've also inserted the extra logging, and it correctly includes the IP without any special characters.
- Kevin_Stewart (Employee)
What do the address values look like in your data group?
And what BIG-IP version?
I've tested this login on a 17.0 box and it appears to work fine.