AltocumulusException for GeoBlocked Country. Without Allow-Listing a specific IP
We are geo-blocking users from China, but some users are trying to ship goods and needs to see access certain guidelines regarding the types of goods that are allowed.
The security policy that governs access to this application also applies to several other applications. I am concerned that allow-listing the specific IP addresses of those users could potentially open up a security loophole.
We are in a bit of pickle and exploring the best way to address this issue without compromising security protocols. Any suggestions would be appriciated.
I tinkered and composed this iRule. I am uncertain about the last part... (ignore private.url as I don't want to post it publcily here)
when CLIENT_ACCEPTED {
# Initialize a variable to hold the block status
set blocked_ip 1
}
when HTTP_REQUEST {
# Check if the request is for the specific full URL and the client is from China
if { ([HTTP::host] equals "private.url") and
([HTTP::uri] equals "/substances-search/Substance?lang=en") and
([whereis [IP::client_addr] country] equals "CN") } {
# Tentatively allow access, pending the ASM check
set blocked_ip 0
}
}
when ASM_REQUEST_DONE {
# Check if the request is blocked by ASM
if { [ASM::status] eq "blocked" } {
# If it's due to geolocation and the specified conditions are met, unblock
if { [ASM::violation names] contains "VIOLATION_ILLEGAL_GEOLOCATION" and
$blocked_ip == 0 } {
ASM::unblock
log local0. "[ASM::violation_data] unblocked for [IP::client_addr]"
} else {
# For other violations, ensure the request remains blocked
set blocked_ip 1
}
}
}
when HTTP_RESPONSE {
# If the block status is true, respond with a 403 Forbidden
if { $blocked_ip == 1 and
[ASM::status] eq "blocked" and
![ASM::violation names] contains "VIOLATION_SQL_INJECTION" } {
HTTP::respond 403 content "Access denied" "Content-Type" "text/plain" "Connection" "close"
}
}
Hi dbaimakov,
You can use two waf policies and disable the geolocation control in one policy.
