Forum Discussion
player_72606
Nimbostratus
Apr 15, 2008
Filter URI to Source IP
Hi,
I need to configure an "access-list" to permit a specific source address to a specific URI for web-application management.
Other traffic to this URI from other source addresses should be directed to another URI.
How can this be done?
8 Replies
- Jason_Keating
Altostratus
Hi
I would modify this from Codeshare
http://devcentral.f5.com/Wiki/default.aspx/iRules/AccessControlBasedOnIP.html
You could put the logic in a "HTTP REQUEST" event instead and wrap the if/else in the following (semi pseudo code - cause I ain't that good at iRules yet)...
when HTTP_REQUEST {
    if { [HTTP::uri] contains "web/application/management/uri" } {
        if { [matchclass [IP::client_addr] equals $::trustedAddresses] } {
            ..........
        }
    }
}
Lookup matchclass in the iRules Wiki for examples of how to use datagroups (easy)
Hope this helps
J
- player_72606
Nimbostratus
What's wrong here, parse error:
when HTTP_REQUEST {
    if {[[HTTP::uri] contains "GIBWeb/Screens/manage/mlogin.aspx" ]}
    {if {[matchclass [IP::client_addr] equals $::web_mng]
        log local0.info "Allowed client to uri: [IP::client_addr] requesting: [HTTP::uri]"}
    {else
        log local0. "Invalid client IP: [IP::client_addr] - discarding"
        discard
    }
    }
}
- Nicolas_Menant
Employee
First, some parse error message would be welcome ^^
You can find those in /var/log/ltm
Then your braces and brackets are not placed properly:
when HTTP_REQUEST {
    if { [HTTP::uri] contains "GIBWeb/Screens/manage/mlogin.aspx" } {
        if { [matchclass [IP::client_addr] equals $::web_mng] } {
            log local0.info "Allowed client to uri: [IP::client_addr] requesting: [HTTP::uri]"
        } else {
            log local0. "Invalid client IP: [IP::client_addr] - discarding"
            discard
        }
    }
}
- player_72606
Nimbostratus
Ok, now that the syntax is legal, the iRule itself doesn't work.
It seems that once this code is attached to the VS, all requests to this URI are blocked; the matchclass cannot find a match.
- hoolio
Cirrostratus
What do you have in the $::web_mng class? You can either log it using 'log local0. "\$::web_mng: $::web_mng"' or paste it in. $::web_mng should be an address datagroup with a format of:
network 1.0.0.0 mask 255.0.0.0
network 2.2.0.0 mask 255.255.0.0
host 3.3.3.3
If you add an entry for network 0.0.0.0 mask 0.0.0.0, do the requests get sent to the default pool?
Aaron
- player_72606
Nimbostratus
This is weird...
web_mng has all the networks - 0.0.0.0 / 0.0.0.0
and still there's no match on this matchclass.
The ltm log:
"Apr 16 09:11:09 tmm tmm[1648]: 01220001:3: TCL error: uri_filter_sourceip - can't read "::web_mng": no such variable while executing "matchclass [IP::remote_addr] equals $::web_mng"
Anyone, please?
- hoolio
Cirrostratus
The datagroup/class name is case sensitive. Are you sure that the class is named exactly "web_mng"?
Aaron
- Jason_Keating
Altostratus
Did you create the datagroup using Admin Console >> Local Traffic >> Data Groups >> Create >> Address?
Could you cut and paste the section of the /config/bigip.conf containing the class? It's probably the only section starting with 'class', something like:
class a {
    network 1.2.3.4/0
    host 1.2.3.4
}
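As an added example (not code posted in this thread), here is one way to write the complete iRule the original question asks for on a v9-era LTM: clients listed in the web_mng address datagroup from the thread reach the management pages, and everyone else is redirected to another location. The redirect target, the lower-cased path prefix and the use of HTTP::path instead of HTTP::uri are assumptions, not something the thread specified.

```tcl
# Added example, not from the thread. Assumes an address datagroup named
# web_mng (as in the thread) and a redirect target of "/" (assumption).
# Uses the v9-era matchclass/$::name syntax the thread uses; on v10 and later
# the equivalent test is: [class match [IP::client_addr] equals web_mng]
when HTTP_REQUEST {
    # Compare the path only (no query string), lower-cased: IIS/ASP.NET
    # paths are case-insensitive, so a case-sensitive "contains" test on the
    # raw URI would not cover mixed-case spellings of the same management page.
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/gibweb/screens/manage/" } {
        if { [matchclass [IP::client_addr] equals $::web_mng] } {
            # Trusted source: let the request continue to the default pool.
            log local0.info "Allowed [IP::client_addr] to [HTTP::uri]"
        } else {
            # Untrusted source: send it to another URI instead of discarding,
            # as the original question asked.
            log local0.warn "Redirecting untrusted [IP::client_addr] from [HTTP::uri]"
            HTTP::redirect "https://[HTTP::host]/"
            return
        }
    }
}
```

The datagroup must exist under exactly that name before the iRule is attached, otherwise $::web_mng raises the "no such variable" TCL error seen in /var/log/ltm above.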