Forum Discussion
Help with IRule
I am having issues with my iRule.
Running code BIG-IP 10.2.1 Build 297.0 Final
iRule
---------------------------
when HTTP_REQUEST {
    if { not ([matchclass [IP::client_addr] equals $::SS_CMS_Nets]) and ([matchclass [string tolower [HTTP::uri]] contains $::SS_CMS_URLs]) } {
        HTTP::redirect "http://siteroot.com"
    }
}
DataGroups
--------------------------
SS_CMS_NETS
192.168.100.0/24
SS_CMS_URLS
/cms-admin
What I am trying to achieve is to only allow requests to http://siteroot.com/cms-admin/ to be served to clients coming from the 192.168.100.0/24 subnet. All other clients need to be redirected back to http://siteroot.com/
So far all that happens is all clients irrespective of IP address get directed back to http://siteroot.com
Can someone please help figure out what I am doing wrong here?
4 Replies
- Michael_Yates
Nimbostratus
Hi esexon,
You could change your logic a little bit and save yourself some unnecessary processing.
Only trigger the verification if the URI contains "cms-admin". If it does, then check to see if they are authorized.
Here are two different ways of doing it....

when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/cms-admin" } {
        # If URI matches verify that the Client has access
        if { !([class match [IP::client_addr] equals AllowedNetworkList ]) } {
            # If they do NOT have access, do this:
            HTTP::redirect "http://www.google.com"
        }
    }
}

when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/cms-admin" } {
        # If URI matches verify that the Client has access
        if { [class match [IP::client_addr] equals BlockNetworkList] } {
            # If they DO have access, do this:
            HTTP::redirect "http://www.google.com"
        }
    }
}

Hope this helps.
- Michael_Yates
Nimbostratus
Oh,
In v10.x.x you should start to use "class match" instead of the v9.x.x command "matchclass".
You can ignore the "BlockedNetworkList" Data Group Name in the second example (that is the name of the Data Group that I reused on my system and I forgot to rename it to correspond to the first example....tried to correct it but it wouldn't let me).
- esexon_27963
Nimbostratus
Hi, makes sense but for some reason it still doesn't work.
It always redirects me even though my machine is one of the AllowedNetworksList IP Addresses instead of sending me to "/cms-admin"
Is there anything else I can try?
Thanks again for the quick reply.
- esexon_27963
Nimbostratus
This is the rule I have in place.
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/cms-admin" } {
        # If URI matches verify that the Client has access
        if { not [class match [IP::client_addr] equals AllowedNetworkList] } {
            # If they DO Not have access, do this:
            HTTP::redirect "/"
        }
    }
}
No matter what I do it redirects all client addresses back to the / and seems to ignore my AllowedNetworkList.
Pulling my hair out here so would appreciate any feedback
Many thanks,
Evan
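
A diagnostic variant of the rule discussed in this thread, added here as an example and not posted by any participant: it logs the client address BIG-IP actually sees and the result of the data group lookup, so you can tell which half of the check is failing. It assumes an address-type data group named AllowedNetworkList (the name used in the replies) and adds URI decoding before the match, which the thread's rules do not do.

```tcl
when HTTP_REQUEST {
    # Decode and lowercase the URI so the match runs on a normalized string.
    # (Assumption: decoding is an addition; the thread's rules only lowercase.)
    set uri [string tolower [URI::decode [HTTP::uri]]]

    if { $uri contains "/cms-admin" } {
        set client [IP::client_addr]

        # class match returns 1 when the address falls inside an entry of the
        # data group and 0 otherwise. v10.x syntax: no $:: prefix on the name.
        set allowed [class match $client equals AllowedNetworkList]

        # Temporary diagnostic line; read it in /var/log/ltm and remove it
        # once the rule behaves as expected.
        log local0. "cms-admin check: client=$client uri=$uri allowed=$allowed"

        if { !$allowed } {
            # Not in the allowed networks: send the client back to the site root.
            HTTP::redirect "http://siteroot.com/"
        }
    }
}
```

If the logged client address is not the workstation's own address (for example because a NAT device or proxy sits in front of the virtual server), the data group has to list the address that appears in the log.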