Forum Discussion
Help with iRule
Good day all!
I have the following iRule:
```tcl
when HTTP_REQUEST {
    if { ([HTTP::host] eq "lists.example.com") and
         ([HTTP::uri] eq "/cgi-bin/wa?INDEX" ||
          [HTTP::uri] eq "/cgi-bin/wa?MOD" ||
          [HTTP::uri] eq "/cgi-bin/wa?SYSCFG" ||
          [HTTP::uri] eq "/cgi-bin/wa?OWNER" ||
          [HTTP::uri] eq "/cgi-bin/wa?INDEX=" ||
          [HTTP::uri] eq "/cgi-bin/wa?LOGON" ||
          [HTTP::uri] eq "/cgi-bin/wa?LOGON=INDEX" ||
          [HTTP::uri] eq "/cgi-bin/wa?LOGON=" ||
          [HTTP::uri] eq "/cgi-bin/wa?ADMINDASH" ||
          [HTTP::uri] eq "/cgi-bin/wa?LSTCR1") } {
        # Restricted URI: only clients in the data group may continue
        switch -glob [class match [IP::client_addr] eq "LISTSERV-TST_Allowed_IPs"] {
            "1" {
                return
            }
            default {
                HTTP::redirect "https://www.google.com/"
            }
        }
    } else {
        return
    }
}
```
As you can see, it is inefficient, and it doesn't account for all possibilities. Let me explain what I am aiming for.
If an `HTTP_REQUEST` comes to "lists.example.com" (`[HTTP::host]`), and the URI (`[HTTP::uri]`) isn't "/cgi-bin/wa?SUBEDIT1*" (that is, "cgi-bin/wa?SUBEDIT1", and anything after it), redirect it unless it is from an IP on the "LISTSERV-TST_Allowed_IPs", in which case, allow anything on the URI and continue to it.
What would you do?
You can negate that second IF as well to avoid the else
```tcl
when HTTP_REQUEST priority 500 {
    if { (![class match -- [IP::client_addr] eq "LISTSERV-TST_Allowed_IPs"]) && !(([HTTP::host] eq "lists.example.com") && ([HTTP::uri] matches_glob "/cgi-bin/wa?SUBEDIT1*")) } {
        HTTP::redirect "https://www.google.com"
    }
}
```
- JRahmAdmin
Hi Fastidious, untested, but I think this is close to what you're looking for:
```tcl
when HTTP_REQUEST priority 500 {
    if { ([HTTP::host] eq "lists.example.com") && ([HTTP::uri] matches_glob "/cgi-bin/wa?SUBEDIT1*") } {
        if { ![class match -- [IP::client_addr] eq "LISTSERV-TST_Allowed_IPs"] } {
            HTTP::redirect "https://www.google.com"
        }
    }
}
```
- JRahmAdmin
I'm a little fuzzy on your "isn't" clause for the /cgi-bin requirement, so that might need to be negated or the logic cleaned up a bit.
- FastidiousAltostratus
JRahm thank you, and very close! I want every client not on "LISTSERV-TST_Allowed_IPs" to be allowed to access line 2, but only line 2. Redirect if there is no match.
Allow access to everything matching "/cgi-bin/wa*" to every client on "LISTSERV-TST_Allowed_IPs" data group.
- FastidiousAltostratus
Would something like this work?
```tcl
when HTTP_REQUEST priority 500 {
    if { ([HTTP::host] eq "lists.example.com") && ([HTTP::uri] matches_glob "/cgi-bin/wa?SUBEDIT1*") } {
        return
    } else {
        HTTP::redirect "https://www.google.com"
    }
    if { [class match -- [IP::client_addr] eq "LISTSERV-TST_Allowed_IPs"] } {
        return
    }
}
```
- FastidiousAltostratus
Or this, rather:
```tcl
when HTTP_REQUEST priority 500 {
    if { ![class match -- [IP::client_addr] eq "LISTSERV-TST_Allowed_IPs"] } {
        if { ([HTTP::host] eq "lists.example.com") && ([HTTP::uri] matches_glob "/cgi-bin/wa?SUBEDIT1*") } {
            return
        } else {
            HTTP::redirect "https://www.google.com"
        }
    }
}
```
I know we are close, so I am not certain on how to "wrap it up". 😅
- zamroni777Nacreous
If you're not familiar with programming, use the GUI-based local traffic policy and/or ask the developer team to help.
- JRahmAdmin
Traffic policies are certainly a good option if you don't already have iRules in place. Personally, if I have any iRules on a virtual, I'll stick with iRules so I'm not splitting the logic into multiple sources of responsibility. But, if it can all be done in a policy (or multiple policies) that's the better path.
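
The requirement from the first post, written as one iRule with early returns. This is an added example, not code from any poster in the thread; it assumes requests for other hosts should pass untouched (as the original iRule does) and swaps `matches_glob` for `starts_with`, because in a glob pattern the `?` in `/cgi-bin/wa?SUBEDIT1*` matches any single character rather than a literal question mark.

```tcl
when HTTP_REQUEST priority 500 {
    # Assumption: only lists.example.com is policed; other hosts on this
    # virtual server pass through, as in the original iRule.
    # Drop any ":port" suffix and normalise case before comparing.
    if { [string tolower [getfield [HTTP::host] ":" 1]] ne "lists.example.com" } {
        return
    }

    # Clients in the data group may request any URI on this host.
    if { [class match -- [IP::client_addr] eq "LISTSERV-TST_Allowed_IPs"] } {
        return
    }

    # Everyone else gets exactly one entry point. starts_with compares the
    # prefix literally, so "/cgi-bin/waXSUBEDIT1" does not slip through the
    # way it would with the glob pattern "/cgi-bin/wa?SUBEDIT1*".
    if { [HTTP::uri] starts_with "/cgi-bin/wa?SUBEDIT1" } {
        return
    }

    # Default deny: anything not explicitly allowed above is redirected.
    HTTP::redirect "https://www.google.com/"
}
```

Because the redirect is the fall-through case, any new LISTSERV function is blocked for outside clients until someone allows it, unlike the original rule, which only blocked the URIs it listed.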