Jason_19901
Apr 07, 2011Nimbostratus
Help with iRule
here is my requirement:
This iRule will be applied to an already existing virtual service for payme.example.com
+ Deny all access to URI payme.example.com/nfm (and all subdirectories) from all IP sources
+ These following IP addresses (create datagroup) are allowed to URI payme.example.com/*.asmx
222.27.26.151, 222.27.26.152, 222.38.4.248, 222.27.16.165, 222.27.16.169
+ Deny all access to URI payme.example.com/*.asmx from all other IP sources
+ Allow all access to URI payme.example.com/ (and all remaining subdirectories) from all IP sources
This iRule will be applied to an already existing virtual service for upayme.example.com
+ Deny all access to URI upayme.example.com/nfm (and all subdirectories) from all IP sources
+ These following IP addresses (create datagroup) are allowed to URI upayme.example.com/*.asmx
222.27.26.148, 222.38.4.249, 222.27.16.158, 222.27.16.161
+ Deny all access to URI upayme.example.com/*.asmx from all other IP sources
+ Allow all access to URI upayme.example.com/ (and all remaining subdirectories) from all IP sources
Here is my iRule that does not seem to work
class UserDataGroup {
{
host 222.17.26.151
host 222.17.26.152
host 222.28.4.248
host 222.17.16.165
host 222.17.16.169
}
}
class UserData_Group {
{
host 222.17.26.148
host 222.28.4.249
host 222.17.16.158
host 222.17.16.161
}
}
when CLIENT_ACCEPTED {
set debug "1"
if {$debug} {log local0. "Client IP address is: [IP::remote_addr]"}
Check if client IP is not in the UserDataGroup
if { [matchclass [IP::remote_addr] equals $::UserDataGroup] }{
log local0. "Client is in UserDataGroup1"
Prevent the HTTP_REQUEST event from firing if user is from local network
event HTTP_REQUEST disable
}
else {log local0. "Client is in NOT UserDataGroup"}
}
when HTTP_REQUEST {
switch -glob [HTTP::uri] {
"/*.asmx" -
"/nfm" -
{
Reject login info from non local sites
HTTP::respond 403 content "Logins only allowed from trusted networks.\r\n"
}
}
}
when CLIENT_ACCEPTED {
set debug "1"
if {$debug} {log local0. "Client IP address is: [IP::remote_addr]"}
Check if client IP is not in the UserData_Group
if { [matchclass [IP::remote_addr] equals $::UserData_Group] }{
log local0. "Client is in UserData_Group1"
Prevent the HTTP_REQUEST event from firing if user is from local network
event HTTP_REQUEST disable
}
else {log local0. "Client is in NOT UserData_Group"}
}
when HTTP_REQUEST {
switch -glob [HTTP::uri] {
"/nfm" -
"/*.asmx -
{
Reject login info from non local sites
HTTP::respond 403 content "Logins only allowed from trusted networks.\r\n"
}
}
}