For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chris_Howell_11's avatar
Chris_Howell_11
Icon for Nimbostratus rankNimbostratus
Aug 17, 2006

How DO I exclude an IP Address

I looked through the forum and could not find an example that would work for me.

 

 

Below is my current rule for redirection:

 

 

when HTTP_REQUEST

 

{

 

log local0. "Redirection to HTTPS!"

 

HTTP::redirect "HTTPS://testcase.college.edu/test/"

 

}

 

 

 

I need to exclude a single IP to continue using port 80. But want to insure all other traffic is redirected to use 443

 

 

SO somoehow I want all traffic except for 10.0.0.1 to use https

 

 

Thanks,'

 

 

Chris
application delivery
dev
devops
iRules

17 Replies

  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    Aug 17, 2006
    If all you're trying to do is check to be sure that the incoming request isn't from 10.0.0.1, you could use something like:

    
when HTTP_REQUEST {
  if { not ( [IP::client_addr] eq "10.0.0.1" ) } {
    log local0. "Redirection to HTTPS!"
    HTTP::redirect "HTTPS://testcase.college.edu/test/"
  }
}

    Colin
  • Michael_Falkenr's avatar
    Michael_Falkenr
    Historic F5 Account
    Aug 17, 2006
    just a different spin...

     

     

    when HTTP_REQUEST {

     

    if { [IP::addr [IP::client_addr] equals 10.10.10.128] } {

     

    pool www_f5_com

     

    }

     

    else {

     

    log local0. "Redirection to HTTPS!"

     

    HTTP::redirect "http://www.cnn.com/"

     

    }

     

    }
  • Chad_Roberts_21's avatar
    Chad_Roberts_21
    Icon for Nimbostratus rankNimbostratus
    Aug 18, 2006
    One more spin...

    I prefer Colin's approach above for a single address exclusion, but if you ever decide to add further addresses, here would be the logic for comparing the address to a group list. Just create a Data Group List of type Address in the iRules section in GTM for this to work. In the example, I have named the group list "address_exceptions".

    when HTTP_REQUEST {
  if { not [matchclass [IP::client_addr] equals $::address_exceptions] } {
    log local0. "Redirection to HTTPS!"
    HTTP::redirect "HTTPS://testcase.college.edu/test/"
  }
}
  • Chris_Howell_11's avatar
    Chris_Howell_11
    Icon for Nimbostratus rankNimbostratus
    Aug 21, 2006
    THanks you guys are great,

     

     

    How would I create the Data Group? I think now I need multiple address. My Tandem responds from one of 17 available IPs,

     

     

    I appreciate the help. I am trying to learn as fast as possible.

     

     

    Chris
  • Chris_Howell_11's avatar
    Chris_Howell_11
    Icon for Nimbostratus rankNimbostratus
    Aug 21, 2006
    THanks,

     

     

    After I clicked send, I saw it in the top of your original post, SOrry

     

     

    Doing it now.

     

     

    Thanks
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Aug 21, 2006
    The data group list tab under the iRules screen appears to be missing in the GTM gui in 9.2.3....

     

     

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Aug 21, 2006
    I was able to load the class via the CLI in the /config/gtm/wideip.conf file, but I haven't tested anything to make sure it is accessible.
  • Chad_Roberts_21's avatar
    Chad_Roberts_21
    Icon for Nimbostratus rankNimbostratus
    Aug 21, 2006
    I'm running BIG-IP 9.2.3 Build 34.3 (one set upgraded from 9.1.something, two sets built from scratch), and it shows up in all of those. Are you running a different build?
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Aug 21, 2006
    A hotfix I applied has altered my version to BIG-IP Version 9.2.3 107.0, which apparently has fixed some things and broken others....

     

     

    I have seen a stunning amount of bugs and oversights lately....c'mon F5 QC!