Forum Discussion
How do I only allow access to certain folders from a few IPs but not others
I can create a data group for the approved IP list, but how do I take that list and use it to allow access to folders? For example:
IP 1.2.3.4 can access
mysite.com/folder1 mysite.com/folder2 mysite.com/folder3
but not IP 2.3.4.5
3 Replies
Assuming the data group is called allowed_ips, something like this should work:

    when HTTP_REQUEST {
        # Protected folders: fall through the three patterns to one handler
        switch -glob [HTTP::uri] {
            "/folder1*" -
            "/folder2*" -
            "/folder3*" {
                # Any client not listed in the allowed_ips data group is rejected
                if { not [class match [IP::client_addr] equals allowed_ips] } {
                    reject
                }
            }
        }
    }

- JRahm
Admin
Create an IP data group
    ltm data-group internal myiplist {
        records {
            1.2.3.4/32 { data "/folder1 /folder2 /folder3" }
            2.3.4.5/32 { data /folder4 }
            3.4.5.6/32 { data "/folder1 /folder4" }
        }
        type ip
    }

Then you can have an iRule like:

    when HTTP_REQUEST {
        # Space-separated folders stored against the record that matches the
        # client address; empty string when the address is not in the list
        set allowed [class lookup [IP::client_addr] myiplist]
        # Compare only the lower-cased top-level folder of the request, so that
        # /Folder1/page.html is judged as /folder1 rather than as the whole path
        set folder "/[lindex [split [string tolower [HTTP::path]] "/"] 1]"
        if { [lsearch -exact $allowed $folder] == -1 } {
            discard
        }
    }

I might have some syntax wrong there; I'm not currently near a box to test. But basically, you're searching the value of the IP key from the class for the allowed folder, and if it isn't present, discarding the request. You could redirect instead.
- Kevin_Nail
Nimbostratus
Thanks everyone!
I got it working by creating 2 data groups and an iRule (borrowed from some others):

    when HTTP_REQUEST {
        # Secure path (allowed_uriList, string data group) requested by a client
        # that is not in the ips_allow (IP data group): log and drop the request
        if { ([class match [string tolower [HTTP::path]] starts_with allowed_uriList]) and not ([class match [IP::client_addr] equals ips_allow]) } {
            log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])"
            discard
        } else {
            log local0. "Allowing connection from [IP::client_addr] to [HTTP::uri]"
        }
    }
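The per-IP folder check from this thread as a stand-alone Python model (added here; not code from the posts or from F5): the client address is resolved against the data-group records by longest prefix, the path is lower-cased and dot-segment normalised, and only its first segment is compared exactly, so "/folder10" or "/folder1/../folder4" cannot pass as "/folder1". The 10.0.0.0/8 and 10.1.0.0/16 records are constructed to show the CIDR lookup.

```python
import ipaddress
from posixpath import normpath

# Constructed model of the thread's "myiplist" ip-type data group:
# client network -> top-level folders that network may reach.
ACL = {
    ipaddress.ip_network("1.2.3.4/32"): ("/folder1", "/folder2", "/folder3"),
    ipaddress.ip_network("2.3.4.5/32"): ("/folder4",),
    ipaddress.ip_network("10.0.0.0/8"): ("/folder1",),   # constructed
    ipaddress.ip_network("10.1.0.0/16"): ("/folder2",),  # constructed, more specific
}


def canonical_path(raw_path: str) -> str:
    """Drop the query string, lower-case, and collapse '.'/'..' segments so
    '/Folder1/../folder4/x' is judged as '/folder4/x', not as folder1."""
    path = raw_path.split("?", 1)[0].lower()
    if not path.startswith("/"):
        path = "/" + path
    return normpath(path)


def top_folder(path: str) -> str:
    """First segment as '/name'; '/folder10/a' -> '/folder10', never '/folder1'."""
    segments = [s for s in path.split("/") if s]
    return "/" + segments[0] if segments else "/"


def allowed_folders(client_ip: str) -> tuple:
    """Most-specific network containing the client, like 'class lookup' on an
    ip-type data group; an unlisted client gets no folders at all."""
    addr = ipaddress.ip_address(client_ip)
    matches = [net for net in ACL if addr in net]
    if not matches:
        return ()
    return ACL[max(matches, key=lambda net: net.prefixlen)]


def decide(client_ip: str, raw_path: str) -> str:
    """'allow' if the request's top-level folder is listed for the client,
    otherwise 'discard' (deny by default, as in the myiplist iRule)."""
    folder = top_folder(canonical_path(raw_path))
    return "allow" if folder in allowed_folders(client_ip) else "discard"


if __name__ == "__main__":
    for ip, path in [("1.2.3.4", "/folder1/index.html"), ("2.3.4.5", "/folder1"),
                     ("1.2.3.4", "/folder10/x"), ("2.3.4.5", "/Folder1/../folder4/")]:
        print(ip, path, "->", decide(ip, path))
```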