Forum Discussion
pkhatri_72515
Nimbostratus
Apr 02, 2010
How permit part of the url access?
How to permit part of the url accessed by only few IP addresses using data group and part of the same url accessed by all?
for example
http://example.something.com/Part_one should be accessed only by 3 ip addresses (datagroup) and
http://example.something.com/Part_one/Part_all should be accessed by everybody?
Thanks,
PK.
11 Replies
- The_Bhattman
Nimbostratus
Hi PK,
I suppose you can write it up in the following manner
when HTTP_REQUEST {
    # Clients outside the data group that ask for /Part_one are sent to /Part_one/Part_all
    if { !([matchclass [IP::client_addr] equals $::datagroup]) and ([HTTP::uri] eq "/Part_one") } {
        HTTP::redirect "http://[HTTP::host][HTTP::uri]/Part_all"
    }
}
I hope this helps
Bhattman
- pkhatri_72515
Nimbostratus
Hi Bhattman,
here is the original iRule
when HTTP_REQUEST {
if { ([string tolower [HTTP::uri]] starts_with "/claytonkb/") or ([string tolower [HTTP::uri]] equals "/claytonkb") } {
if { not ([matchclass [IP::client_addr] equals $::Clayton_allowed_IPs]) } {
log local0. "Caught [HTTP::uri] from [IP::client_addr]"
HTTP::redirect "http://static.bla.com/403.htm"
}
}
}
Now in the same URL, they added /assets and that is permitted for everybody. Would this work?
when HTTP_REQUEST {
if { ([string tolower [HTTP::uri]] starts_with "/claytonkb/") or ([string tolower [HTTP::uri]] equals "/claytonkb") } {
if { not ([matchclass [IP::client_addr] equals $::Clayton_allowed_IPs]) } {
log local0. "Caught [HTTP::uri] from [IP::client_addr]"
HTTP::redirect "http://static.bla.com/403.htm"
elseif { ([string tolower [HTTP::uri] starts_with "/assets/") or ([string tolower [HTTP::uri] eq "/assets") } {
pool acr.bla.com_http
}
}
}
}
Appreciate your help.
PK.
- The_Bhattman
Nimbostratus
Hi PK,
There are some syntax errors and you don't need to use 'starts_with "/assets" ' and another comparison with 'eq "/assets" '. The same goes for the "claytonkb" comparisons.
when HTTP_REQUEST {
    # Lower-case the URI once and reuse it
    set uri_path [string tolower [HTTP::uri]]
    if { not ([matchclass [IP::client_addr] equals $::Clayton_allowed_IPs]) and ($uri_path starts_with "/claytonkb/") } {
        log local0. "Caught [HTTP::uri] from [IP::client_addr]"
        HTTP::redirect "http://static.bla.com/403.htm"
        return
    } elseif { ($uri_path starts_with "/assets") } {
        pool acr.bla.com_http
    }
}
As you can see you don't need 2 comparisons with the same path, because in your example you have already used "starts_with" which covers the different permutations of "assets" and "claytonkb"
or another way to write this up using the SWITCH command.
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "/claytonkb*" -
        "/assets*" {
            if { not [matchclass [IP::client_addr] equals $::Clayton_allowed_IPs] } {
                log local0. "Caught [HTTP::uri] from [IP::client_addr]"
                HTTP::redirect "http://static.bla.com/403.htm"
                return
            }
            pool acr.bla.com_http
        }
    }
}
The switch command is supposed to be lower overhead, but I don't think in your case you will see remarkable improvement, but it does scale better.
- pkhatri_72515
Nimbostratus
Hi Bhattman,
Not sure why, but it did not work; even http://acr.bla.com did not work.
So the URL https://acr.bla.com/Claytonkb --> should be accessed only by those in the datagroup "Clayton_allowed_IPs" - works fine with current iRule in place.
Now the same URL with https://acr.bla.com/Claytonkb/Assets/Finance/permit.pdf --> should be accessed by everybody without any restrictions. That's all I am trying to achieve.
I truly appreciate your help man, Thanks again.
PK.
- pkhatri_72515
Nimbostratus
And I would appreciate it if you put comments in the code; I am new to iRules and it would greatly help. Thanks, PK.
- hoolio
Cirrostratus
HTTP::redirect "http://static.bla.com/403.htm" target="_blank" rel="nofollow">http://static.bla.com/403.htm"
This won't work as you're probably expecting, as it's HTML you're trying to send back to the client. If you send a 302 redirect with a Location header of http://static.bla.com/403.htm, the client will make a new GET request to that URL using the same window. If you want to send back a page with HTML including a link to the page, you could use HTTP::respond instead.
If you configure a default pool on the VIP, you could use a simplified version of CB's switch based iRule to check the requested URI and client IP for requested paths of exactly /Claytonkb:
when HTTP_REQUEST {
    # Check the requested path set to lowercase
    switch [string tolower [HTTP::path]] {
        "/claytonkb" {
            # Requested path was exactly /claytonkb, so check if the client IP is not in the datagroup
            if { not [matchclass [IP::client_addr] equals $::Clayton_allowed_IPs] } {
                log local0. "[IP::client_addr]:[TCP::client_port]: Redirecting request from [HTTP::uri]"
                HTTP::redirect "http://static.bla.com/403.htm"
            }
        }
    }
}
If you have other paths you want to check for, you could add them to the switch statement.
Aaron
- pkhatri_72515
Nimbostratus
OK, so I simplified the iRule like this
when HTTP_REQUEST {
    if { ([string tolower [HTTP::uri]] starts_with "/claytonkb/") or ([string tolower [HTTP::uri]] equals "/claytonkb") } {
        if { not ([matchclass [IP::client_addr] equals $::CityOfClayton_allowed_IPs]) } {
            log local0. "Caught [HTTP::uri] from [IP::client_addr]"
            HTTP::redirect "http://static.bla.com/403.htm"
        }
    }
}
and this works like it is supposed to. Now can I add elseif or any other construct statement to get http://acr.bla.com/claytonkb/Assets/Finance/permit.pdf into the same iRule and get everybody else to be able to access it? I don't mind adding another iRule either, this is not heavy traffic anyways.
Thanks,
PK.
- hoolio
Cirrostratus
Hi PK,
It's going to be more efficient to use a switch statement to check the URI set to lower case, as you only perform the 'string tolower' operation once. If you modify the last switch based iRule I posted to check /claytonkb and /claytonkb/, it should meet your requirements. By default all other URIs would be sent to the VIP's default pool without a check of the client IP address.
when HTTP_REQUEST {
    # Check the requested path set to lowercase
    switch [string tolower [HTTP::path]] {
        "/claytonkb" -
        "/claytonkb/" {
            # Requested path was exactly /claytonkb or /claytonkb/, so check if the client IP is not in the datagroup
            if { not [matchclass [IP::client_addr] equals $::Clayton_allowed_IPs] } {
                log local0. "[IP::client_addr]:[TCP::client_port]: Redirecting request from [HTTP::uri]"
                HTTP::redirect "http://static.bla.com/403.htm"
            }
        }
    }
}
Aaron
- pkhatri_72515
Nimbostratus
Hoolio,
Thanks for looking, this is fine. Now I want to add /claytonkb/assets in the URI, and if the request has /assets in the URI, that needs to be allowed to everybody. How would I do that?
Thanks,
PK.
- hoolio
Cirrostratus
I assume you want to check the client IP for requests to /claytonkb/assets? If so, you can use this:
when HTTP_REQUEST {
    # Check the requested path set to lowercase
    switch [string tolower [HTTP::path]] {
        "/claytonkb/assets" -
        "/claytonkb" -
        "/claytonkb/" {
            # Requested path was exactly /claytonkb or /claytonkb/, so check if the client IP is not in the datagroup
            if { not [matchclass [IP::client_addr] equals $::Clayton_allowed_IPs] } {
                log local0. "[IP::client_addr]:[TCP::client_port]: Redirecting request from [HTTP::uri]"
                HTTP::redirect "http://static.bla.com/403.htm"
            }
        }
    }
}
Aaron
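
The requirement stated in the question (everything under /claytonkb limited to the data group, with /claytonkb/assets open to everybody) written as one iRule. This is an added example, not code from any reply in this thread; it assumes a default pool on the virtual server and reuses the thread's data group name Clayton_allowed_IPs and 403 page URL.

```tcl
when HTTP_REQUEST {
    # Decode and lower-case the path once; HTTP::path excludes the query string.
    set path [string tolower [URI::decode [HTTP::path]]]

    # Refuse dot-segments so the public prefix below cannot be used to
    # address a restricted sibling path.
    if { $path contains ".." } {
        log local0. "[IP::client_addr]: rejected path [HTTP::path]"
        HTTP::redirect "http://static.bla.com/403.htm"
        return
    }

    # The first matching pattern wins, so the public exception is listed first.
    switch -glob $path {
        "/claytonkb/assets" -
        "/claytonkb/assets/*" {
            # Open to everybody, no client IP check. The request goes to
            # the default pool (assumed to be set on the virtual server).
        }
        "/claytonkb" -
        "/claytonkb/*" {
            # Everything else under /claytonkb is limited to the data group.
            if { not [matchclass [IP::client_addr] equals $::Clayton_allowed_IPs] } {
                log local0. "[IP::client_addr]:[TCP::client_port]: Redirecting request from [HTTP::uri]"
                HTTP::redirect "http://static.bla.com/403.htm"
            }
        }
    }
}
```

On BIG-IP v10 and later the same data group lookup is written `class match [IP::client_addr] equals Clayton_allowed_IPs`.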
