Forum Discussion
Richard_
Altocumulus
Sep 05, 2016
How to filter client access based on source IP and URI
Hi,
For a web service we have to give clients access to a specific URI, but only from a specified list of IP addresses. So access to www.site.foo/uri1 only from 1.1.1.1 and 1.1.1.2 and access to w...
Kai_Wilke
MVP
Sep 06, 2016
Hi Richard,
You may try one of the following examples...
Example 1: Using a single datagroup to assign allowed IPs to restricted URIs
Datagroup (DG_MY_URI Type STRING):
"/folder1" := "1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4"
"/folder2" := "1.1.1.1 2.2.2.2"
"/folder3" := "3.3.3.3 4.4.4.4"
"/folder4" := "5.5.5.5"
iRule:
when HTTP_REQUEST {
    # Look up a data-group key that is a prefix of the (lower-cased) request path;
    # the value is the whitespace-separated list of client IPs allowed to reach it.
    if { [set uri_result [class match -value [string tolower [HTTP::path]] starts_with DG_MY_URI]] ne "" } then {
        # -exact compares list elements literally instead of as glob patterns
        if { [lsearch -exact -inline $uri_result [IP::client_addr]] eq "" } then {
            HTTP::respond 403 content "Access denied..." "Content-Type" "text/html"
        } else {
            # Allow trusted IP
        }
    } else {
        # Allow requests to unknown URIs
    }
}
Example 2: Using two datagroups to support a "kind of" object based ACL.
Datagroup (DG_MY_URI Type STRING):
"/folder1" := "Internal Customer1 Customer2 Customer3"
"/folder2" := "Internal Customer2 Customer3"
"/folder3" := "Internal Customer3"
"/folder4" := "Location1 Location2"
IP Datagroup (DG_MY_IP Type IP-Address):
"10.0.0.0/8" := "Internal"
"10.10.10.0/24" := "Internal Location1"
"10.10.11.0/24" := "Internal Location1"
"10.10.12.0/24" := "Internal Location1"
"10.10.13.0/24" := "Internal Location1"
"10.10.14.0/24" := "Internal Location2"
"10.10.15.0/24" := "Internal Location2"
"10.10.16.0/24" := "Internal Location2"
"10.10.17.0/24" := "Internal Location2"
"111.111.111.111" := "Customer1"
"172.16.0.0/12" := "Internal"
"190.190.190.190" := "Customer2"
"192.168.0.0/16" := "Internal"
"212.212.212.212" := "Customer3"
iRule:
when CLIENT_ACCEPTED {
    # Resolve the client address once per connection to its labels. The data group is
    # built so that the more specific subnet (e.g. 10.10.10.0/24) carries the location
    # label in addition to the "Internal" label of the enclosing 10.0.0.0/8.
    set ip_result [class match -value [IP::client_addr] equals DG_MY_IP]
}
when HTTP_REQUEST {
    if { [set uri_result [class match -value [string tolower [HTTP::path]] starts_with DG_MY_URI]] ne "" } then {
        if { $ip_result eq "" } then {
            # Disallow the request: the client address carries no labels, fall through to the 403
        } else {
            # Allow as soon as one label required by the URI is held by the client address
            foreach uri_entry $uri_result {
                if { [lsearch -exact -inline $ip_result $uri_entry] ne "" } then {
                    # Allow trusted IP
                    return
                }
            }
            # Disallow the request: no label matched, fall through to the 403
        }
    } else {
        # Allow requests to unknown URIs
        return
    }
    # Trigger the error page...
    HTTP::respond 403 content "Access denied..." "Content-Type" "text/html"
}
Cheers, Kai
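The two iRules above only run on a BIG-IP, so here is an added reference model in Python (not F5 code and not part of Kai's answer) that reproduces their decision logic against the answer's own data groups, so the matching rules can be exercised off-box. It assumes that an address data group returns the most specific (longest-prefix) entry containing the client address and that the string data group returns the longest key that is a prefix of the lower-cased path; neither detail is stated on the page. The `normalize` option collapses dot segments before matching, which the posted iRules do not do; it is an added hardening included because a backend that resolves `..` itself would otherwise serve a different path than the one the rule authorised.

```python
"""Added reference model of the data-group ACL from the answer above.

This is NOT F5 code and does not run on a BIG-IP; it reproduces the decision
logic of the two iRules in plain Python so the matching rules can be checked
against sample requests.  Assumptions (not stated on the page):
  * on an address data group, `class match -value ... equals` returns the value
    of the most specific (longest-prefix) entry containing the client address;
  * on the string data group, `starts_with` returns the value of the longest
    key that is a prefix of the lower-cased path;
  * `normalize=True` collapses dot segments before matching.  The posted iRules
    do not do this; it is an added hardening for backends that resolve "..".
"""
import ipaddress
import posixpath

# Constructed copies of the data groups from the answer.
DG_MY_URI = {
    "/folder1": "Internal Customer1 Customer2 Customer3",
    "/folder2": "Internal Customer2 Customer3",
    "/folder3": "Internal Customer3",
    "/folder4": "Location1 Location2",
}
DG_MY_IP = {
    "10.0.0.0/8": "Internal",
    "10.10.10.0/24": "Internal Location1",
    "10.10.11.0/24": "Internal Location1",
    "10.10.12.0/24": "Internal Location1",
    "10.10.13.0/24": "Internal Location1",
    "10.10.14.0/24": "Internal Location2",
    "10.10.15.0/24": "Internal Location2",
    "10.10.16.0/24": "Internal Location2",
    "10.10.17.0/24": "Internal Location2",
    "111.111.111.111": "Customer1",
    "172.16.0.0/12": "Internal",
    "190.190.190.190": "Customer2",
    "192.168.0.0/16": "Internal",
    "212.212.212.212": "Customer3",
}
DG_EXAMPLE1_URI = {
    "/folder1": "1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4",
    "/folder2": "1.1.1.1 2.2.2.2",
    "/folder3": "3.3.3.3 4.4.4.4",
    "/folder4": "5.5.5.5",
}


def ip_labels(client_ip, dg=DG_MY_IP):
    """Labels of the most specific address entry containing client_ip (Example 2)."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for key, value in dg.items():
        net = ipaddress.ip_network(key, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return set(best[1].split()) if best else set()


def uri_labels(path, dg):
    """Value of the longest data-group key that is a prefix of the lower-cased
    path, as a set of tokens; None when no key matches (unknown URI)."""
    path = path.lower()
    best_key = None
    for key in dg:
        if path.startswith(key) and (best_key is None or len(key) > len(best_key)):
            best_key = key
    return set(dg[best_key].split()) if best_key else None


def decide(client_ip, path, uri_dg=DG_MY_URI, label_fn=ip_labels, normalize=False):
    """Return "allow" or "deny", following the control flow of the HTTP_REQUEST rule.

    label_fn maps the client address to the tokens it may present: ip_labels()
    for Example 2, or the literal address for Example 1 (see example1()).
    """
    if normalize:                     # added hardening, not in the posted iRule
        path = posixpath.normpath(path)
    allowed = uri_labels(path, uri_dg)
    if allowed is None:
        return "allow"                # unknown URI: the rule lets it through
    return "allow" if allowed & label_fn(client_ip) else "deny"


def example1(client_ip, path, normalize=False):
    """Example 1 semantics: the data-group value is the list of allowed addresses."""
    return decide(client_ip, path, DG_EXAMPLE1_URI, lambda ip: {ip}, normalize)


if __name__ == "__main__":
    samples = [
        ("10.10.10.5", "/folder4"),                  # Location1 via the /24: allowed
        ("10.0.0.5", "/folder4"),                    # only Internal via the /8: denied
        ("190.190.190.190", "/folder3"),             # Customer2 may not see /folder3
        ("190.190.190.190", "/folder2/../folder3"),  # outcome differs once normalized
    ]
    for ip, path in samples:
        print(f"{ip:16} {path:22} raw={decide(ip, path):5} "
              f"normalized={decide(ip, path, normalize=True)}")
```

Run it directly to print the four sample decisions, or import it and call `decide()` or `example1()` with your own data groups. Note that both posted rules are default-allow for any path that matches no data-group key, and that they match the raw HTTP::path; the `normalized` column is only meaningful once you have confirmed how your backend treats dot segments.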