Forum Discussion
VictorC (Nimbostratus)
Jun 21, 2011
HTTP VS: Only allow specific client IP but open specific /uri for all.
Hi,
Currently I have an iRule on a HTTP VS that discards requests if the client IP is not in the allow class. Now I have to add an extra requirement to allow 'all' if a specific /uri is given. Here's my current iRule (thanks to previous posts found in the forum).
class myallowedclients {
    host 111.22.33.1
    host 111.22.33.2
}

rule restrict-rule {
    when CLIENT_ACCEPTED {
        if { [matchclass [IP::client_addr] equals $::myallowedclients] } {
            # Do nothing... the iRule will complete and the request will be
            # sent to the pool based on the virtual server definition
        } else {
            discard
        }
    }
}
I may have to use this requirement for multiple HTTP VS with the same client allow list, but different pools so it'd be great if I can use one rule for all.
Thanks in advance.
Victor
25 Replies
- Colin_Walker_12 (Historic F5 Account)
It sounds like what you're looking for is pretty simple, something like this:

when CLIENT_ACCEPTED {
    if { ! (([matchclass [IP::client_addr] equals $::myallowedclients]) || ([string tolower [HTTP::uri]] eq "/letmein")) } {
        discard
    }
}
I dumped the empty if case and added the ! to make it a little more straightforward, but basically I just added an or case along with your current class match.
Colin
- hoolio (Cirrostratus)
Hi Victor,
Since you're not specifying a different pool in the iRule, it will default to using the virtual server's pool if the request is allowed through. You can use logic like this to allow all requests from a specific set of client IPs or to an allowed URI:

when CLIENT_ACCEPTED {
    if { not [matchclass [IP::client_addr] equals $::myallowedclients] } {
        # Client is not in the allowed class
        set allowed 0
    } else {
        set allowed 1
    }
}
when HTTP_REQUEST {
    if { $allowed or [HTTP::uri] starts_with "/my_global_allowed_uri" } {
        # Allow request to go to pool
    } else {
        # Disallowed request
        # Reset connection
        #reject
        # Send HTTP reject message
        HTTP::respond 403 content {blocked!}
    }
}
Or for a set of whitelisted URIs:

when CLIENT_ACCEPTED {
    if { not [matchclass [IP::client_addr] equals $::myallowedclients] } {
        # Client is not in the allowed class
        set allowed 0
    } else {
        set allowed 1
    }
}
when HTTP_REQUEST {
    # Check if requested URI is whitelisted
    switch -glob [HTTP::uri] {
        "/allowed_starts_with/*" -
        "*/allowed_contains/*" -
        "/allowed_exact" {
            set allowed 1
        }
    }
    if { $allowed == 0 } {
        # Disallowed request
        # Reset connection
        #reject
        # Send HTTP reject message
        HTTP::respond 403 content {blocked!}
    }
}
Also, if you're on 9.4.4 or higher, you should remove the $:: prefix from the datagroup references in the iRule:
http://devcentral.f5.com/wiki/default.aspx/iRules/CMPCompatibility.html
And if you're running IIS, there are simple ways to bypass this logic:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/30900/showtab/groupforums/Default.aspx31324
Aaron
- VictorC (Nimbostratus)
Wow, you guys are quick! Thanks for the replies. I will test them out with the requester. Thanks again!
- Colin_Walker_12 (Historic F5 Account)
Sure thing, let us know how it goes. ;)
Colin
- VictorC (Nimbostratus)
Colin,
I get the following error:
line 2: [command is not valid in current event context (CLIENT_ACCEPTED)] [HTTP::uri]
Hoolio,
I tried your 2nd sample with the glob because it looks like we'll have more /uri to allow in the future. However, there is something interesting. The iRule works when I hit the home page (it gets blocked, and confirmed when I turned on logging). When I go to /myuri it is working as well. However, when I hit the Back button on the browser to the original home page, it lets me in even though the log says I'm blocked. Some kind of loophole, eh? I even cleared my cache and cookies just to be sure.
Thanks
- Colin_Walker_12 (Historic F5 Account)
Whoops, I didn't even pay attention to what event you were working in. You'd need to move the iRule (or at least the HTTP portion) into the HTTP_REQUEST event.
If you want help with that I'm more than happy to whip it up for you. Just let me know.
Colin
- hoolio (Cirrostratus)
Can you clear your browser cache and retest? If the issue still recurs, can you add debug logging and check /var/log/ltm for the output?

when CLIENT_ACCEPTED {
    if { [matchclass [IP::client_addr] equals $::myallowedclients] } {
        set allowed 1
        log local0. "[IP::client_addr]:[TCP::client_port]: Client is in allowed class"
    } else {
        # Client is not in the allowed class
        set allowed 0
        log local0. "[IP::client_addr]:[TCP::client_port]: Client is not in allowed class"
    }
}
when HTTP_REQUEST {
    # Check if requested URI is whitelisted
    switch -glob [HTTP::uri] {
        "/allowed_starts_with/*" -
        "*/allowed_contains/*" -
        "/allowed_exact" {
            set allowed 1
            log local0. "[IP::client_addr]:[TCP::client_port]: URI is allowed per whitelist"
        }
    }
    if { $allowed == 0 } {
        # Disallowed request
        # Reset connection
        #reject
        # Send HTTP reject message
        HTTP::respond 403 content {blocked!}
        log local0. "[IP::client_addr]:[TCP::client_port]: Blocking request"
    }
}

Aaron
- VictorC (Nimbostratus)
Ok, I've cleared my cookies and cache. Here are the steps I took, followed by what I see in the log. (I'm using the HTTP::respond 403 content)
Went to the home page and saw the blocked! message:
Jun 21 11:36:37 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53478: Blocking request
Added /myuri in the URL bar without closing the browser:
Jun 21 11:36:52 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53477: URI is allowed per whitelist
Hit the Back button on the browser to bring me back to the home page; nothing is logged (and I see the blocked! message from the web page; seems like it's from cache)
Hit Refresh on the browser a few times and I can see contents on the home page, which I shouldn't.
Jun 21 11:37:03 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53478: Blocking request
Jun 21 11:37:07 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53478: Blocking request
Jun 21 11:37:07 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53488: Client is not in allowed class
Jun 21 11:37:07 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53489: Client is not in allowed class
Jun 21 11:37:07 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53478: Blocking request
Jun 21 11:37:07 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53488: Blocking request
Jun 21 11:37:07 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53490: Client is not in allowed class
Jun 21 11:37:07 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53491: Client is not in allowed class
Jun 21 11:37:07 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53489: Blocking request
Jun 21 11:37:07 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53490: Blocking request
Jun 21 11:37:07 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53491: Blocking request
Jun 21 11:37:08 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53478: Blocking request
Jun 21 11:37:08 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53488: Blocking request
Jun 21 11:37:08 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53489: Blocking request
Jun 21 11:37:08 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53490: Blocking request
Jun 21 11:37:08 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53491: Blocking request
Jun 21 11:37:12 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53478: Blocking request
Jun 21 11:37:12 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53488: Blocking request
Jun 21 11:37:12 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53489: Blocking request
Jun 21 11:37:12 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53490: Blocking request
Jun 21 11:37:12 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53491: Blocking request
Jun 21 11:37:12 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53478: Blocking request
Jun 21 11:37:12 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53488: Blocking request
Waited a minute, hit Refresh again, and this time I'm blocked.
Jun 21 11:38:04 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53489: Blocking request
Jun 21 11:38:04 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53490: Blocking request
Jun 21 11:38:04 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53491: Blocking request
Jun 21 11:38:04 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53478: Blocking request
Jun 21 11:38:04 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53488: Blocking request
Jun 21 11:38:04 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53489: Blocking request
Jun 21 11:38:04 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53490: Blocking request
Jun 21 11:38:04 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53491: Blocking request
Jun 21 11:38:04 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53478: Blocking request
Strange, right?
- hoolio (Cirrostratus)
Sorry, I should have included the URI in the logs. Can you try this?

when CLIENT_ACCEPTED {
    if { [matchclass [IP::client_addr] equals $::myallowedclients] } {
        set allowed 1
        log local0. "[IP::client_addr]:[TCP::client_port]: Client is in allowed class"
    } else {
        # Client is not in the allowed class
        set allowed 0
        log local0. "[IP::client_addr]:[TCP::client_port]: Client is not in allowed class"
    }
}
when HTTP_REQUEST {
    # Check if requested URI is whitelisted
    switch -glob [HTTP::uri] {
        "/allowed_starts_with/*" -
        "*/allowed_contains/*" -
        "/allowed_exact" {
            set allowed 1
            log local0. "[IP::client_addr]:[TCP::client_port]: URI is allowed per whitelist [HTTP::uri]"
        }
    }
    if { $allowed == 0 } {
        # Disallowed request
        # Reset connection
        #reject
        # Send HTTP reject message
        HTTP::respond 403 content {blocked!}
        log local0. "[IP::client_addr]:[TCP::client_port]: Blocking request to [HTTP::uri]"
    }
}

Aaron
- VictorC (Nimbostratus)
Home page (shows blocked!)
Jun 21 12:03:56 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53563: Client is not in allowed class
Jun 21 12:03:56 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53563: Blocking request to /
Accessed /myuri (no block)
Jun 21 12:04:08 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53563: URI is allowed per whitelist /myuri
Hit Back button, seeing cached blocked! page (but no log entries)
Hit Refresh and seeing content (although the page is not completely rendered)
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53571: Client is not in allowed class
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53571: Blocking request to /css/fmw_top_frame_welcome_area.css
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53573: Client is not in allowed class
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53572: Client is not in allowed class
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53574: Client is not in allowed class
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53575: Client is not in allowed class
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53573: Blocking request to /JSLibrary/fmw_all.js
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53572: Blocking request to /css/fmw_bottom_area.css
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53574: Blocking request to /JSLibrary/educational_text.js
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53575: Blocking request to /JSLibrary/DHTMLAPI.js
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53573: Blocking request to /welcome_images/oracle_logo_red.png
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53571: Blocking request to /JSLibrary/getIllustration.js
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53572: Blocking request to /JSLibrary/getIllustration.js
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53574: Blocking request to /welcome_images/oracle_logo_red.png
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53575: Blocking request to /welcome_images/header_back.png
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53573: Blocking request to /welcome_images/background_top.png
Jun 21 12:04:30 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53571: Blocking request to /welcome_images/explore_interactive_overview.png
Hit Refresh again (shows blocked!)
Jun 21 12:09:13 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53578: Client is not in allowed class
Jun 21 12:09:13 tmm tmm[1085]: Rule restrict-rule : 10.10.10.5:53578: Blocking request to /
It seems I can reproduce this only when I get into /myuri and then hit the Back button and Refresh.
Thanks
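An added example (editor's code, not posted by anyone in this thread) that addresses the Back/Refresh behaviour in the trace above. It assumes the address data group is named myallowedclients, as in the original post, and keeps hoolio's placeholder URIs; replace both with real values. Two properties of the posted HTTP_REQUEST logic matter here. First, iRule variables persist for the life of the TCP connection, so the `set allowed 1` executed for /myuri also applies to every later request the browser sends on that same keep-alive connection; in the 12:04 trace, port 53563 is allowed for /myuri and the refresh of / that follows on it produces no log line at all, while the page's sub-resources arrive on new connections (53571 to 53575) and are blocked. Second, HTTP::uri includes the query string, so a glob such as "*/allowed_contains/*" also matches a request for / that merely carries that text after the "?". The version below recomputes the decision for every request, matches on the decoded path, refuses dot-dot and backslash segments so a prefix entry cannot be stretched into a neighbouring directory, and marks the block page no-store so the browser asks the LTM again instead of replaying cached output.

```tcl
# Added example, not code from the thread. Assumes an address-type data group
# named "myallowedclients" (as in the original post) and the placeholder URIs
# hoolio used; both are assumptions to replace with real values.

when CLIENT_ACCEPTED {
    # Connection-scoped fact: decided once per TCP connection and never
    # changed afterwards. (On 9.4.4 and later, reference the data group
    # by name, without the $:: prefix.)
    if { [matchclass [IP::client_addr] equals myallowedclients] } {
        set client_allowed 1
    } else {
        set client_allowed 0
    }
}

when HTTP_REQUEST {
    # Request-scoped decision, recomputed for every request on the connection.
    # Never "set allowed 1" here: iRule variables live for the whole TCP
    # connection, so a value set for one allowed URI would also apply to the
    # next request the browser sends on the same keep-alive connection.
    set uri_allowed 0

    # Match on the path only. HTTP::uri includes the query string, so a
    # "*/allowed_contains/*" glob against HTTP::uri would also match
    # "/?x=/allowed_contains/".
    set path [string tolower [URI::decode [HTTP::path]]]

    # Do not let a prefix entry be stretched with dot-dot or backslash
    # segments; the LTM does not normalize paths but the backend will.
    if { ($path contains "..") || ($path contains "\\") } {
        log local0. "[IP::client_addr]:[TCP::client_port]: rejecting suspicious path [HTTP::uri]"
        HTTP::respond 400 content {bad request} "Content-Type" "text/plain" "Cache-Control" "no-store"
        return
    }

    switch -glob -- $path {
        "/allowed_starts_with/*" -
        "/allowed_exact" {
            set uri_allowed 1
        }
    }

    if { $client_allowed || $uri_allowed } {
        # Allowed: do nothing further and the request goes to the virtual
        # server's default pool.
        log local0. "[IP::client_addr]:[TCP::client_port]: allowing [HTTP::uri] (client=$client_allowed uri=$uri_allowed)"
        return
    }

    log local0. "[IP::client_addr]:[TCP::client_port]: blocking [HTTP::uri]"
    # no-store keeps the browser from replaying the block page (or an earlier
    # allowed page) on Back/Refresh instead of asking the LTM again.
    HTTP::respond 403 content {blocked!} "Content-Type" "text/plain" "Cache-Control" "no-store"
}
```

Because the rule never names a pool, the same iRule can be attached to several virtual servers with different default pools, which was the requirement in the original question. The "*/allowed_contains/*" entry from the thread is left out on purpose: a match-anywhere glob is hard to reason about in an allow list, so add exact paths or short prefixes instead. The dot-dot check only covers what the LTM can see after one round of decoding; a backend that decodes again, or treats other characters as separators, still needs its own hardening, which is the point of the IIS caveat earlier in the thread.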