Forum Discussion
hooleylist
Jun 21, 2011
Hi Victor,
Since you're not specifying a different pool in the iRule, it will default to using the virtual server's pool if the request is allowed through. You can use logic like this to allow all requests from a specific set of client IPs or to an allowed URI:
```tcl
when CLIENT_ACCEPTED {
    if { not [matchclass [IP::client_addr] equals $::myallowedclients] }{
        # Client is not in the allowed class
        set allowed 0
    } else {
        set allowed 1
    }
}
when HTTP_REQUEST {
    if {$allowed or [HTTP::uri] starts_with "/my_global_allowed_uri"}{
        # Allow request to go to pool
    } else {
        # Disallowed request
        # Either reset the connection...
        reject
        # ...or send an HTTP reject message instead (use one or the other)
        #HTTP::respond 403 content {blocked!}
    }
}
```
Or for a set of whitelisted URIs:
```tcl
when CLIENT_ACCEPTED {
    if { not [matchclass [IP::client_addr] equals $::myallowedclients] }{
        # Client is not in the allowed class
        set allowed 0
    } else {
        set allowed 1
    }
}
when HTTP_REQUEST {
    # Check if requested URI is whitelisted
    switch -glob [HTTP::uri] {
        "/allowed_starts_with/*" -
        "*/allowed_contains/*" -
        "/allowed_exact" {
            set allowed 1
        }
    }
    if { $allowed == 0 }{
        # Disallowed request
        # Either reset the connection...
        reject
        # ...or send an HTTP reject message instead (use one or the other)
        #HTTP::respond 403 content {blocked!}
    }
}
```
Also, if you're on 9.4.4 or higher, you should remove the $:: prefix from the datagroup references in the iRule:
http://devcentral.f5.com/wiki/default.aspx/iRules/CMPCompatibility.html
And if you're running IIS, there are simple ways to bypass this logic:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/30900/showtab/groupforums/Default.aspx31324
Aaron
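As an added example (not part of Aaron's post above), here is the IP allowlist and the URI allowlist combined into one rule in the 9.4.4+ form without the $:: prefix, with the two data groups moved into datagroup lists so the URI prefixes are not hard-coded in the rule; it also logs each blocked request and matches on the lowercased path, since IIS serves paths case-insensitively and the rule should agree with the backend on what was requested. The data groups myallowedclients (address type) and myalloweduris (string type, one path prefix per entry) are assumed to exist on the BIG-IP.

```tcl
# Added example: combined client-IP and URI allowlist (not from the original post).
# Assumes two data groups exist: myallowedclients (addresses) and
# myalloweduris (string prefixes such as /allowed_starts_with/).
when CLIENT_ACCEPTED {
    # Per-connection flag: 1 if the client address is in the allowed class.
    # No $:: prefix, per the CMP compatibility guidance for 9.4.4 and later.
    if { [matchclass [IP::client_addr] equals myallowedclients] } {
        set allowed 1
    } else {
        set allowed 0
    }
}

when HTTP_REQUEST {
    # Compare the path only (query string excluded), lowercased so that a
    # case-insensitive backend such as IIS and this rule see the same value.
    set path [string tolower [HTTP::path]]

    # Connection-level decision carries over; only consult the URI list
    # when the client address was not already allowed.
    set permit $allowed
    if { $permit == 0 } {
        if { [matchclass $path starts_with myalloweduris] } {
            set permit 1
        }
    }

    if { $permit == 0 } {
        # Disallowed: record the attempt for the ops team, then send a 403.
        log local0. "Blocked [IP::client_addr] -> [HTTP::host][HTTP::uri]"
        HTTP::respond 403 content {blocked!}
        return
    }
    # Allowed: fall through to the virtual server's default pool
}
```

Entries in myalloweduris should be stored lowercased as well, since the rule lowercases the request path before the comparison.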