Forum Discussion

VictorC's avatar
VictorC
Icon for Nimbostratus rankNimbostratus
Jun 21, 2011

HTTP VS: Only allow specific client IP but open specific /uri for all.

Hi,

 

 

Currently I have an iRule on a HTTP VS that discards requests if the client IP is not in the allow class. Now I have to add an extra requirement to allow 'all' if a specific /uri is given. Here's my current iRule (thanks to previous posts found in the forum).

 

 

 

class myallowedclients {

 

host 111.22.33.1

 

host 111.22.33.2

 

}

 

 

rule restrict-rule {

 

when CLIENT_ACCEPTED {

 

if { [matchclass [IP::client_addr] equals $::myallowedclients] }{

 

Do nothing...irule will complete and request will be sent to the pool based on virtual server definition

 

 

} else {

 

 

discard }

 

 

}

 

}

 

 

 

I may have to use this requirement for multiple HTTP VS with the same client allow list, but different pools so it'd be great if I can use one rule for all.

 

 

Thanks in advance.

 

Victor

 

application delivery
dev
devops
iRules
  • VictorC's avatar
    VictorC
    Icon for Nimbostratus rankNimbostratus
    Jun 21, 2011
    Thanks guys, it works great now. Appreciate your time.

     

     

    Victor
  • VictorC's avatar
    VictorC
    Icon for Nimbostratus rankNimbostratus
    Jun 22, 2011
    I had to keep the "Set allowed_ip 0" because otherwise I get this error in the log

     

     

     

    Jun 22 07:25:26 tmm tmm[1085]: 01220001:3: TCL error: Rule restrict-rule - can't read "allowed_ip": no such variable while executing "if {$allowed_ip}{ Exit this event in this rule return }"

     

     

     

    All else is working great. Thanks again.

     

  • VictorC's avatar
    VictorC
    Icon for Nimbostratus rankNimbostratus
    Jun 22, 2011
    I had to keep the "Set allowed_ip 0" because otherwise I get this error in the log

     

     

     

    Jun 22 07:25:26 tmm tmm[1085]: 01220001:3: TCL error: Rule restrict-rule - can't read "allowed_ip": no such variable while executing "if {$allowed_ip}{ Exit this event in this rule return }"

     

     

     

    All else is working great. Thanks again.

     

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jun 22, 2011
    if you use info exists allowed_ip you can remove the set statement.
  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    Jun 22, 2011
    Yeah, it would end up looking like

     

     

     

    when HTTP_REQUEST {

     

    Skip the URI checking if the client IP is allowed

     

    if {[info exists allowed_ip]} {

     

    Exit this event in this rule

     

    return

     

    }

     

    ...

     

     

     

    This performs the same check but uses a function to do so (the info command) rather than just innately evaluating the variable which, if it doesn't exist, will throw an error like the one you're seeing.

     

     

    Colin