Forum Discussion
VictorC
Nimbostratus
NimbostratusHTTP VS: Only allow specific client IP but open specific /uri for all.
Hi,
Currently I have an iRule on a HTTP VS that discards requests if the client IP is not in the allow class. Now I have to add an extra requirement to allow 'all' if a specific /uri is given. Here's my current iRule (thanks to previous posts found in the forum).
class myallowedclients {
host 111.22.33.1
host 111.22.33.2
}
rule restrict-rule {
when CLIENT_ACCEPTED {
if { [matchclass [IP::client_addr] equals $::myallowedclients] }{
Do nothing...irule will complete and request will be sent to the pool based on virtual server definition
} else {
discard }
}
}
I may have to use this requirement for multiple HTTP VS with the same client allow list, but different pools so it'd be great if I can use one rule for all.
Thanks in advance.
Victor
hooleylistCirrostratus
So you're testing by sending a 403 for blocked responses, you clear your cache, make a request to the / URI, see the logging for a blocked message but see the content for the root document displayed in the browser? That's really odd. I don't see how a request could be made to / and log the 403 response but still allow the request through to the pool.
Can you try adding logging of the SERVER_CONNECTED and HTTP_RESPONSE events:when CLIENT_ACCEPTED { if { [matchclass [IP::client_addr] equals $::myallowedclients] }{ set allowed 1 log local0. "[IP::client_addr]:[TCP::client_port]: Client is in allowed class" } else { Client is not in the allowed class set allowed 0 log local0. "[IP::client_addr]:[TCP::client_port]: Client is not in allowed class" } } when HTTP_REQUEST { Save the URI for logging in HTTP_RESPONSE set uri [HTTP::uri] Check if requested URI is whitelisted switch -glob [HTTP::uri] { "/allowed_starts_with/*" - "*/allowed_contains/*" - "/allowed_exact" { set allowed 1 log local0. "[IP::client_addr]:[TCP::client_port]: URI is allowed per whitelist [HTTP::uri]" } } if { $allowed == 0 }{ Disallowed request Reset connection reject Send HTTP reject message HTTP::respond 403 content {blocked!} log local0. "[IP::client_addr]:[TCP::client_port]: Blocking request to [HTTP::uri]" } } when SERVER_CONNECTED { log local0. "[IP::client_addr]:[TCP::client_port]: connected: [IP::server_addr]:[TCP::server_port]" } when HTTP_RESPONSE { log local0. "[IP::client_addr]:[TCP::client_port]: \$uri=$uri, status=[HTTP::status]" }
Aaron
VictorCHome page blocked
Jun 21 13:51:44 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54089: Client is not in allowed class
Jun 21 13:51:44 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54089: Blocking request to /
/myuri is allowed
Jun 21 13:51:50 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54089: URI is allowed per whitelist /myuri
Jun 21 13:51:50 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54089: connected: 10.228.152.90:10611
Jun 21 13:51:50 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54089: $uri=/myuri, status=302
Went back to home page and hit Refresh and it shows some content
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54089: $uri=/, status=200
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54089: $uri=/css/fmw.css, status=200
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54096: Client is not in allowed class
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54096: Blocking request to /css/fmw_top_frame_welcome_area.css
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54089: $uri=/JSLibrary/coneEventHandeler.js, status=200
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54098: Client is not in allowed class
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54099: Client is not in allowed class
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54099: Blocking request to /JSLibrary/educational_text.js
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54098: Blocking request to /JSLibrary/fmw_all.js
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54097: Client is not in allowed class
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54100: Client is not in allowed class
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54097: Blocking request to /css/fmw_bottom_area.css
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54100: Blocking request to /JSLibrary/DHTMLAPI.js
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54096: Blocking request to /JSLibrary/GeneratePopup.js
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54097: Blocking request to /welcome_images/oracle_logo_red.png
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54089: $uri=/JSLibrary/getIllustration.js, status=200
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54098: Blocking request to /JSLibrary/educational_text.js
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54099: Blocking request to /JSLibrary/DHTMLAPI.js
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54100: Blocking request to /JSLibrary/GeneratePopup.js
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54096: Blocking request to /welcome_images/oracle_logo_red.png
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54097: Blocking request to /welcome_images/header_back.png
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54098: Blocking request to /welcome_images/explore_interactive_overview.png
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54099: Blocking request to /welcome_images/FingerTab.png
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54089: $uri=/welcome_images/background_top.png, status=200- You're not setting $allowed back to 0 anywhere outside of the CLIENT_ACCEPTED event. If someone goes to an authorized URI and gets it set to allowed, everything else will be allowed from then on. You'll need to add a bit to your code by setting a default case in your switch statement that sets allowed to 0 unless the IP is allowed.
Colin - hooleylistI didn't think you'd need it in this scenario, but can you add a OneConnect profile to the virtual server and retest? If you're using SNAT on the serverside connections, you can use the default OneConnect profile with a 0.0.0.0 mask. Else with no SNAT create a custom OneConnect profile with a 255.255.255.255 source mask.
Aaron - Or frankly use a different variable name. uri_allowed vs ip_allowed. Make ip_allowed override uri_allowed, but if ip_allowed != 1 or doesn't exist, etc. then uri_allowed must == 1.
Colin - hooleylistDoh... thanks for catching that Colin. I was going a bit nuts.
How about this then:when CLIENT_ACCEPTED { if { [matchclass [IP::client_addr] equals $::myallowedclients] }{ set allowed_ip 1 log local0. "[IP::client_addr]:[TCP::client_port]: Client is in allowed class" } else { Client is not in the allowed class set allowed_ip 0 log local0. "[IP::client_addr]:[TCP::client_port]: Client is not in allowed class" } } when HTTP_REQUEST { Skip the URI checking if the client IP is allowed if {$allowed_ip}{ Exit this event in this rule return } Check if requested URI is whitelisted switch -glob [HTTP::uri] { "/allowed_starts_with/*" - "*/allowed_contains/*" - "/allowed_exact" { log local0. "[IP::client_addr]:[TCP::client_port]: URI is allowed per whitelist [HTTP::uri]" } default { Send HTTP reject message HTTP::respond 403 content {blocked!} log local0. "[IP::client_addr]:[TCP::client_port]: Blocking request to [HTTP::uri]" } } }
Aaron - Looks good to me. Though due to personal preference I'd use
if{!($allowed_ip)}
Rather than having an empty if case with a return in it, but the functionality is the same.
Colin - Oh, and you'll want to remove the
set allowed_ip 0
Because you're only checking for the existence of $allowed_ip later, not it's value, this might foul you up. Regardless, there's no need for it.
Colin - hooleylistActually, it still doesn't make sense that the iRule would log that it was blocking but allow the request through. I can see how $allowed would be 1 after making a request to an allowed URI and then a blocked one, but it shouldn't have logged the 'blocking request' message. Odd.
Aaron - Fair point, the
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54100: Blocking request to /JSLibrary/DHTMLAPI.js
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54096: Blocking request to /JSLibrary/GeneratePopup.js
Jun 21 13:52:12 tmm tmm[1085]: Rule restrict-rule2 : 10.10.10.5:54097: Blocking request to /welcome_images/oracle_logo_red.png
messages shouldn't be possible if $allowed == 1. Curious indeed.
Colin
