Forum Discussion

mister_paul_717's avatar
Icon for Nimbostratus rankNimbostratus
Feb 09, 2011

Interesting puzzle...

Well, at least I'm finding it interesting...



We have a test web site that we've exposed to the internet, so that we can test it in conjunction with an external vendor that provides an Akamai-like proxy. We currently only allow specific IP's to reach the site, but would like to open it up so we aren't restricting by IP. (Restricting by IP has all sorts of issues.) But, we don't want just anybody to be able to reach the site.



One obvious option is to configure the web server to throw up a login window. However, this would require a lot of work for the hundreds of automated tests that run against the site.



Is there anything I can do with our F5 (LTM + ASM) to address this? For instance, could I set it so that defined IP's didn't require a login, but unknown IP's did?



Your thoughts appreciated!



- P


2 Replies

  • Hi Paul,



    By default, ASM cannot do anything for access control based on client IP address/subnet. You could use an iRule to perform basic HTTP auth. Or you could use the Access Policy Module (APM) to do this.



    Here's an elegant example from George Watkins for doing basic auth in an iRule:





    You could modify this to apply the auth requirements for anyone not in a given set of IP addresses/subnets as defined in a address type datagroup.