Forum Discussion
mister_paul_717
Nimbostratus
Feb 09, 2011
Interesting puzzle...
Well, at least I'm finding it interesting...
We have a test web site that we've exposed to the internet, so that we can test it in conjunction with an external vendor that provides an Akamai-like proxy. We currently only allow specific IPs to reach the site, but would like to open it up so we aren't restricting by IP. (Restricting by IP has all sorts of issues.) But, we don't want just anybody to be able to reach the site.
One obvious option is to configure the web server to throw up a login window. However, this would require a lot of work for the hundreds of automated tests that run against the site.
Is there anything I can do with our F5 (LTM + ASM) to address this? For instance, could I set it so that defined IPs didn't require a login, but unknown IPs did?
Your thoughts appreciated!
- P
2 Replies
- hoolio
Cirrostratus
Hi Paul,
By default, ASM cannot do anything for access control based on client IP address/subnet. You could use an iRule to perform basic HTTP auth. Or you could use the Access Policy Module (APM) to do this.
Here's an elegant example from George Watkins for doing basic auth in an iRule:
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086387/categoryId/16/HTTP-Basic-Access-Authentication-iRule-Style.aspx
You could modify this to apply the auth requirements for anyone not in a given set of IP addresses/subnets as defined in an address type datagroup.
Aaron
- mister_paul_717
Nimbostratus
This looks great. Thanks!
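
The modification suggested in the first reply, written out as an added example (it is not code from the thread or from the linked article): clients in an address type data group skip the login, everyone else must pass HTTP Basic auth. The data group names `trusted_test_clients` and `test_site_users` are hypothetical, and the credential format (username mapped to the hex SHA-256 of the password) is an assumption of this sketch.

```tcl
# Added example. Assumed data groups (hypothetical names):
#   trusted_test_clients - address type: IPs/subnets that skip the login
#   test_site_users      - string type: username := lowercase hex SHA-256 of password
# Attach to the HTTPS virtual server: Basic credentials are only base64-encoded,
# so they must not cross the internet in cleartext.
when HTTP_REQUEST {
    # IP::client_addr is the TCP peer. Requests relayed by the vendor's proxy
    # arrive from the proxy's own addresses, so list those only if everything
    # coming through the proxy should be allowed in without a login.
    if { [class match [IP::client_addr] equals trusted_test_clients] } {
        return
    }

    # Unknown source address: require valid HTTP Basic credentials.
    set user [HTTP::username]
    if { $user ne "" } {
        # Hash the supplied password and compare it with the stored hash.
        binary scan [sha256 [HTTP::password]] H* supplied
        set expected [class lookup $user test_site_users]
        if { $expected ne "" && $supplied eq $expected } {
            # Do not forward the gate credentials to the pool member.
            HTTP::header remove Authorization
            return
        }
        log local0.notice "Basic auth failed for user '$user' from [IP::client_addr]"
    }

    # No credentials, unknown user, or wrong password: ask the client to log in.
    HTTP::respond 401 WWW-Authenticate "Basic realm=\"Test site\""
}
```

The automated tests keep working unchanged as long as their source addresses are in `trusted_test_clients`; drop the `HTTP::header remove` line if the application behind the virtual server does its own Basic auth.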