Forum Discussion
Shawn_Puckett_8
Nimbostratus
Jan 26, 2006
IP blocking and URI Redirect
We need two rules to be validated before a user is sent to a pool, first we need to make sure they are coming from an allowed IP, then we need to see if they want to go to a specific server via the URI.
So the IP check is easy to do with something like this:
when CLIENT_ACCEPTED {
    # Only the two listed source addresses reach the pool; everything else is rejected
    if { [IP::addr [IP::remote_addr] equals 205.229.151.206/255.255.255.255] ||
         [IP::addr [IP::remote_addr] equals 65.61.115.222/255.255.255.255] } {
        pool QATest01-02-Port80
    } else {
        reject
    }
}
And the URI redirect to different pools is also easy to do with something like:
when HTTP_REQUEST {
    # elseif keeps the branches exclusive, so a qatest01 request is not
    # overwritten by the final else
    if { [HTTP::uri] contains "qatest01" } {
        pool QATest01-Port80
    } elseif { [HTTP::uri] contains "qatest02" } {
        pool QATest02-Port80
    } else {
        pool QATest01-02-Port80
    }
}
But I'm not sure how to combine them.
I do have one additional question: there are about 20 IPs that are allowed in, so I want to know if there is a better way to do that than what I have, or is the approach I have the best?
Thanks,
Shawn
13 Replies
- JRahm
Admin
Try this. Note that your allowed client IP addresses should replace the X.X.X.X in the class. I'd clean the real IP addresses out of your posting if they are valid.

class allowed_client_IP {
    X.X.X.X
    X.X.X.X
}

when HTTP_REQUEST {
    if { [matchclass [IP::client_addr] eq $::allowed_client_IP] } {
        if { [HTTP::uri] contains "qatest01" } {
            use pool QATest01-Port80
        } elseif { [HTTP::uri] contains "qatest02" } {
            use pool QATest02-Port80
        } else {
            use pool QATest01-02-Port80
        }
    } else {
        reject
    }
}

- Shawn_Puckett_8
Nimbostratus
First off, THANKS for the Help!!
But I get this error when I try to save the rule:
line 1: [undefined procedure: class] [class allowed_client_IP
{
205.229.151.206
65.61.115.222
}]
BTW the IPs are for devcentral.f5.com and www.f5.com, I used them because I didn't want to use non-routable IPs like 10.0.0.1 in the post because I didn't want people to think I was talking about local IPs and not inbound Public IPs.
Thanks,
Shawn
- The "class" portion is not part of the iRule. Under the iRule section of the GUI, you need to create a data group named "allowed_client_IP" with all your addresses in it. The class portion of the code snippet is how the data is stored in the BIG-IP's configuration.
-Joe
- I wouldn't call that a stupid question. Actually it's quite common.
-Joe
- Shawn_Puckett_8
Nimbostratus
OK, well I've setup the class but when I try to save the rule I get this error:
line 3: [missing a script after "if"] [ ]
line 4: [undefined procedure:
if { [HTTP::uri] contains "qatest01" }
{use pool QATest01-Port80}
elseif { [HTTP::uri] contains "qatest02" }
{use pool QATest02-Port80}
else
{use pool QATest01-02-Port80}
] [{
if { [HTTP::uri] contains "qatest01" }
{use pool QATest01-Port80}
elseif { [HTTP::uri] contains "qatest02" }
{use pool QATest02-Port80}
else
{use pool QATest01-02-Port80}
} ]
line 12: [undefined procedure: else] [else { reject }]
Shawn
- JRahm
Admin
It's very particular about spacing; place the rule in as I entered it above.
- Shawn_Puckett_8
Nimbostratus
OK the spacing was the issue so I'm one step closer:
I have used my IP but I can't get in. If I remove the iRule I get in.
If I use my iRule from the top of the list with the
if {[IP::addr [IP::remote_addr] equals x.x.x.x/255.255.255.255]}
it allows me in.
Any suggestions?
BTW I'm sure you are going to kill me for this, but I forgot to mention the inbound traffic is HTTPS to Port80 pools, so I'm not sure if that would affect the HTTP_REQUEST because it's HTTPS. Really sorry to burn so much of you guys' time.
Shawn
- I would throw in some logging to find out where the rule is not behaving as you would expect.
For each logic path in your rule, throw in a log statement and look in the /var/log/ltm file for the output.

when HTTP_REQUEST {
    if { [matchclass [IP::client_addr] eq $::allowed_client_IP] } {
        log local0. "address [IP::client_addr] found in allowed_client_IP list"
        if { [HTTP::uri] contains "qatest01" } {
            log local0. "Found qatest01 in uri '[HTTP::uri]'"
            use pool QATest01-Port80
        } elseif { [HTTP::uri] contains "qatest02" } {
            log local0. "Found qatest02 in uri '[HTTP::uri]'"
            use pool QATest02-Port80
        } else {
            log local0. "Didn't find a match in uri '[HTTP::uri]'"
            use pool QATest01-02-Port80
        }
    } else {
        log local0. "address [IP::client_addr] not found in allowed_client_IP list"
        reject
    }
}
This should lead you to where the problem lies.
As for the HTTPS to HTTP, that shouldn't be a problem as long as you are terminating the SSL connection and not re-encrypting it to the backend (which I'm sure it is if your first rule works).
-Joe
- Shawn_Puckett_8
Nimbostratus
It WORKS!
I made a mistake and changed the Data Group List name to have a dash in it. When I looked at the log I saw that the rule stopped parsing at the dash. The reason I did this is because I'm in the habit of using dashes in my pool names and didn't even think about it. It stands to reason, as iRules is a scripting/programming language and, as with most programming and scripting languages, the dash is an operator. But I did learn several things today!
One last question, is the reference guide "Configuration Guide for Local Traffic Management.pdf" the best source of information on iRules that is out there?
THANKS Guys!
Shawn
- JRahm
Admin
The guide gives most of the available commands (there are some unpublished ones), but this site would be the best place to learn how to weave the various commands together. If you have a BigIP lab unit and a linux box, I'd suggest creating several virtual servers on your linux box and start building rules to solve common problems. You could always use rules directly from this site and modify them for your lab environment, then tweak them slightly and include as much logging as possible throughout the rule so you can see how the events are firing and how the decisions are being made.
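The decision the thread converges on (source allowlist from a data group first, URI routing second, one log line per path, reject by default) is modelled below in Python so it can be run and checked offline. This is an added example by the editor, not code from the thread, from F5, or from any BIG-IP; the `ALLOWED_CLIENT_IP` entries and `SAMPLE_REQUESTS` are constructed from documentation address ranges, and `matchclass`, `route`, `pick_pool_chained` and `pick_pool_unchained` are hypothetical names that stand in for the iRule commands. It also covers the "about 20 IPs" question: entries may be CIDR prefixes as well as single hosts, so addresses that share a subnet collapse into one entry, and it shows why a chain written as `if / if / else` instead of `if / elseif / else` silently sends a qatest01 request to the default pool.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed stand-in for the BIG-IP data group "allowed_client_IP".
# Entries can be single hosts or whole prefixes, so twenty individual
# addresses that share subnets collapse to a handful of entries.
ALLOWED_CLIENT_IP = [
    "198.51.100.0/24",   # constructed: an office block (documentation range)
    "203.0.113.7",       # constructed: a single host, no mask given
    "203.0.113.8/32",    # constructed: a single host written with a mask
]


def build_class(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse the data-group entries once; a bare address becomes a /32."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def matchclass(client_addr: str, network_class: List[ipaddress.IPv4Network]) -> bool:
    """Hypothetical model of the iRule matchclass test against an address
    class: true when the client address lies inside any entry."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in network_class)


def pick_pool_chained(uri: str) -> str:
    """The if/elseif/else chain used in the answers: branches are exclusive."""
    if "qatest01" in uri:
        return "QATest01-Port80"
    elif "qatest02" in uri:
        return "QATest02-Port80"
    else:
        return "QATest01-02-Port80"


def pick_pool_unchained(uri: str) -> str:
    """The common mistake: two separate ifs. The second `if` and its `else`
    run no matter what the first chose, so a qatest01 URI is overwritten
    with the default pool."""
    pool = ""
    if "qatest01" in uri:
        pool = "QATest01-Port80"
    if "qatest02" in uri:
        pool = "QATest02-Port80"
    else:
        pool = "QATest01-02-Port80"
    return pool


def route(client_addr: str, uri: str,
          network_class: List[ipaddress.IPv4Network],
          log: List[str]) -> Tuple[str, str]:
    """Combined decision: allowlist first, URI routing second. Returns
    (action, pool) and appends one log line per path, like the logging
    version of the rule. Anything not in the class is rejected (fail closed)."""
    if not matchclass(client_addr, network_class):
        log.append(f"address {client_addr} not found in allowed_client_IP list")
        return ("reject", "")
    log.append(f"address {client_addr} found in allowed_client_IP list")
    pool = pick_pool_chained(uri)
    log.append(f"uri '{uri}' routed to pool {pool}")
    return ("pool", pool)


# Constructed sample requests: (client address, request URI).
SAMPLE_REQUESTS = [
    ("198.51.100.42", "/qatest01/login"),   # inside the /24, specific server
    ("203.0.113.7", "/qatest02/"),          # listed host, the other server
    ("203.0.113.8", "/index.html"),         # listed host, default pool
    ("192.0.2.9", "/qatest01/login"),       # not listed: rejected before URI check
]


def run_samples() -> List[Tuple[str, str, str, str]]:
    """Route every sample request; returns (addr, uri, action, pool) rows
    and prints the log lines the rule would have written."""
    network_class = build_class(ALLOWED_CLIENT_IP)
    log: List[str] = []
    rows = []
    for addr, uri in SAMPLE_REQUESTS:
        action, pool = route(addr, uri, network_class, log)
        rows.append((addr, uri, action, pool))
    for line in log:
        print(line)
    return rows


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

The ordering matters for the logging as well: because the allowlist check runs first, a rejected source never reaches the URI branch, so its only trace is the "not found" line, which is exactly where to look when a legitimate address appears to be blocked. On the BIG-IP itself the prefixes live as network entries in the data group rather than in a Python list.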
