For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Shawn_Puckett_8's avatar
Shawn_Puckett_8
Icon for Nimbostratus rankNimbostratus
Jan 26, 2006

IP blocking and URI Redirect

We need two rules to be validated before a user is sent to a pool, first we need to make sure they are coming from an allowed IP, then we need to see if they want to go to a specific server via the UR...
application delivery
dev
devops
iRules
Joe_Pruitt's avatar
Joe_Pruitt
Jan 26, 2006
I would throw in some logging to find out where the rule is not behaving as you would expect.

For each logic path in your rule, throw in a log statement and look in the /var/log/ltm file for the output.

when HTTP_REQUEST {
  if { [matchclass [IP::client_addr] eq $::allowed_client_IP] } {
    log local0. "address [IP::client_addr] found in allowed_client_IP list"
    if { [HTTP::uri] contains "qatest01" } {
      log local0. "Found qatest01 in uri '[HTTP::uri]'"
      use pool QATest01-Port80
    } elseif { [HTTP::uri] contains "qatest02" } {
      log local0. "Found qatest02 in uri '[HTTP::uri]'"
      use pool QATest02-Port80
    } else { 
      log local0. "Didn't find a match in uri '[HTTP::uri]'"
      use pool QATest01-02-Port80 
    }
  } else { 
    log local0. "address [IP::client_addr] not found in allowed_client_IP list"
    reject 
  }
}

This should lead you to where the problem lies.

As for the HTTPS to HTTP, that shouldn't be a problem as long as you are terminating the SSL connection and not re-encrypting it to the backend (which I'm sure it is if your first rule works).

-Joe