Forum Discussion

shipszky_319427's avatar
shipszky_319427
Icon for Nimbostratus rankNimbostratus
Jan 29, 2018

Ip filter iRule with multiple data groups

I currently have an iRule in place to do ip filtering in multiple places in a website. I had an oversight when this was first written and failed to put a rule in for the entire website. when H...
application delivery
iRules
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Jan 30, 2018

The code is too complicated.

 

I recommend to create only 2 Datagroups

 

  • /Education/DG_URI containing URI as key and the list of allowed roups as value
  • /Education/tableau_global containing IP addresses as key and the group membership as value

Then use following irule.

 

when HTTP_REQUEST {
 Search if the URI have an IP address restriction, store the allowed groups in a variable
    if { [set AllowedGroups [class match -value [string tolower [HTTP::uri]] equals /Education/DG_URI]] ne "" } then {
         Search if the IP address is known in a the IP addresses Datagroup and filter based on previous search
        if { [set IPGroups [class match -value [IP::client_addr] equals /Education/tableau_global]] ne "" && ($AllowedGroups contains $IPGroups)} then {
             Let the request pass...
        } else {
            HTTP::respond 403 content "Access Denied"
        }
    }
}