Forum Discussion
iRule ACL for internet or internal access
Could you have a look at my iRule below. Something is not working and I have blinders on at this point. The goal is to block external access to everything except the /open/* directory and block internal access to everything except the /media/* and /open/* directories.
This is for bcvideo.brunswick.com (in order to test internally the host file needs to be modified to point to 172.23.4.101)
when HTTP_REQUEST {
    # Outside Allowed
    if {!([matchclass [IP::client_addr] equals private_net]) and ([class match [HTTP::path] starts_with bcvideo_acl]) } { return }
    # Inside Allowed
    if {([matchclass [IP::client_addr] equals private_net]) and ([class match [HTTP::path] starts_with bcvideo_inside_only_acl]) } { return }
    # Everything Else Denied
    HTTP::respond 200 content "PERMISSION2 DENIED TO URL PATH: [HTTP::uri] FROM: [IP::client_addr] "
}
Data string groups
bcvideo_acl - /open/*
bcvideo_inside_only_acl - /media /media/* /open/*
1 Reply
- jokragly
Nimbostratus
Wildcards (*) don’t work in data groups.
You’re already saying “Starts_With”
The * would be interpreted, quite literally, which is not the URL.
I removed the * and tested successfully.
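The behaviour described in the reply, as an added example that is not part of the original thread: a Python model (not an iRule) of the literal prefix test, run over constructed requests with the data groups as posted and with the `*` removed. The RFC 1918 contents of `private_net`, the client addresses, and the trailing-slash entries in `FIXED` are assumptions made for this illustration.

```python
import ipaddress

# Assumption: private_net holds the RFC 1918 ranges; check the data group on your BIG-IP.
PRIVATE_NET = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Data groups as posted in the question, and with the "*" removed.
# FIXED uses trailing-slash prefixes (an assumption of this example), so the
# bare path "/media" is no longer allowed, and neither is "/mediaprivate/...".
POSTED = {"bcvideo_acl": ["/open/*"],
          "bcvideo_inside_only_acl": ["/media", "/media/*", "/open/*"]}
FIXED = {"bcvideo_acl": ["/open/"],
         "bcvideo_inside_only_acl": ["/media/", "/open/"]}


def starts_with(path, entries):
    """Model of `class match <path> starts_with <group>`: literal prefix, no globbing."""
    return any(path.startswith(entry) for entry in entries)


def allowed(client_ip, path, groups):
    """Mirror the iRule's two allow rules; everything else is denied."""
    inside = any(ipaddress.ip_address(client_ip) in net for net in PRIVATE_NET)
    if not inside and starts_with(path, groups["bcvideo_acl"]):
        return True
    if inside and starts_with(path, groups["bcvideo_inside_only_acl"]):
        return True
    return False


# Constructed sample requests: (client address, request path)
SAMPLES = [
    ("203.0.113.7", "/open/video.mp4"),
    ("203.0.113.7", "/media/video.mp4"),
    ("172.23.4.50", "/open/video.mp4"),
    ("172.23.4.50", "/media/video.mp4"),
    ("172.23.4.50", "/mediaprivate/x"),
    ("172.23.4.50", "/admin"),
]


def report():
    """Return (ip, path, allowed_with_posted_groups, allowed_with_fixed_groups)."""
    return [(ip, p, allowed(ip, p, POSTED), allowed(ip, p, FIXED)) for ip, p in SAMPLES]


if __name__ == "__main__":
    for ip, path, posted, fixed in report():
        print(f"{ip:<12} {path:<18} posted={posted!s:<5} fixed={fixed}")
```

With the posted groups, only paths matched by the bare `/media` entry get through, and that entry also admits `/mediaprivate/x` for internal clients; ending each prefix with `/` closes that gap.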