iRule block access to url list with data groups

Question

trying to create iRule to block external users from accessing a list of URLs with specific paths (for administrators) ,, created two data groups:

ALLOWED_IP_LIST contains internal users IP addresses

RESTRICTED_URL_LIST contains list of restricted urls

tried to search around and came up with below code ,, need your help

when RULE_INIT {

set static::drop_notallowed 0

}

when CLIENT_ACCEPTED {

if {not [IP::addr [IP::client_addr] equals ALLOWED_IP_LIST]} {

set static::drop_notallowed 1

}

when HTTP_REQUEST {

if { [class match [HTTP::uri]] starts_with RESTRICTED_URL_LIST}{

if {$static::drop_notallowed==1}{

drop

}

dario_garrido · Answer

Hello.You don't need to use static variables.Try this -&gt;when CLIENT_ACCEPTED {
	if { not [class match [IP::client_addr] equals ALLOWED_IP_LIST] } {
		drop
	}
}
&nbsp;
when HTTP_REQUEST {
	if { [class match [HTTP::uri] starts_with RESTRICTED_URL_LIST] } {
		drop
	}
}KR.Dario.

dario_garrido · Answer

The you can use some code like this -&gt;when HTTP_REQUEST {
	if { not [class match [IP::client_addr] equals ALLOWED_IP_LIST] and [class match [HTTP::uri] starts_with RESTRICTED_URL_LIST] } {
		drop
	}
}You can implement this also using policies which are more efficient than irules. I share with you some doc:https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-local-traffic-policies-getting-started-13-0-0/1.html&nbsp;BTW, if my answer was helpful, please don't forget to mark my answer as "the best" of give me some upvote.&nbsp;KR,Dario.

dario_garrido · Answer

BTW, I recommend you to check this out.&nbsp;REF - https://devcentral.f5.com/s/articles/the101-irules-101-variables

moqasem · Answer

hi Dario,&nbsp;thanks for the help, i have a comment here if i use the posted irule it will block external users for all URLs, and it will block all users from accessing RESTRICTED_URL_LIST  &nbsp;the requirement is:&nbsp; block external users from accessing RESTRICTED_URL_LIST and allow them to access anything else. internal users should have access to RESTRICTED_URL_LIST and to anything else.&nbsp;i believe if we can add and condition like below it will achieve the requirement if { not [class match [IP::client_addr] equals ALLOWED_IP_LIST] } and if { [class match [HTTP::uri] starts_with RESTRICTED_URL_LIST] } then drop

moqasem · Answer

when HTTP_REQUEST {&nbsp;if { not [[class match [IP::client_addr] equals ALLOWED_IP_LIST]  and [class match [HTTP::uri] starts_with RESTRICTED_URL_LIST]]&nbsp;drop&nbsp;	}}&nbsp;

Forum Discussion

iRule block access to url list with data groups

Recent Discussions

XC Bot defense question

Big-IP not recognized by Big-IQ

UCS backup not loading Big IP DNS pool

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

v11: iRules Data Group Updates

Certified Kubernetes Administrator - Study Group

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Interrogate Pool Member Priority Group from iRule

Irule for restricting access

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS