For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

MoQasem's avatar
MoQasem
Icon for Nimbostratus rankNimbostratus
Jul 29, 2019

iRule block access to url list with data groups

trying to create iRule to block external users from accessing a list of URLs with specific paths (for administrators) ,, created two data groups: ALLOWED_IP_LIST contains internal users IP addres...
application delivery
iRules
Dario_Garrido's avatar
Dario_Garrido
Icon for Noctilucent rankNoctilucent
Jul 29, 2019

Hello.

You don't need to use static variables.

Try this ->

when CLIENT_ACCEPTED {
	if { not [class match [IP::client_addr] equals ALLOWED_IP_LIST] } {
		drop
	}
}
 
when HTTP_REQUEST {
	if { [class match [HTTP::uri] starts_with RESTRICTED_URL_LIST] } {
		drop
	}
}

KR.

Dario.

  • Dario_Garrido's avatar
    Dario_Garrido
    Icon for Noctilucent rankNoctilucent
    Jul 29, 2019

    BTW, I recommend you to check this out.

     

    REF - https://devcentral.f5.com/s/articles/the101-irules-101-variables

  • MoQasem's avatar
    MoQasem
    Icon for Nimbostratus rankNimbostratus
    Jul 31, 2019

    hi Dario,

     

    thanks for the help, i have a comment here if i use the posted irule it will block external users for all URLs, and it will block all users from accessing RESTRICTED_URL_LIST

     

    the requirement is:

     

    block external users from accessing RESTRICTED_URL_LIST and allow them to access anything else.

    internal users should have access to RESTRICTED_URL_LIST and to anything else.

     

    i believe if we can add and condition like below it will achieve the requirement

    if { not [class match [IP::client_addr] equals ALLOWED_IP_LIST] } and if { [class match [HTTP::uri] starts_with RESTRICTED_URL_LIST] } then drop