Forum Discussion
tacobell_112236 (Nimbostratus)
Mar 04, 2011
IRule Disaster
I'm running F5 LTM ver 9... and when I add the iRule to the VS I get "internet cannot display page", but once I remove the iRule I get the website.
I need to allow only my datagroup access to the URL. If you are not in the group, you are supposed to get redirected, but so far, in my logs all I get is the IP address of the internal connection, not anything else.
    when HTTP_REQUEST {
        log local0. "client IP is [IP::client_addr]"
        if { ![matchclass [IP::client_addr] equals address_datagroup] } {
            if { [[string tolower [HTTP::host]] equals "thewebsite.com"] and [matchclass [string tolower [HTTP::uri]] starts_with $::xxxxxxxxxxcom_uri_datagroup] } {
                HTTP::redirect "http://xxx.xxx.xxx.com"
            }
        }
    }
- What, if anything, is showing up in the log files (/var/log/ltm) on the BIG-IP? The one thing that stands out is that you likely don't want the "string tolower" surrounded with two brackets. I'd try something like this:
    when HTTP_REQUEST {
        log local0. "client IP is [IP::client_addr]"
        if { ![matchclass [IP::client_addr] equals address_datagroup] } {
            if { ([string tolower [HTTP::host]] equals "thewebsite.com") and [matchclass [string tolower [HTTP::uri]] starts_with $::xxxxxxxxxxcom_uri_datagroup] } {
                HTTP::redirect "http://xxx.xxx.xxx.com"
            }
        }
    }
- tacobell_112236 (Nimbostratus): After your advice, I changed the code with the same results... my internal users connect with no issues, however external connections get "Internet Explorer cannot display the page".
- tacobell_112236 (Nimbostratus): OK, I'm replying to myself b/c I am getting some progress (thanks to Chris Miller on this forum)... I added log entries to the beginning and now I can see the client's URI & host in the LTM logs and I am not blocking external addresses.
- tacobell_112236 (Nimbostratus): OK, I see the problem... seems like I am blocking all my internal users and allowing the external customers; it should be the opposite... can someone review and let me know how I can set this up correctly, basically:
- Chris_Miller (Altostratus): Since you're using "!" in your initial if statement, I assume you're trying to redirect users who do not match your address_datagroup. Is that correct?
- tacobell_112236 (Nimbostratus): Yes Chris, that is correct - the goal is to redirect those that don't match my address_datagroup.
- Chris_Miller (Altostratus): Are you still seeing errors in your LTM logs?
- tacobell_112236 (Nimbostratus): Chris, I have it working and I emailed you on a follow-up. It now blocks all those not part of the address_datagroup (which is great), however I can't get logging to work correctly. I need to see who requested access for audit purposes.
- tacobell_112236 (Nimbostratus): Can someone assist - my iRule is not working correctly.
- Joel_Moses (Nimbostratus): Is this what you are looking for?
    when HTTP_REQUEST {
        log local0. "client IP is [IP::client_addr]"
        # Clients outside address_datagroup are checked against the per-host URI data groups
        if { not [matchclass [IP::client_addr] eq address_datagroup] } {
            log local0. "[IP::client_addr] is accepted but not in the address_datagroup"
            # Pick the URI data group by lower-cased Host header
            switch [string tolower [HTTP::host]] {
                "xxx1.xxx.com" {
                    if { [matchclass [string tolower [HTTP::uri]] starts_with xxx1_xxx_com_uri_datagroup] } {
                        log local0. "client [IP::client_addr] requested [HTTP::host][HTTP::uri] and is not part of address_datagroup"
                        HTTP::redirect "http://xxx.xxx.com/"
                    }
                }
                "xxx2.xxx.com" {
                    if { [matchclass [string tolower [HTTP::uri]] starts_with xxx2_xxx_com_uri_datagroup] } {
                        log local0. "client [IP::client_addr] requested [HTTP::host][HTTP::uri] and is not part of address_datagroup"
                        HTTP::redirect "http://xxx.xxx.com/"
                    }
                }
                "xxx3.xxx.com" {
                    if { [matchclass [string tolower [HTTP::uri]] starts_with xxx3_xxx_com_uri_datagroup] } {
                        log local0. "client [IP::client_addr] requested [HTTP::host][HTTP::uri] and is not part of address_datagroup"
                        HTTP::redirect "http://xxx.xxx.com/"
                    }
                }
                "xxx4.xxx.com" {
                    if { [matchclass [string tolower [HTTP::uri]] starts_with xxx2_xxx_com_uri_datagroup] } {
                        log local0. "client [IP::client_addr] requested [HTTP::host][HTTP::uri] and is not part of address_datagroup"
                        HTTP::redirect "http://xxx.xxx.com/"
                    }
                }
            }
        } else {
            log local0. "[IP::client_addr] is accepted and is in the address_datagroup"
        }
    }
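The access decision discussed in this thread, modelled offline as an added example (not code from any poster or from F5): a Python test matrix that checks each branch of the rule and catches the inverted-membership mistake reported mid-thread. The networks, URI prefixes, audit wording for the last branch and all function names are constructed assumptions; the host names and redirect URL reuse the thread's placeholders.

```python
import ipaddress

# Constructed stand-ins for the data groups named in the thread (assumptions).
ADDRESS_DATAGROUP = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
URI_DATAGROUPS = {"xxx1.xxx.com": ("/admin", "/reports"), "xxx2.xxx.com": ("/private",)}
REDIRECT_TO = "http://xxx.xxx.com/"

def is_member(client_ip):
    """Model of: matchclass [IP::client_addr] equals address_datagroup."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ADDRESS_DATAGROUP)

def is_protected(host, uri):
    """Lower-case host and URI, then prefix-match, as the rule does with string tolower."""
    return uri.lower().startswith(URI_DATAGROUPS.get(host.lower(), ()))

def decide(client_ip, host, uri):
    """Return (action, audit_line) for one request, one branch per rule branch."""
    who = f"client {client_ip} requested {host}{uri}"
    if is_member(client_ip):
        return "allow", f"{who} and is in the address_datagroup"
    if is_protected(host, uri):
        return f"redirect {REDIRECT_TO}", f"{who} and is not part of address_datagroup"
    return "allow", f"{who}, not in address_datagroup, URI not protected"

def inverted_decide(client_ip, host, uri):
    """The mistake described mid-thread: membership test without the negation."""
    if is_member(client_ip) and is_protected(host, uri):
        return f"redirect {REDIRECT_TO}", "member redirected"
    return "allow", "request passed through"

# Constructed test matrix: client, host, uri, expected action prefix.
CASES = [
    ("10.1.2.3", "xxx1.xxx.com", "/admin/users", "allow"),        # internal user
    ("203.0.113.9", "XXX1.xxx.com", "/Admin/users", "redirect"),  # external, mixed case
    ("203.0.113.9", "xxx1.xxx.com", "/index.html", "allow"),      # external, public URI
    ("203.0.113.9", "xxx2.xxx.com", "/private/a", "redirect"),    # external, second host
]

def failures(rule):
    """Requests for which a rule's action differs from the expected one."""
    return [(ip, host, uri) for ip, host, uri, want in CASES
            if not rule(ip, host, uri)[0].startswith(want)]

if __name__ == "__main__":
    for ip, host, uri, _ in CASES:
        print(*decide(ip, host, uri), sep=" | ")
    print("inverted rule fails on:", failures(inverted_decide))
```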