Forum Discussion
tacobell_112236
Nimbostratus
Mar 04, 2011
iRule Disaster
I'm running F5 LTM ver 9.... and when I add the iRule to the VS I get "Internet cannot display page", but once I remove the iRule I get the website....
I need to allow only my datagroup access to the URL; if you are not in the group you are supposed to get redirected, but so far all I get in my logs is the IP address of the internal connection, not anything else.
when HTTP_REQUEST {
    log local0. "client IP is [IP::client_addr]"
    if { ![matchclass [IP::client_addr] equals address_datagroup] } {
        if { [[string tolower [HTTP::host]] equals "thewebsite.com"] and [matchclass [string tolower [HTTP::uri]] starts_with $::xxxxxxxxxxcom_uri_datagroup] } {
            HTTP::redirect "http://xxx.xxx.xxx.com"
        }
    }
}
11 Replies
- What, if anything, is showing up in the log files (/var/log/ltm) on the BIG-IP? The one thing that stands out is that you likely don't want the "string tolower" surrounded with two brackets. I'd try something like this:
when HTTP_REQUEST {
    log local0. "client IP is [IP::client_addr]"
    if { ![matchclass [IP::client_addr] equals address_datagroup] } {
        if { ([string tolower [HTTP::host]] equals "thewebsite.com") and [matchclass [string tolower [HTTP::uri]] starts_with $::xxxxxxxxxxcom_uri_datagroup] } {
            HTTP::redirect "http://xxx.xxx.xxx.com"
        }
    }
}
If it continues to error out, check the /var/log/ltm file for the associated errors.
-Joe
- tacobell_112236
Nimbostratus
After your advice I changed the code, with the same results... my internal users connect with no issues; however, external connections get "Internet Explorer cannot display the page".
I do get entries in the logs now though.
Mar 5 10:14:04 CST 2011 tmm tmm[23706] 01220001 TCL error: WebRedirect HTTP_REQUEST - cant read ::xxx: no such variable while executing matchclass [string tolower [HTTP::uri]] starts_with $::xxx-xx.xxxx.com_uri_datagroup
- tacobell_112236
Nimbostratus
OK, I'm replying to myself because I am making some progress (thanks to Chris Miller on this forum)... I added log entries at the beginning and now I can see the clients' URI & host in the LTM logs, and I am not blocking external addresses.
Even though it's progress, I can't seem to get the redirects working correctly; the iRule sees the website and IP address and the corresponding group but doesn't seem to redirect based on those results.....
when HTTP_REQUEST {
    log local0. "client IP is [IP::client_addr]"
    if { ![matchclass [IP::client_addr] eq address_datagroup] } {
        log local0. "client host is [HTTP::host]"
        log local0. "client uri is [HTTP::uri]"
        if { [string tolower [HTTP::host]] equals "xxx.xxx.com" and [matchclass [string tolower [HTTP::uri]] starts_with xxx.xxx.xxx_uri_datagroup] } {
            HTTP::redirect "http://xxx.xxx.com"
        } elseif { [string tolower [HTTP::host]] equals "xxx.xxx.com" and [matchclass [string tolower [HTTP::uri]] starts_with www_xxxxxxxxx_com_uri_datagroup] } {
            HTTP::redirect "http://www.xxxxxxxxx.com"
        } elseif { [string tolower [HTTP::host]] equals "xxx.xxx.xxx.x.com" and [matchclass [string tolower [HTTP::uri]] starts_with www_xxxxxxxxxx_com_uri_datagroup] } {
            HTTP::redirect "http://www.xxxxxxx.com"
        }
    } elseif { [string tolower [HTTP::host]] equals "xxxxxxxx.com" and [matchclass [string tolower [HTTP::uri]] starts_with xxxxxxxxxxx_com_uri_datagroup] } {
        HTTP::redirect "http://xxxxxxxxxx.com"
    }
}
- tacobell_112236
Nimbostratus
OK, I see the problem.... it seems like I am blocking all my internal users and allowing the external customers; it should be the opposite..... Can someone review and let me know how I can set this up correctly? Basically:
if part of address_datagroup, allow; all others, redirect.
- Chris_Miller
Altostratus
Since you're using "!" in your initial if statement, I assume you're trying to redirect users who do not match your address_datagroup. Is that correct?
- tacobell_112236
Nimbostratus
Yes Chris, that is correct; the goal is to redirect those that don't match my address_datagroup.
- Chris_Miller
Altostratus
Are you still seeing errors in your LTM logs?
- tacobell_112236
Nimbostratus
Chris, I have it working and I emailed you a follow-up. It now blocks all those not part of the address_datagroup (which is great); however, I can't get logging to work correctly. I need to see who requested access for audit purposes.
- tacobell_112236
Nimbostratus
Can someone assist? My iRule is not working correctly.
Basically:
if you are part of the address_datagroup & you are accessing a URI in the uri_datagroup = allow access
if you are not part of the address_datagroup & you are accessing a URI in the uri_datagroup = redirect
when HTTP_REQUEST {
    log local0. "client IP is [IP::client_addr]"
    if { [matchclass [IP::client_addr] eq address_datagroup] } {
        if { [string tolower [HTTP::host]] equals "XX.XXX.com" and [matchclass [string tolower [HTTP::uri]] starts_with XX_XXX_com_uri_datagroup] } {
            HTTP::redirect "http://XX.XXX.com"
            log local0. "client: [IP::client_addr] requested [HTTP::host][HTTP::uri] and is not part of address_datagroup so they are redirected to "
        } elseif { [string tolower [HTTP::host]] equals "XX.XXX.com" and [matchclass [string tolower [HTTP::uri]] starts_with www_newark_com_uri_datagroup] } {
            HTTP::redirect "http://XX.XXX.com"
            log local0. "client: [IP::client_addr] requested [HTTP::host][HTTP::uri] and is not part of address_datagroup so they are redirected to http://xx.xxx.com"
        } elseif { [string tolower [HTTP::host]] equals "xx.xxxx.com" and [matchclass [string tolower [HTTP::uri]] starts_with www_xxx_com_uri_datagroup] } {
            HTTP::redirect "http://xx.xxx.com"
        }
        log local0. "client: [IP::client_addr] requested [HTTP::host][HTTP::uri] and is not part of address_datagroup so they are redirected to http://xx.xxx.com"
    } elseif { [string tolower [HTTP::host]] equals "xx.xxxcom" and [matchclass [string tolower [HTTP::uri]] starts_with www_xxxxxcom_uri_datagroup] } {
        HTTP::redirect "http://xx.xxxx.com"
        log local0. "client: [IP::client_addr] requested [HTTP::host][HTTP::uri] and is not part of address_datagroup so they are redirected to http://xx.xxxx.com"
    }
}
- Joel_Moses
Nimbostratus
Is this what you are looking for?
when HTTP_REQUEST {
    log local0. "client IP is [IP::client_addr]"
    if { not [matchclass [IP::client_addr] eq address_datagroup] } {
        log local0. "[IP::client_addr] is accepted but not in the address_datagroup"
        switch [string tolower [HTTP::host]] {
            "xxx1.xxx.com" {
                if { [matchclass [string tolower [HTTP::uri]] starts_with xxx1_xxx_com_uri_datagroup] } {
                    log local0. "client [IP::client_addr] requested [HTTP::host][HTTP::uri] and is not part of address_datagroup"
                    HTTP::redirect "http://xxx.xxx.com/"
                }
            }
            "xxx2.xxx.com" {
                if { [matchclass [string tolower [HTTP::uri]] starts_with xxx2_xxx_com_uri_datagroup] } {
                    log local0. "client [IP::client_addr] requested [HTTP::host][HTTP::uri] and is not part of address_datagroup"
                    HTTP::redirect "http://xxx.xxx.com/"
                }
            }
            "xxx3.xxx.com" {
                if { [matchclass [string tolower [HTTP::uri]] starts_with xxx3_xxx_com_uri_datagroup] } {
                    log local0. "client [IP::client_addr] requested [HTTP::host][HTTP::uri] and is not part of address_datagroup"
                    HTTP::redirect "http://xxx.xxx.com/"
                }
            }
            "xxx4.xxx.com" {
                if { [matchclass [string tolower [HTTP::uri]] starts_with xxx4_xxx_com_uri_datagroup] } {
                    log local0. "client [IP::client_addr] requested [HTTP::host][HTTP::uri] and is not part of address_datagroup"
                    HTTP::redirect "http://xxx.xxx.com/"
                }
            }
        }
    } else {
        log local0. "[IP::client_addr] is accepted and is in the address_datagroup"
    }
}
This should accept all comers to the site, but if they're not in the address_datagroup, then for each host, if they match a URI in that host's datagroup, it'll redirect them somewhere. Otherwise, it'll allow them through unimpeded.
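The same allow-or-redirect decision written so that every request produces exactly one audit line (the logging gap raised earlier in the thread), as an added example that is not code from the thread or from F5. It assumes the data group names used in the thread as placeholders (address_datagroup, xxx1_xxx_com_uri_datagroup, xxx2_xxx_com_uri_datagroup), a placeholder redirect target http://www.example.com/, and the bare class-name form of matchclass that the later posts use; on 9.x builds that need the $::name form, the name must consist only of letters, digits and underscores, because Tcl stops reading a variable name at "-" or ".", which is what produced the "no such variable" error quoted above.

```tcl
# Added example, not from the thread. Placeholders: address_datagroup (address
# class of permitted client networks), xxx1_xxx_com_uri_datagroup and
# xxx2_xxx_com_uri_datagroup (string classes of restricted URI prefixes per host),
# http://www.example.com/ (redirect target).
when HTTP_REQUEST {
    set client [IP::client_addr]
    set host   [string tolower [HTTP::host]]
    set uri    [string tolower [HTTP::uri]]

    # Clients in the address data group are allowed through; still log them,
    # since the audit trail needs the permitted requests as well as the denied ones.
    if { [matchclass $client equals address_datagroup] } {
        log local0. "ALLOW $client in address_datagroup requested $host$uri"
        return
    }

    # Everyone else: a request is restricted only when its URI starts with one
    # of the prefixes listed for that host. matchclass returns non-zero on a match.
    switch $host {
        "xxx1.xxx.com" {
            set restricted [matchclass $uri starts_with xxx1_xxx_com_uri_datagroup]
        }
        "xxx2.xxx.com" {
            set restricted [matchclass $uri starts_with xxx2_xxx_com_uri_datagroup]
        }
        default {
            # Hosts with no URI data group are not restricted by this rule.
            set restricted 0
        }
    }

    if { $restricted } {
        # Log before issuing the redirect so the audit line is written regardless
        # of what the rest of the event does after HTTP::redirect.
        log local0. "REDIRECT $client not in address_datagroup requested $host$uri -> http://www.example.com/"
        HTTP::redirect "http://www.example.com/"
        return
    }
    log local0. "PASS $client not in address_datagroup requested $host$uri (URI not restricted)"
}
```

Each of the three outcomes (ALLOW, REDIRECT, PASS) logs the client address, the host and the URI with a fixed keyword at the start of the line, so the entries in /var/log/ltm can be filtered with a plain text search when reviewing who requested the restricted URIs.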