Forum Discussion

ryank5589
May 21, 2020

iRule expressions for not-equals in datagroup

Hey all,

 

I am looking to create an iRule to match a URI and datagroup list (IP address in datagroup) to send to the pool, then if it matches the same URI and it doesn't match the IP address in the data group, to redirect to an external page. Is there any way to do this? I was trying to do this using a "not" expression, but that doesn't look to be a valid solution.

 

Something like this ...

 

when HTTP_REQUEST { 
    if { ([HTTP::uri] equals"/logon/java") && ([class match [IP::client_addr] equals JAVA_Networks]) } {
        pool pool_java_uri_443
    } else { 
        if { [HTTP::uri] equals"/logon/java" } && ([class match [IP::client_addr] not JAVA_Networks]) } { 
            HTTP::redirect https://externalpage.com/notjava
        }
    }

 

Any input would really be appreciated.

 

Thanks.

  • Hi,

    Put "not" before checking the class match. Same as "if not true"

    not [class match [IP::client_addr] equals JAVA_Networks]

    But in this case, it is better to check "when it is true" to send to a pool otherwise do redirect.

    when HTTP_REQUEST {
        # Only check when URI is exactly /logon/java
        if { [HTTP::uri] equals "/logon/java" } {
            # If IP address is in group, it is True
            if { [class match [IP::client_addr] equals JAVA_Networks] } {
                pool pool_java_uri_443
            # Else, that's not True as IP is absent
            } else { 
                HTTP::redirect https://externalpage.com/notjava
            }
        }
    }

    Regards

  • Thanks for the response! With the iRule that you provided, it looks to me that if the URI and datagroup list are present, it will allow the traffic to go to the pool. Then if the IP address is NOT present, it will redirect all traffic to the external page. The issue I foresee happening is that it will break all other traffic to this pool. There are many other URIs that should work, but I believe would now get redirected based on this. Example:

    Currently this application has two logon pages, one for Java and one for non-Java. The URIs have different paths (Java = /uri/java/logon vs. Non-Java = /uri/app/logon), so it was easy for me to create an iRule to only allow a match on that Java URI and data group list, and if not, send to non-Java. We discovered later on that we had users with bookmarks within this application that can get around the actual logon page. So when you log on to the actual application, the URI changes to uri/random/landingpage.do for the Java page and then uri/random/landingpage.do?ESS=true. Since the Java and non-Java are so close in name, I have to figure out a way to say: if you are coming from this datagroup IP list and the URI equals uri/random/landingpage.do, allow the traffic, but if you are coming from an IP address outside of the datagroup list and the URI equals uri/random/landingpage.do, send to the external page.

     

     

    • cjunior

      Hi,

      The question was how to use "not" in that iRule, and that is what I tried to show.

      The conditional "[HTTP::uri] equals /logon/java" will affect only this exact path, so other paths, or the same path with a query string, will not be affected.

      e.g.

      /logon/java = Yes, affected
      /logon/Java = not affected
      /logon/java?param=value = not affected
      /path1/logon/java = not affected
      /logon/java/path3 = not affected
      /whatever = not affected

       

      In that rule, anything other than "/logon/java" (exact chars and case) will not be affected or broken, as we are using the "equals" operator on HTTP::uri (path + querystring).

      I think I didn't quite understand the goal you explained in your last reply.

      What is your goal, since you mentioned that you wrote a rule?

      Are you facing an issue reading a random path to permit only Java client IPs?

       

      Best regards
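
The variants listed above show that an `equals` test on `HTTP::uri` covers one exact string only. If the data group check is meant to restrict who reaches the Java logon page, a rule can compare the lowercased `HTTP::path` instead, so that case and query-string variants get the same check. This is an added example, not code from either poster; it assumes the backend serves the same page for those variants, and the log line is an addition.

```tcl
# Added example (not from the thread).
# Assumption: the application answers /logon/Java and /logon/java?x=y
# with the same page as /logon/java, so all of them need the IP check.
when HTTP_REQUEST {
    # HTTP::path is the URI without the query string; lowercase it so
    # case variants compare equal to the protected path.
    set path [string tolower [HTTP::path]]

    if { $path equals "/logon/java" } {
        if { [class match [IP::client_addr] equals JAVA_Networks] } {
            # Client address is in the data group: send to the Java pool.
            pool pool_java_uri_443
        } else {
            # Client address is not in the data group: record the
            # decision for later review, then redirect.
            log local0.info "java logon redirect: client=[IP::client_addr] uri=[HTTP::uri]"
            HTTP::redirect "https://externalpage.com/notjava"
        }
    }
    # Every other path is left untouched and continues with the
    # virtual server's normal handling.
}
```

The class match still runs at most once per request, as in the nested version earlier in the thread.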

  • cjunior, sorry if I didn't explain it well. Based on your input I was able to create a policy to NOT match the IPs in the class match, which seems to have solved my current issue.

     

    when HTTP_REQUEST {
        if { ([HTTP::uri] equals "/logon/java") && ([class match [IP::client_addr] equals JAVA_Networks]) } {
            pool pool_java_uri_443
        } else {
            if { ([HTTP::uri] equals "/logon/java") && (not [class match [IP::client_addr] equals JAVA_Networks]) } {
                HTTP::redirect https://externalpage.com/notjava
            }
        }
    }

     

    • cjunior

      OK buddy.

       

      This rule you wrote has exactly the same condition check that I sent you before, but your version is heavier to process when the client address is not in the JAVA_Networks data group.

      See, you are running "class match" again in the case where the URI matches that path and the IP isn't in the group on the first check.

      I'm not supposed to tell you which version is better or correct for you.

      It is just so you understand that my code is optimized and has the same final behavior with better performance, right?

       

      Describing those lines:

      Your code:

      1a) If URI equals /logon/java and also IP is in Group?
        Go to the pool
      2a) Else if URI equals /logon/java and also IP is not in Group?
        Redirect
      3a) None of the alternatives above? ("Else" implicit in code)
        Go ahead

      Mine:

      If URI equals /logon/java? (It covers the first check for the 1a and 2a conditions)
        So, IP is in Group? (Run class match and the return is True or False / Matches 1a when True)
          Go to the pool
        Else (Matches 2a / No need to run class match as it is obviously false)
          Redirect
      None of the alternatives above? (Same as 3a)
        Go ahead

       

      Am I wrong? Did I forget something?

       

      Kind regards.

  • Sorry, I didn't understand your iRule at the beginning. The way I perceived your iRule at first was that if I wasn't in that specific IP group and it didn't match /logon/java, it would still send me to that external page, but I was wrong. The iRule that you provided does seem to do the trick. I appreciate all the help and sorry for the confusion.

    • cjunior

      No problem, I think my English is not so clear :/

      Anyway, I'm glad to help in some way.

      Cheers