Lloyd_Carter
May 12, 2020

iRule for IP Whitelist on specific URL

I have a service that I am migrating to F5 BIG-IP. It previously used IIS IP Address Restriction to control access to a particular URL. Can anyone recommend an iRule that will allow me to do the same? So, for example, only clients from IPs in my whitelist are able to access mywebsite.com/private, whilst allowing all other pages to go through.

  • Sure, an iRule for that isn't hard. The question is how you will get the whitelist onto the BIG-IP. If you use data groups you can update a whitelist directly in the GUI, but is that an interface you want to use for this? You can also use external data groups, which are a file on the BIG-IP. This can be pushed/pulled from other sources and then loaded on the BIG-IP. If you have a privatewhitelist address data group defined on the BIG-IP, this would do the job.

    when HTTP_REQUEST {
      if {[HTTP::uri] eq "/private"} {
        if {![class match [IP::client_address] equals privatewhitelist]} {
          HTTP::respond 403 content "<html><body>Access not permitted</body></html>" Connection Close
          TCP::close
        }
      }
    }
    • Lloyd_Carter

      Hi Kevin,

      Thanks for this. An internal data group for this would be fine as the list is going to be fairly static. I have defined my data group but I'm getting an error on the iRule as follows.

      01070151:3: [undefined procedure: IP::client_address][IP::client_address]

      Any ideas what I did wrong here? It looks like my data group has not been recognised by the iRule.

  • Kevin's solution works. My issue was a typo: [IP::client_address] should be [IP::client_addr].
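
The rule from this thread with the `IP::client_addr` correction applied, as an added example that is not part of the original posts. It goes beyond the posted rule by also covering paths beneath `/private`, requests carrying a query string, and mixed-case paths, which an exact `[HTTP::uri] eq "/private"` comparison does not check. It assumes an address data group named `privatewhitelist` as in the answer; the log line is an addition.

```tcl
# Added example: assumes an address-type data group named privatewhitelist
# (the name used in the answer above) already exists on the BIG-IP.
when HTTP_REQUEST {
    # HTTP::path excludes the query string, so /private?x=1 is still matched.
    # Lower-casing covers backends such as IIS that treat paths
    # case-insensitively, where /Private reaches the same content.
    set path [string tolower [HTTP::path]]

    # Protect /private itself and everything beneath it, without also
    # catching unrelated paths such as /private-docs.
    if { $path eq "/private" || $path starts_with "/private/" } {
        if { ![class match [IP::client_addr] equals privatewhitelist] } {
            # Record the denied request so it can be reviewed in the LTM log.
            log local0. "Denied [IP::client_addr] for [HTTP::uri]"
            HTTP::respond 403 content "<html><body>Access not permitted</body></html>" Connection Close
            return
        }
    }
}
```

If clients reach the virtual server through another proxy or NAT device, `IP::client_addr` is that device's address, so the data group has to list the addresses the BIG-IP actually sees.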