Forum Discussion

COf5
Nov 27, 2024

iRule for public IP access to specific section of my URL

I will need someone to validate this iRule for me, pls.

Request: allow only a public IP or Subnet access to a section of my URL: https://xxx.xxx.com/xxx/*

Many recommendations welcome.

After adding ALLOW_x.x.x.x to the Data Group List:


when HTTP_REQUEST {
  if {[HTTP::uri] eq "https://xxx.xxx.com/xxx/*"} {
    if {![class match [IP::client_addr] equals ALLOW_x.x.x.x]} {
      HTTP::respond 403 content "<html><body>Access not permitted</body></html>" Connection Close
      TCP::close
    }
  }
}

  • The reset traffic probably kills the TCP connection before the redirect happens. It's not needed; things don't happen in the order listed. The "?" on the URL makes no sense to me, and I think the wrong slash is in the redirect as well. Using "starts with" also means it can be removed. The "aspx" also could be, as long as there is no other "logon" on the site. In the VS status you can see which rule is being hit. I tend to use "host, host is ... and http path is ...". Don't forget to use a web browser session (or new private window) on each test: iRules and policies are matched when the TCP connection starts, and web browsers keep it open, so any changes will not be seen. You need to drop to raw TCL if the query string needs to be passed, i.e. tcl:/querytest2.html\?[HTTP::query]

    • COf5

      zamroni777

      Is my config, attached, OK?

      Because my setup doesn't work.

  • HTTP::uri only matches the path, i.e. /xxx/... Depending on whether you need the query string or not, you use http::url or HTTP::path.

    HTTP::host to match the host name, i.e. xxx.xxx.com


    when HTTP_REQUEST {
        if {[HTTP::host] eq "xxx.xxx.com"} {
            if {[HTTP::uri] starts_with "/xxx/"} {
                # the data group check and 403 response go here
            }
        }
    }


    search   f5 irules http::url   

    search   f5 irules http::host

    search   f5 irules if conditions 


    Web browsers are hard to kick out once connected. No real need for the TCP close.
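
    A complete iRule that puts this reply together with the data group check from the original post, as an added example (this is not code posted in the thread or F5's own). It assumes an "address" type data group named ALLOW_x.x.x.x holding the permitted client IPs/subnets, the host name xxx.xxx.com and the protected prefix /xxx/ (all placeholders taken from the thread), and uses HTTP::path rather than HTTP::uri so that a query string on the request does not affect the prefix match.

```tcl
# Added example, not the thread's own iRule. Assumes an "address" type data
# group ALLOW_x.x.x.x (permitted client IPs/subnets), host xxx.xxx.com and
# protected path prefix /xxx/, all placeholders from the thread.
when HTTP_REQUEST {
    # HTTP::host can arrive as "host:port" and in any case; normalise it
    # before comparing so "XXX.xxx.com:443" still matches.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    # HTTP::path is the path without the query string, so
    # /xxx/page?x=y matches the prefix; starts_with needs no wildcard.
    if { $host eq "xxx.xxx.com" && [HTTP::path] starts_with "/xxx/" } {
        # For an address data group, "class match ... equals" does a
        # longest-prefix subnet match on the client address.
        if { ![class match [IP::client_addr] equals ALLOW_x.x.x.x] } {
            # Log the denial so the rule can be verified and monitored
            # (visible in /var/log/ltm).
            log local0. "Denied [IP::client_addr] for [HTTP::host][HTTP::uri]"
            # HTTP::respond sends the reply and finishes the request; a
            # TCP::close after it is not needed. Header name/value pairs
            # follow the content argument.
            HTTP::respond 403 content "<html><body>Access not permitted</body></html>" "Content-Type" "text/html" "Connection" "close"
            return
        }
    }
}
```

    The prefix test is on the raw path, so if the application treats paths case-insensitively, lowercase HTTP::path before comparing as well. Test each change from a fresh private browser window, as noted above, since an already open keep-alive connection will not re-evaluate the rule.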