Forum Discussion

mike_89584's avatar
mike_89584
Icon for Nimbostratus rankNimbostratus
Jun 13, 2016
Solved

iRule help

Hi I have two separate irules - one to restrict access to certain IPs and one to force basic authentication, and I now find that I need to combine the two, that is allow certain IPs to a VIP (or folder structure) with no requirement for the authentication, but for all other requests, the Authentication needs to be in place

any help would be greatly appreciated!

Basic Authentication:

when HTTP_REQUEST { binary scan [md5 [HTTP::password]] H* password

if { [class lookup "[HTTP::username]" local_user_dgroup] equals $password } {
    log local0. "User [HTTP::username] has been authorized to access virtual server [virtual name]"
} else {
    log local0. "User [HTTP::username] has been denied access to virtual server [virtual name]"
    HTTP::respond 401 WWW-Authenticate "Basic realm=\"Secured Area\""
}

}

IP Restriction:

when HTTP_REQUEST { if { [IP::client_addr] eq "xxx.xxx.xxx.xxx" } { pool Pool_my_pool.com

} else { drop } }
BIG-IP
iRules
security
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Jun 13, 2016

    Hi,

    haven't understand quite well your requirement. Here the new try :

    when HTTP_REQUEST { 
    if { [IP::client_addr] eq "xxx.xxx.xxx.xxx" } {
        pool Pool_my_pool.com
    } else {
        binary scan [md5 [HTTP::password]] H* password
        if { [class lookup "[HTTP::username]" local_user_dgroup] equals $password } {
            log local0. "User [HTTP::username] has been authorized to access virtual server [virtual name]" 
        } else {
            log local0. "User [HTTP::username] has been denied access to virtual server [virtual name]"
            HTTP::respond 401 WWW-Authenticate "Basic realm=\"Secured Area\""
        }   
    }
}

8 Replies

Sort By
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 13, 2016

    Hi,

    Try this way :

    when HTTP_REQUEST { 
    if { [IP::client_addr] eq "xxx.xxx.xxx.xxx" } { 
        binary scan [md5 [HTTP::password]] H* password
        if { [class lookup "[HTTP::username]" local_user_dgroup] equals $password } {
            log local0. "User [HTTP::username] has been authorized to access virtual server [virtual name]"
            pool Pool_my_pool.com
        } else {
            log local0. "User [HTTP::username] has been denied access to virtual server [virtual name]"
            HTTP::respond 401 WWW-Authenticate "Basic realm=\"Secured Area\""
        }   
    } else { 
        drop 
    } 
}
    • mike_89584's avatar
      mike_89584
      Icon for Nimbostratus rankNimbostratus
      Jun 13, 2016
      Hi Yann Thanks for your idea - that is not quite what I'm after... What I am trying to do is restrict the VIP by the basic authentication to all traffic, EXCEPT from traffic from particular IPs which would bypass the authentication entirely and be directed to the pool of my choice without the need to authenticate. I am not looking to drop requests Many thanks
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Icon for Nacreous rankNacreous
    Jun 13, 2016

    Hi,

    Try this way :

    when HTTP_REQUEST { 
    if { [IP::client_addr] eq "xxx.xxx.xxx.xxx" } { 
        binary scan [md5 [HTTP::password]] H* password
        if { [class lookup "[HTTP::username]" local_user_dgroup] equals $password } {
            log local0. "User [HTTP::username] has been authorized to access virtual server [virtual name]"
            pool Pool_my_pool.com
        } else {
            log local0. "User [HTTP::username] has been denied access to virtual server [virtual name]"
            HTTP::respond 401 WWW-Authenticate "Basic realm=\"Secured Area\""
        }   
    } else { 
        drop 
    } 
}
    • mike_89584's avatar
      mike_89584
      Icon for Nimbostratus rankNimbostratus
      Jun 13, 2016
      Hi Yann Thanks for your idea - that is not quite what I'm after... What I am trying to do is restrict the VIP by the basic authentication to all traffic, EXCEPT from traffic from particular IPs which would bypass the authentication entirely and be directed to the pool of my choice without the need to authenticate. I am not looking to drop requests Many thanks
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 13, 2016

    Hi,

    haven't understand quite well your requirement. Here the new try :

    when HTTP_REQUEST { 
    if { [IP::client_addr] eq "xxx.xxx.xxx.xxx" } {
        pool Pool_my_pool.com
    } else {
        binary scan [md5 [HTTP::password]] H* password
        if { [class lookup "[HTTP::username]" local_user_dgroup] equals $password } {
            log local0. "User [HTTP::username] has been authorized to access virtual server [virtual name]" 
        } else {
            log local0. "User [HTTP::username] has been denied access to virtual server [virtual name]"
            HTTP::respond 401 WWW-Authenticate "Basic realm=\"Secured Area\""
        }   
    }
}
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Icon for Nacreous rankNacreous
    Jun 13, 2016

    Hi,

    haven't understand quite well your requirement. Here the new try :

    when HTTP_REQUEST { 
    if { [IP::client_addr] eq "xxx.xxx.xxx.xxx" } {
        pool Pool_my_pool.com
    } else {
        binary scan [md5 [HTTP::password]] H* password
        if { [class lookup "[HTTP::username]" local_user_dgroup] equals $password } {
            log local0. "User [HTTP::username] has been authorized to access virtual server [virtual name]" 
        } else {
            log local0. "User [HTTP::username] has been denied access to virtual server [virtual name]"
            HTTP::respond 401 WWW-Authenticate "Basic realm=\"Secured Area\""
        }   
    }
}