Forum Discussion

mike_89584's avatar
mike_89584
Icon for Nimbostratus rankNimbostratus
Jun 13, 2016
Solved

iRule help

Hi I have two separate irules - one to restrict access to certain IPs and one to force basic authentication, and I now find that I need to combine the two, that is allow certain IPs to a VIP (or fold...
BIG-IP
iRules
security
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Jun 13, 2016

    Hi,

    haven't understand quite well your requirement. Here the new try :

    when HTTP_REQUEST { 
    if { [IP::client_addr] eq "xxx.xxx.xxx.xxx" } {
        pool Pool_my_pool.com
    } else {
        binary scan [md5 [HTTP::password]] H* password
        if { [class lookup "[HTTP::username]" local_user_dgroup] equals $password } {
            log local0. "User [HTTP::username] has been authorized to access virtual server [virtual name]" 
        } else {
            log local0. "User [HTTP::username] has been denied access to virtual server [virtual name]"
            HTTP::respond 401 WWW-Authenticate "Basic realm=\"Secured Area\""
        }   
    }
}
Yann_Desmarest_'s avatar
Yann_Desmarest_
Icon for Nacreous rankNacreous
Jun 13, 2016

Hi,

Try this way :

when HTTP_REQUEST { 
    if { [IP::client_addr] eq "xxx.xxx.xxx.xxx" } { 
        binary scan [md5 [HTTP::password]] H* password
        if { [class lookup "[HTTP::username]" local_user_dgroup] equals $password } {
            log local0. "User [HTTP::username] has been authorized to access virtual server [virtual name]"
            pool Pool_my_pool.com
        } else {
            log local0. "User [HTTP::username] has been denied access to virtual server [virtual name]"
            HTTP::respond 401 WWW-Authenticate "Basic realm=\"Secured Area\""
        }   
    } else { 
        drop 
    } 
}
  • mike_89584's avatar
    mike_89584
    Icon for Nimbostratus rankNimbostratus
    Jun 13, 2016
    Hi Yann Thanks for your idea - that is not quite what I'm after... What I am trying to do is restrict the VIP by the basic authentication to all traffic, EXCEPT from traffic from particular IPs which would bypass the authentication entirely and be directed to the pool of my choice without the need to authenticate. I am not looking to drop requests Many thanks