Forum Discussion
iRule interpretation assistance
Hi Dev Central. I need some assistance interpreting the following iRule, especially the first line. My interpretation is that if the HTTP path contains any of the following: /, /index.jsp, /startpage, /sap/admin, /sap/admin* AND the client IP address is NOT in the All-Internal_dg Data Group List, then the request is REJECTED. Is this correct?
What is bothering me is the very first line with the "/". This would mean that any path would be rejected if the request isn't coming from an IP in the All-Internal_dg Data Group List, right? I ask because this service is still accessible from IPs that are not in the All-Internal_dg Data Group List. So I am wondering how some paths are still working for clients that are not in the All-Internal_dg Data Group.
Thanks for any help you can lend.
when HTTP_REQUEST {
  # Only the first matching case runs; all cases except "/sap/admin*" are exact matches.
  switch -glob [HTTP::path] {
    "/" {
      # log 10.x.x.58 local0. "In root client ip is [IP::client_addr]"
      if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
        reject
      }
      HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/startPage
    }
    "/index.jsp" {
      # log 10.x.x.58 local0. "In index.jsp client ip is [IP::client_addr]"
      if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
        reject
      }
      HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/startPage
    }
    "/startpage" {
      # log 10.x.x.58 local0. "In startpage client ip is [IP::client_addr]"
      if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
        reject
      }
    }
    "/sap/admin" {
      # log 10.x.x.58 local0. "In sap admin client ip is [IP::client_addr]"
      if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
        reject
      }
      HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/sap/admin/public/default.html
    }
    "/sap/admin*" {
      # log 10.x.x.58 local0. "Deep in sap admin client ip is [IP::client_addr]"
      if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
        reject
      }
    }
    default {
      # log 10.x.x.58 local0. "Something hit the default switch client ip is [IP::client_addr]"
      # Any path not listed above reaches here and is neither checked nor rejected.
    }
  }
}
6 Replies
- Except for "/sap/admin*", all other switch cases are exact matches, so requests such as "/abc" or "/startpage/dfgh" will get the default case and don't get rejected.
- craddockchris (Altocumulus): Thank you! What of the lone "/" entry? Does that mean something like "https://mysite.com/" would get blocked but "https://mysite.com/abc" wouldn't?
- Yes. "https://mysite.com/" will be evaluated for the "/" case, so the client IP address will be evaluated against All-Internal_dg. "https://mysite.com/abc" will go to the default case.
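To check that reading of the switch offline, here is an added model of the iRule's dispatch (example code, not from the thread or from F5). It assumes Tcl's `switch -glob` takes the first matching pattern and is case-sensitive, that `matchclass ... equals` on an address data group matches the client IP against CIDR entries, and it uses a constructed stand-in for All-Internal_dg, whose real contents are not on the page.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed stand-in for the All-Internal_dg address data group (assumption).
ALL_INTERNAL_DG = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Case labels in the exact order the iRule lists them; only the last one is a glob.
RESTRICTED_PATTERNS = ["/", "/index.jsp", "/startpage", "/sap/admin", "/sap/admin*"]


def is_internal(client_ip: str) -> bool:
    """Model of `matchclass [IP::client_addr] equals All-Internal_dg`."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALL_INTERNAL_DG)


def matched_case(path: str) -> str:
    """Return the switch case label the path falls into, or 'default'."""
    for pattern in RESTRICTED_PATTERNS:
        # Tcl switch semantics: first matching pattern wins, match is case-sensitive.
        if fnmatchcase(path, pattern):
            return pattern
    return "default"


def decision(path: str, client_ip: str) -> str:
    """'reject' when a restricted case is hit by an external client, else 'allow'."""
    if matched_case(path) != "default" and not is_internal(client_ip):
        return "reject"
    return "allow"


if __name__ == "__main__":
    # 203.0.113.9 is a constructed external address; 10.1.2.3 is inside the stand-in group.
    for path in ("/", "/abc", "/startpage", "/startPage", "/startpage/dfgh", "/sap/admin/users"):
        print(f"{path:18} case={matched_case(path):12} "
              f"external={decision(path, '203.0.113.9')} internal={decision(path, '10.1.2.3')}")
```

Note that `matched_case("/startPage")` returns `"default"`: the switch has no `-nocase`, so the redirect target written with a capital P is not covered by the lowercase `"/startpage"` case, which is worth confirming against the real site's URL casing.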
- Jklaren (Nimbostratus): You now have a rule that always has an explicit allow at the end. Is that something you want?
- craddockchris (Altocumulus): Now that I understand the iRule better, it looks like the intention was to restrict access to certain resources on the website to internal IP addresses only while allowing access to other resources. I believe it is working as intended.
- craddockchris (Altocumulus): Thank you everyone for your help! I have a better understanding of the iRule now!