Forum Discussion
iRule Newbie - Limit Access to URIs based on IP Source
Hi,
I am just starting out in the world of iRules - apologies for any newbie errors.
We have a test site where access control was based on a firewall ACL - pretty simple, worked fine.
Now our developers have created an app they wish to test from anywhere on the Internet, but still want to restrict access based on source IP to the original test site.
i.e.
/authenticate :: permit 0.0.0.0/0
/* :: permit only x.x.x.x/y and host a.b.c.d
I have already created an iRule to rewrite the client's URI request from "/" to our landing page - /web/landing_page - this is also working fine.
I was going to add a second iRule to the VS with priority set so that it executes following the rewrite iRule.
My logic for the second iRule:
    priority 20
    if http request uri eq /authenticate
        permit
    else if http request eq datagroup_string-class
        permit
The data group would list the URI with a permitted access-group address list as the value.
Questions:
Will my logic work?
Can I use a wildcard e.g. "/*" for the test site URI or do I have to have every URI listed?
Thanks!
Mark
4 Replies
- Mohamed_Lrhazi
Altocumulus
Can you show a made up example of the data group?
- Rustic_57941
Nimbostratus
Hi,
The data group (string class) looks like this:
/authenticate:=Auth_Allowed_IPs
/web/landing_page:=Test_Allowed_IPs
Thanks
- Mohamed_Lrhazi
Altocumulus
Maybe your data could be like so:
/authenticate:=0.0.0.0/32
/web/landing_page:=1.2.3.4/32,1.2.3.5/32,192.168.0.0/16
...
Then your iRule could look up the list of subnets that matches the current URI, split it, and then test the client IP against each; if no match is found, reject.
Otherwise, fall through and use the default pool.
Maybe there is a much simpler way. Read about class for some ideas, maybe: https://devcentral.f5.com/wiki/irules.class.ashx
- Rustic_57941
Nimbostratus
Thanks - I have changed things a little by creating an address-class datagroup which has the permitted IP addresses. This is used in the following iRule:

    when HTTP_REQUEST {
        # Only the landing page path is guarded; the comparison is case-insensitive
        if { [string tolower [HTTP::path]] contains "/web/landing_page" } {
            # Test_Allowed_IPs is an address data group; matchclass returns true
            # when the client address falls inside one of its entries
            if { !([matchclass [IP::client_addr] equals Test_Allowed_IPs]) } {
                # Silently drop the connection for clients not on the list
                discard
            }
        }
    }

This is working with initial testing.
Rgds,
Mark
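The lookup-split-test flow Mohamed describes (look up the subnet list for the URI, split it, test the client IP against each entry, reject on no match), written out as a small Python model so the decision logic can be exercised offline before it is ported to an iRule. This is an added example, not code from the thread and not an iRule; it uses no F5 APIs. The dictionary stands in for the string data group, keyed by URI prefix with a comma-separated CIDR list as the value, and every address in it is a constructed documentation range. Two details go beyond the thread: the match is longest-prefix, so "/authenticate" wins over the "/" catch-all that models the "/*" rule, and the decision is default-deny, so a path with no entry is rejected rather than falling through.

```python
"""Model of a per-URI source-IP allow list driven by a data-group-style map.

Hypothetical helper code for testing the decision logic offline before
porting it to an iRule; it is not an iRule and uses no F5 APIs.
"""
import ipaddress

# Constructed example of the string data group: key = URI prefix,
# value = comma-separated list of permitted networks (documentation ranges).
URI_ACL_DG = {
    "/authenticate": "0.0.0.0/0,::/0",          # anyone, IPv4 or IPv6
    "/": "203.0.113.0/24,198.51.100.7/32",       # the "/*" rule: subnet + host
}


def parse_acl(data_group):
    """Turn the raw data group into {lowercase prefix: [ip_network, ...]}.

    Parsing once up front means a typo in a CIDR fails at load time rather
    than silently never matching on a live request.
    """
    parsed = {}
    for prefix, nets in data_group.items():
        parsed[prefix.lower()] = [
            ipaddress.ip_network(n.strip(), strict=False)
            for n in nets.split(",")
            if n.strip()
        ]
    return parsed


def match_prefix(path, acl):
    """Return the longest data-group key that is a prefix of the request path.

    Longest prefix wins, so "/authenticate" beats the catch-all "/".  A plain
    prefix test also matches "/authenticated"; add a trailing "/" to the key
    or compare path segments if that matters.  Pass only the path (no query
    string), as HTTP::path would supply it.  Returns None if no key applies.
    """
    path = path.lower()
    best = None
    for prefix in acl:
        if path.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return best


def is_allowed(client_ip, path, acl):
    """Default-deny decision: permit only if a prefix matches and the client
    address falls inside one of that prefix's networks.

    ip_network containment is False on an address-family mismatch, so an
    IPv6 client is rejected by an IPv4-only list unless ::/0 or a v6
    prefix is listed explicitly.
    """
    prefix = match_prefix(path, acl)
    if prefix is None:
        return False
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in acl[prefix])


ACL = parse_acl(URI_ACL_DG)


def decide(requests, acl=ACL):
    """Evaluate (client_ip, path) pairs and return a "permit"/"reject" verdict per pair."""
    return ["permit" if is_allowed(ip, path, acl) else "reject" for ip, path in requests]


if __name__ == "__main__":
    # Constructed sample requests and the verdict each should receive.
    sample = [
        ("192.0.2.10", "/authenticate"),        # permit: open to everyone
        ("192.0.2.10", "/web/landing_page"),    # reject: not on the "/" list
        ("198.51.100.7", "/web/landing_page"),  # permit: host entry
        ("203.0.113.42", "/"),                  # permit: subnet entry
        ("2001:db8::1", "/web/landing_page"),   # reject: v6 client, v4-only list
    ]
    for (ip, path), verdict in zip(sample, decide(sample)):
        print(f"{ip:>16} {path:<20} {verdict}")
```

The iRule equivalent of this shape is a string data group read with `class match -value` on the lowercased path, a `split` on the returned value, and an `IP::addr [IP::client_addr] equals <network>` test per entry, with the reject branch choosing between `discard` (silent drop, as in Mark's rule) and an `HTTP::respond 403` that is friendlier to troubleshoot. Whichever is chosen, keep the reject as the default so an unlisted path is not accidentally exposed.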