
Forum Discussion

SighclopsII_189
Feb 25, 2015

iRule to allow access to a uri only from a specific source subnet

I am looking to create an iRule that will allow access to URIs containing specific strings when coming from an approved subnet, but drop requests to those URIs when coming from all other subnets.

So basically... On HTTP_REQUEST, if the URI contains "something/test/testing" and the source IP matches 10.1.1.0/24, then send to my pool. All other requests to URIs containing "something/test/testing" whose source IP does not match 10.1.1.0/24, then drop.

Can someone tell me what this iRule would and should look like?

Thanks!

4 Replies

  • This wiki page talks about checking IP addresses.

    Basically, the irule you're looking for would be similar to this. You should be able to change it up as necessary.

    when HTTP_REQUEST {
        # The switch statement is good for conditionals and easy to manage.
        # The '-glob' parameter marks the switch to allow wildcards (the "*")
        switch -glob -- [string tolower [HTTP::uri]] {
            "/something/test/testing" {
                if { [IP::addr [IP::client_addr] equals 10.1.1.0/24] } {
                    # Process the traffic
                    pool POOL_NAME
                } else {
                    # Drop the connection (you can also use reject instead of drop)
                    drop
                }
            }
        }
    }
    
  • This should work based on your iRule (just changed the || to && to make it an AND):

    when HTTP_REQUEST { 
        if { ([HTTP::uri] contains "/something/bla/test/testing") && ([IP::addr [IP::client_addr] equals 10.1.1.0/24]) } {
            pool My_Web_Pool
        } else {
            HTTP::respond 200 content {   Sorry Page   Sorry, this Page is restricted.   } 
        } 
    }
    

    Or try this updated one

    when HTTP_REQUEST {
        # The switch statement is good for conditionals and easy to manage.
        # The '-glob' parameter marks the switch to allow wildcards (the "*")
        switch -glob -- [string tolower [HTTP::uri]] {
            "*/something/test/testing*" {
                if { [IP::addr [IP::client_addr] equals 10.1.1.0/24] } {
                    # Process the traffic
                    pool POOL_NAME
                } else {
                    HTTP::respond 200 content {   Sorry Page   Sorry, this Page is restricted.   }
                }
            }
        }
    }
    
  • Can you tell me how to add multiple URIs and multiple IP ranges to this?

    Thanks! -Jeff


  • Hi,

    You can do it with a local traffic policy instead of an iRule.

    Policies support an IP address condition since version 11.6.
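Jeff's follow-up (several URIs and several source ranges) is left without an iRule answer above. The following is an added example, not code posted in this thread, showing the usual way to do it in an iRule: keep the path prefixes in a string data group and the approved subnets in an address data group, and match with `class match` instead of a growing chain of `if`s. The data group names `restricted_paths` and `allowed_subnets` and the pool name `POOL_NAME` are assumptions; substitute your own. Two points the posted versions gloss over are handled here: the match is done on the decoded, lower-cased `HTTP::path` rather than the raw `HTTP::uri` (so `/something/TEST/testing` or `/something/te%73t/testing` cannot slip past a literal string comparison), and the refusal is a 403 rather than a 200, so it shows up as a denial in client behaviour and in logs.

```tcl
# Added example for this thread (not from the original posts). Assumes two
# data groups exist on the BIG-IP (hypothetical names):
#   restricted_paths  - string data group, one path prefix per record,
#                       e.g. /something/test/testing and /something/admin
#   allowed_subnets   - address data group, one subnet per record,
#                       e.g. 10.1.1.0/24 and 192.168.50.0/24
# POOL_NAME is a placeholder for the real pool.
when HTTP_REQUEST {
    # Match on the decoded, lower-cased path only. HTTP::uri also carries the
    # query string, and a literal match on the raw URI can be sidestepped with
    # percent-encoding or case changes if the backend normalizes them.
    set path [string tolower [URI::decode [HTTP::path]]]

    # Not a restricted path: let the virtual server's default pool handle it.
    if { ![class match $path starts_with restricted_paths] } {
        return
    }

    # Restricted path: only the listed source subnets may reach it.
    # IP::client_addr is the TCP peer, so this assumes no proxy sits between
    # the client and the BIG-IP; otherwise it is the proxy's address, not the
    # end user's.
    if { [class match [IP::client_addr] equals allowed_subnets] } {
        pool POOL_NAME
    } else {
        # Refuse with a 403 and record who was turned away.
        log local0. "denied [IP::client_addr] -> [HTTP::host]$path"
        HTTP::respond 403 content "Forbidden" Connection close
    }
}
```

Adding another protected URI or another approved range then means adding a record to the relevant data group, with no change to the iRule itself. If you would rather the unauthorized client see nothing, replace the `HTTP::respond` line with `reject` or `drop` as in the first reply.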