Forum Discussion
iRule to allow traffic based on certain URI and remote IP, allow all if URI doesn't match
I'm looking for an iRule that will be applied to a multitenant environment, where each client will have their own set of authorised IPs.
Our application will have a "common" URI in web requests for all tenants, but the hostname differs. So there will be a pool mapping at first based on the host.
1. We need to allow web requests with a "certain URI" for authorized IPs.
2. Deny web requests with the above URI if the remote IP doesn't match the authorized IPs.
3. Allow all web requests that do not match the above URI; these need to be publicly available.
   3a. If the allowed URI is "/store/coffee", then starbucks.net/store/coffee/mug.html should work only for whitelisted IPs. Unauthorized IPs making the same web request should get a 403 error.
   3b. If the web request is starbucks.net/AboutUs.html or starbucks.net/contactus.aspx, then it should be publicly available. No restrictions.
I have the iRule below, which is partially working. However, my point 3(b) doesn't work: I get an IE error when the URI does not match the allowed URI. Please advise.
```tcl
when HTTP_REQUEST {
    # Pool selection keyed on host + URI prefix (datagroup_pools maps "host/prefix" -> pool name).
    set pool [class match -value -- [HTTP::host][HTTP::uri] starts_with datagroup_pools]
    # Initialise before the URI check so the variable exists on every code path.
    # Setting it only inside the matching branch leaves it undefined for public URIs,
    # and the later "if {$blacklisted ...}" then throws a Tcl error instead of forwarding.
    set blacklisted "false"
    if { [class match [string tolower [HTTP::uri]] contains datagroup_allowed_uri] } {
        # datagroup_whitelistgrp maps a host to the name of that tenant's IP data group.
        set whitelist [class match -value -- [HTTP::host] equals datagroup_whitelistgrp]
        set ipaddr [IP::remote_addr]
        if { $whitelist ne "" } {
            if { !([class match $ipaddr equals $whitelist]) } {
                # office_ips is a shared data group that must already exist on the device.
                if { !([class match $ipaddr equals office_ips]) } {
                    set blacklisted "true"
                    HTTP::respond 403 content "<html code for custom error page>"
                }
            }
        }
    }
    if { $blacklisted ne "true" } {
        if { $pool ne "" } {
            if { [active_members $pool] == 0 } {
                HTTP::respond 500 content "<html code for custom error page>"
            } else {
                pool $pool
            }
        } else {
            HTTP::respond 404 content "<html code for custom error page>"
        }
    }
}
```
Not sure which of your points is 3(b); there don't appear to be numbers for me. You might want to rework your introduction, or explain on which line it fails now.
For the rest, I at least notice you don't set up office_ips in this section; it might be done earlier, of course.
- Sabir_Alvi
Altocumulus
I have corrected the question format, please check now
- spalande
Nacreous
It's not clear from the requirement whether other hosts (other than starbucks.net) need any IP restrictions for certain URIs, but assuming they don't, we can simplify the iRule as below. It also has the mapping from hostname to pool in the same iRule.
```tcl
when HTTP_REQUEST {
    # Host-to-pool mapping; unknown hosts are rejected.
    switch -glob [string tolower [HTTP::host]] {
        "www.abc.com" { pool www.abc.com_443 }
        "starbucks.net" { pool starbucks.net_443 }
        default { reject }
    }
    # The IP restriction applies only to starbucks.net and only under the protected
    # path prefix; every other request is forwarded untouched.
    switch -glob [string tolower [HTTP::uri]] {
        "/store/coffee*" {
            if { [string tolower [HTTP::host]] eq "starbucks.net" && ![class match [IP::client_addr] equals datagroup_whitelist] } {
                HTTP::respond 403 content "<html code for custom error page>"
            } else {
                return
            }
        }
        default { return }
    }
}
```
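The decision the iRule makes (host selects the pool; a restricted URI prefix plus a client address outside the tenant's whitelist and the shared office ranges yields 403; everything else is forwarded) can be checked offline before it is pushed to a BIG-IP. The following is an added example, not code from the thread or from F5: a plain-Python model of that per-tenant policy. The tenant names, pools, prefixes and address ranges are constructed sample data, and the shared `OFFICE_NETWORKS` table stands in for the `office_ips` data group mentioned in the question.

```python
"""Added example, not code from the thread: a plain-Python model of the
per-tenant access decision the iRule makes, so the policy table can be unit
tested before it is pushed to a BIG-IP. Tenant names, pools, prefixes and
address ranges are constructed sample data."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tenant:
    pool: str
    restricted_prefixes: tuple  # URI path prefixes reachable only from allowed networks
    allowed_networks: tuple     # CIDRs; an empty tuple means no restriction for this tenant


# Constructed policy table keyed by the lower-cased Host header.  It stands in
# for the host->pool and host->whitelist data groups used in the thread.
POLICY = {
    "starbucks.net": Tenant(
        pool="starbucks.net_443",
        restricted_prefixes=("/store/coffee",),
        allowed_networks=("203.0.113.0/24", "2001:db8::/32"),
    ),
    "www.abc.com": Tenant(
        pool="www.abc.com_443",
        restricted_prefixes=("/store/coffee",),
        allowed_networks=("198.51.100.7/32",),
    ),
}

# Shared ranges allowed for every tenant; the equivalent of the office_ips data group.
OFFICE_NETWORKS = ("192.0.2.0/24",)


def in_any_network(addr, cidrs):
    """True if addr falls inside any of the CIDRs (an address-family mismatch is False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr) for cidr in cidrs)


def under_prefix(path, prefix):
    """Segment-aware prefix match: /store/coffee covers /store/coffee and
    /store/coffee/..., but not /store/coffeebean."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def decide(host, uri, client_ip):
    """Return ("pool", name) to forward or ("respond", status) to answer locally.

    The decision is computed for every request and defaults to forwarding, so a
    URI outside the restricted prefixes is public no matter who sends it.
    """
    host = host.lower().split(":", 1)[0]   # Host may carry a port (bracketed IPv6 literals not handled)
    path = uri.lower().split("?", 1)[0]    # match on the path only, never on the query string
    tenant = POLICY.get(host)
    if tenant is None:
        return ("respond", 404)
    restricted = any(under_prefix(path, p) for p in tenant.restricted_prefixes)
    if restricted and tenant.allowed_networks:
        if not (in_any_network(client_ip, tenant.allowed_networks)
                or in_any_network(client_ip, OFFICE_NETWORKS)):
            return ("respond", 403)
    return ("pool", tenant.pool)


if __name__ == "__main__":
    for req in [("starbucks.net", "/store/coffee/mug.html", "203.0.113.10"),
                ("starbucks.net", "/store/coffee/mug.html", "198.51.100.7"),
                ("starbucks.net", "/AboutUs.html", "198.51.100.7")]:
        print(req, "->", decide(*req))
```

Two points carry over to the real iRule. First, `under_prefix` matches on path segments, so `/store/coffeebean.html` is not treated as part of `/store/coffee`; the question's `contains` match and a bare glob `/store/coffee*` both would. Second, like `HTTP::uri`, the model compares the path exactly as the client sent it, so if the backend normalises `..` segments or percent-encoded characters it may serve a different resource from the one the rule classified; decode and normalise before matching when that is the case.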
- spalande
Nacreous
Glad it's working. you can mark this question as complete.