Forum Discussion
iRule to allow/block URL
Can anyone please help to create an iRule for the requirement below?
We would like to deny the access if the request is for www.abc.com/xyx but allow for www.abc.com/xyx/ccc.
URL to be allowed
www.abc.com/xyz/ccc
www.abc.com/xyz/yyy
www.abc.com/xyz/ppp
www.abc.com/xyz/ooo
URL to be blocked
This should allow only for some group of source IP addresses.
3 Replies
Hi Sanalbabu,
I assume that this allow/blocking functionality would be needed for a virtual server serving a specific website, right? If so, then use the snippet below as a starting point...

```tcl
when CLIENT_ACCEPTED {
    if { ( [IP::addr [IP::client_addr] equals 10.0.0.0/8] )
      or ( [IP::addr [IP::client_addr] equals 172.16.0.0/12] )
      or ( [IP::addr [IP::client_addr] equals 192.168.0.0/16] ) } then {
        set my_trusted_clients 1
    } else {
        set my_trusted_clients 0
    }
}
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] equals "www.abc.com" } then {
        set low_uri [string tolower [HTTP::uri]]
        if { ( $my_trusted_clients )
         and (( $low_uri starts_with "/xyz/ccc" )
           or ( $low_uri starts_with "/xyz/yyy" )
           or ( $low_uri starts_with "/xyz/ppp" )
           or ( $low_uri starts_with "/xyz/ooo" )) } then {

            # You may insert additional iRule code here, to handle requests to the explicitly allowed sub-sites

        } elseif { $low_uri starts_with "/xyz" } then {

            # Insert your block code here, to handle the blocked requests
            # Below are some examples...

            # 1.) Sending a redirect
            # HTTP::redirect "http://www.somesite.com/errorpage.html"

            # 2.) Sending an error page
            # HTTP::respond 403 content "Access denied"

        } else {

            # You may insert additional iRule code here, to handle requests to other sub-sites

        }
    } else {

        # You may insert additional iRule code here, to handle requests to other sites

    }
}
```

Cheers, Kai
- Sanal_Babu
Altostratus
Thanks for your reply.
My requirement is something as below.
I have created two datagroups in my F5, for the source IPs as well as the URL list.
IP data group name : allowed_IP
URL data group : allowed_url
We would like to deny the access if the request is only for www.abc.com/xyx but at the same time it should allow when it comes for www.abc.com/xyx/ccc.
URL to be allowed
www.abc.com/xyz/ccc
www.abc.com/xyz/yyy
www.abc.com/xyz/ppp
www.abc.com/xyz/ooo
URL to be blocked
So if a request comes for the allowed_url list, it should allow for all. But if it is for only www.abc.com/xyz, allow only for the IP address data group "allowed_IP". Rest all should be blocked.
Hi Sanalbabu,
To cover your latest requirements, you may take a look at the two examples below...
Note: I've written two different versions for you, to optimize the performance based on your expected request pattern. So please estimate your expected request pattern and then use the outlined iRule of either Scenario1 or Scenario2.
Scenario1
The iRule below should be used if you expect many requests to trigger the IP-based allow list for /xyz.

```tcl
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals DataGroup_ALLOWED_IP_ADDR] } then {
        set my_trusted_clients 1
    } else {
        set my_trusted_clients 0
    }
}
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] equals "www.abc.com" } then {
        set low_uri [string tolower [HTTP::uri]]
        if { [class match $low_uri starts_with Datagroup_ALLOWED_URIs] } then {

            # You may insert additional iRule code here, to handle requests to the explicitly allowed sub-sites

        } elseif { $low_uri starts_with "/xyz" } then {
            if { $my_trusted_clients } then {

                # You may insert additional iRule code here, to handle requests from the explicitly allowed client IPs

            } else {

                # Insert your block code here, to handle the blocked requests
                # Below are some examples...

                # 1.) Sending a redirect
                # HTTP::redirect "http://www.somesite.com/errorpage.html"

                # 2.) Sending an error page
                # HTTP::respond 403 content "Access denied"

            }
        } else {

            # You may insert additional iRule code here, to handle requests to other sub-sites

        }
    } else {

        # You may insert additional iRule code here, to handle requests to other sites

    }
}
```

Scenario2
The iRule below should be used if you expect just a few requests to trigger the IP-based allow list for /xyz.

```tcl
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] equals "www.abc.com" } then {
        set low_uri [string tolower [HTTP::uri]]
        if { [class match $low_uri starts_with Datagroup_ALLOWED_URIs] } then {

            # You may insert additional iRule code here, to handle requests to the explicitly allowed sub-sites

        } elseif { $low_uri starts_with "/xyz" } then {
            if { [class match [IP::client_addr] equals DataGroup_ALLOWED_IP_ADDR] } then {

                # You may insert additional iRule code here, to handle requests from the explicitly allowed client IPs

            } else {

                # Insert your block code here, to handle the blocked requests
                # Below are some examples...

                # 1.) Sending a redirect
                # HTTP::redirect "http://www.somesite.com/errorpage.html"

                # 2.) Sending an error page
                # HTTP::respond 403 content "Access denied"

            }
        } else {

            # You may insert additional iRule code here, to handle requests to other sub-sites

        }
    } else {

        # You may insert additional iRule code here, to handle requests to other sites

    }
}
```

Cheers, Kai
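An offline model of the branch order used in the Scenario1/Scenario2 iRules, for checking the requirement matrix before the rule goes onto a virtual server; it is an added example, not code from the thread or from F5. The data group contents, client addresses and the `/xyz/cccdraft` case are constructed, and treating allow-list entries as whole path segments is an assumption about the intended policy (`starts_with` itself compares plain string prefixes).

```python
import ipaddress

# Constructed stand-ins for the two data groups named in the thread.
ALLOWED_URIS = ["/xyz/ccc", "/xyz/yyy", "/xyz/ppp", "/xyz/ooo"]
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def under(path, prefix):
    """Segment-aware prefix test: /xyz matches /xyz and /xyz/..., not /xyzabc."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def decide(host, uri, client_ip, segment_aware=True):
    """Return 'allow' or 'block', following the branch order of the iRules."""
    if host.lower() != "www.abc.com":
        return "allow"                      # other sites: outside this policy
    path = uri.lower().split("?", 1)[0]     # compare the path, not the query string
    match = under if segment_aware else str.startswith
    if any(match(path, p) for p in ALLOWED_URIS):
        return "allow"                      # explicitly allowed sub-sites, any client
    if match(path, "/xyz"):
        trusted = any(ipaddress.ip_address(client_ip) in n for n in ALLOWED_NETS)
        return "allow" if trusted else "block"
    return "allow"                          # other sub-sites


# Requirement matrix from the thread plus boundary cases (constructed inputs).
CASES = [
    ("www.abc.com", "/xyz/ccc", "203.0.113.9", "allow"),
    ("www.abc.com", "/xyz", "203.0.113.9", "block"),
    ("www.abc.com", "/xyz", "10.1.2.3", "allow"),
    ("WWW.ABC.COM", "/XYZ/other?x=1", "203.0.113.9", "block"),
    ("www.abc.com", "/xyz/cccdraft", "203.0.113.9", "block"),
    ("www.abc.com", "/index.html", "203.0.113.9", "allow"),
]


def run_matrix(segment_aware=True):
    """Return the cases whose decision differs from the expected one."""
    return [c for c in CASES if decide(*c[:3], segment_aware) != c[3]]


if __name__ == "__main__":
    print("segment-aware mismatches:", run_matrix(True))
    print("plain starts_with mismatches:", run_matrix(False))
```

With plain prefix matching the only mismatch is `/xyz/cccdraft`, which an allow-list entry of `/xyz/ccc` also covers; if that is not intended, the data group entries need a trailing `/` plus an exact-match entry.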