Shiraz
Apr 28, 2016

Irule to block access of VS on specific days

Dears,

I am able to restrict the access to Virtual Server by providing the static time by using the below irule. However, I also want to use this irule to restrict the access on weekends.

when RULE_INIT {
    set current_day [clock format [clock seconds] -format {%a} ]
    set static::START_OFF_TIME "05:30 AM"
    set static::END_OFF_TIME "01:00 PM"
}
when HTTP_REQUEST {
    set start_off_time [clock scan $static::START_OFF_TIME]
    set end_off_time [clock scan $static::END_OFF_TIME]
    set now [clock seconds]

    if { ( [expr $now > $start_off_time] ) and ( [expr $now < $end_off_time] ) } {
        HTTP::respond 200 content "Maintenance ModeMaintenance mode..."
    }

}
  • Hi,

    current_day may not be defined in RULE_INIT but in HTTP_REQUEST.

    You can filter on the day number (1-7) and not the day name (Monday, ...) with the command:

    set current_day [clock format [clock seconds] -format {%u}]
    

    The iRule becomes:

    when RULE_INIT {
        set static::START_OFF_TIME [clock scan "05:30 AM"]
        set static::END_OFF_TIME [clock scan "01:00 PM"]
    }
    
    when HTTP_REQUEST {
        set now [clock seconds]
        set current_day [clock format [clock seconds] -format {%u}]
    
        if { ($current_day < 6 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
            HTTP::respond 200 content "Maintenance ModeMaintenance mode..."
        }
    
    }
    
  • Stan,

    We need to run this iRule on the specific site only, but the below iRule which I created is blocking the parent site. We need to allow access to the parent without time constraint, and block access for one of the sites with the below iRule.

    when RULE_INIT {
        set static::START_OFF_TIME [clock scan "05:30 AM"]
        set static::END_OFF_TIME [clock scan "01:00 PM"]
    }
    
    when HTTP_REQUEST {
        set now [clock seconds]
        set current_day [clock format [clock seconds] -format {%u}]
    
        if { ([string tolower [HTTP::uri]] contains "/contractor/") && ($current_day > 1 ) && ($current_day < 4 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
            pool POOL_443
        } elseif { ([string tolower [HTTP::uri]] contains "/contractor/") && ($current_day == 7 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
            pool POOL_443
        } else {
            HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
        }
    }
    
    • Ashu_Aggarwal

       Hi, I have a similar requirement where I have to restrict the VS access to an IP subnet for a particular window. Were you able to make it work? If so, can you please share the iRule?

       

      Thanks

      Ashu

      • jaikumar_f5

        You could rather open a new thread, it would have more visibility.

  • You can try something like that:

    when RULE_INIT {
        array set static::timerange {
            1 {"05:30" "13:00"}
            2 {"05:30" "13:00"}
            3 {"05:30" "13:00"}
            4 {"05:30" "13:00"}
            5 {"00:00" "00:00"}
            6 {"00:00" "00:00"}
            7 {"05:30" "13:00"}
        }
    }
    
    when HTTP_REQUEST {
        if { ([string tolower [HTTP::uri]] contains "/contractor/") } {    
            set now [clock seconds]
            set current_day [clock format $now -format {%u}]
            lassign $static::timerange($current_day) start end
            if {($now >= [clock scan $start]) && ($now < [clock scan $end])} {
                set denied 0
            } else {set denied 1}
        } else {set denied 0}
    
        if { $denied } {
            HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
        } else {pool POOL_443}
    }
    

    you can also use day name instead of number in array...

    • Ashu_Aggarwal

       Hi, I have a similar requirement, and when trying the above iRule it looks like it blocks the access but it doesn't pick/sync with the system clock. It just keeps denying the requests. Can you please suggest?

       

      Rgds/Ashu

      • Stan_PIRON_F5

        I don't remember if this code used GMT or local timezone..

         

        The comment I wrote above says lassign is not supported... try the code above.

  • The lassign command does not work in irule.

     

    The following code may solve this issue.

     

    when RULE_INIT {
        array set static::timerange {
            Sunday {"05:30" "13:00"}
            Monday {"05:30" "13:00"}
            Tuesday {"05:30" "13:00"}
            Wednesday {"05:30" "13:00"}
            Thursday {"05:30" "13:00"}
            Friday {}
            Saturday {}
        }
    }
    
    when HTTP_REQUEST {
        if { ([string tolower [HTTP::uri]] contains "/contractor/") } {    
            set now [clock seconds]
            set current_day [clock format $now -format {%A}]
            set start [lindex $static::timerange($current_day) 0]
            set end [lindex $static::timerange($current_day) 1]
            if {($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end])} {
                set denied 0
            } else {set denied 1}
            unset start end
        } else {set denied 0}
    
        if { $denied } {
            HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
        } else {pool POOL_443}
        unset denied
    }
  • Stan,

    Thanks for the rule, but in your rule the second condition in when HTTP_REQUEST is not being executed. I have created the below rule, which is working fine, but I need to add one more condition (if { ( [class match [IP::remote_addr] equals clntip]). When I add this condition to the below rule it is not working; the rest of the rule is working fine.

    Kindly advise.

    when RULE_INIT {
        set static::START_OFF_TIME [clock scan "05:30 AM"]
        set static::END_OFF_TIME [clock scan "04:00 PM"]
    }
    
    when HTTP_REQUEST {
        set now [clock seconds]
        set current_day [clock format [clock seconds] -format {%u}]

        if { not ([string tolower [HTTP::uri]] contains "/contracts/") } {
            pool POOL_443
        } elseif { ([class match [IP::remote_addr] equals clntip]) && ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day >= 1 ) && ($current_day < 4 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
            pool POOL_443
        } elseif { ([class match [IP::remote_addr] equals clntip]) && ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day == 7 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) && ( [class match [IP::remote_addr] equals clntip]) } {
            pool POOL_443
        } elseif { ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day == 5 ) or ($current_day == 6 ) } {
            HTTP::respond 200 content "Weekend!Its a Weekend! Contact Administrator..."
        } else {
            HTTP::respond 200 content "Not Authorised!Not Authorised! Contact Administrator..."
        }
    }
    
  • Hi,

    In the first irule I provided, there was an issue ...

    If clock scan is executed in RULE_INIT, the date will stay at the day the iRule was last modified or the service restarted.

    Try this irule :

    when RULE_INIT {
        array set static::timerange {
            Sunday {"05:30" "16:00"}
            Monday {"05:30" "16:00"}
            Tuesday {"05:30" "16:00"}
            Wednesday {"05:30" "16:00"}
            Thursday {"05:30" "16:00"}
            Friday {}
            Saturday {}
        }
    }
    
    when HTTP_REQUEST {
        if { ([string tolower [HTTP::uri]] contains "/contractor/") } {
            if {!([class match [IP::remote_addr] equals clntip])} {set denied 1}
            set now [clock seconds]
            set current_day [clock format $now -format {%A}]
            set start [lindex $static::timerange($current_day) 0]
            set end [lindex $static::timerange($current_day) 1]
            if {($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end])} {
                set denied 0
            } else {set denied 1}
            unset start end
        } else {set denied 0}
    
        if { $denied } {
            HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
        } else {pool POOL_443}
        unset denied
    }
    
  • Hi ibrahim,

    the following irule may work :

    when RULE_INIT {
        array set static::timerange {
            Sunday {"05:30" "16:00"}
            Monday {"05:30" "16:00"}
            Tuesday {"05:30" "16:00"}
            Wednesday {"05:30" "16:00"}
            Thursday {"05:30" "16:00"}
            Friday {}
            Saturday {}
        }
    }
    
    when HTTP_REQUEST {
        if { ([string tolower [HTTP::uri]] contains "/contractor/") } {
            if {!([class match [IP::remote_addr] equals clntip])} {
                set denied 1
            } else {
                set now [clock seconds]
                set current_day [clock format $now -format {%A}]
                set start [lindex $static::timerange($current_day) 0]
                set end [lindex $static::timerange($current_day) 1]
                if {($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end])} {
                    set denied 0
                } else {set denied 1}
                unset start end
            }
        } else {set denied 0}
    
        if { $denied } {
            HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
        } else {pool POOL_443}
        unset denied
    }
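
A consolidated version of the rule discussed in this thread, as an added example that is not code from any of the posters: the window is stored as minutes since midnight so nothing is frozen at RULE_INIT, the `clntip` data group is checked first, and the rule denies unless every check passes. The 403 status, the log line and matching on `HTTP::path` with `starts_with` are choices of this example; `clntip`, `POOL_443`, the `/contractor/` path and the Sunday to Thursday 05:30 to 16:00 window are taken from the posts above.

```tcl
when RULE_INIT {
    # Allowed window per weekday (%u: 1=Monday ... 7=Sunday) as
    # {start end} in minutes since midnight. An empty list means no
    # access that day. Only plain numbers are stored, so nothing here
    # depends on the date the rule was loaded.
    array set static::window {
        1 {330 960}
        2 {330 960}
        3 {330 960}
        4 {330 960}
        5 {}
        6 {}
        7 {330 960}
    }
}

when HTTP_REQUEST {
    # Requests outside the restricted path are not time-limited.
    # HTTP::path excludes the query string, unlike HTTP::uri.
    if { !([string tolower [HTTP::path]] starts_with "/contractor/") } {
        pool POOL_443
        return
    }

    # Fail closed: deny unless every check below passes.
    set reason "client not in clntip"
    if { [class match [IP::remote_addr] equals clntip] } {
        set now [clock seconds]
        # Without -gmt, clock format uses the system's local time zone.
        set day [clock format $now -format {%u}]
        scan [clock format $now -format {%H %M}] {%d %d} hh mm
        set minute [expr {$hh * 60 + $mm}]
        set range $static::window($day)
        if { [llength $range] == 2 && $minute >= [lindex $range 0] && $minute < [lindex $range 1] } {
            pool POOL_443
            return
        }
        set reason "outside window (day $day, minute $minute)"
    }

    # The thread's rules answer with 200; 403 is used here so clients
    # and monitoring see the response as a denial.
    log local0. "contractor access denied for [IP::remote_addr]: $reason"
    HTTP::respond 403 content "Not Authorised! Contact Administrator..."
}
```

The logged day and minute values show which time zone the device is evaluating the window in, which is the question raised earlier in the thread about requests always being denied.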