Forum Discussion
iRule to block access of VS on specific days
Dears,
I am able to restrict access to the Virtual Server during a static time window by using the iRule below. However, I also want to use this iRule to restrict access on weekends.
    when RULE_INIT {
        set current_day [clock format [clock seconds] -format {%a} ]
        set static::START_OFF_TIME "05:30 AM"
        set static::END_OFF_TIME "01:00 PM"
    }
    when HTTP_REQUEST {
        set start_off_time [clock scan $static::START_OFF_TIME]
        set end_off_time [clock scan $static::END_OFF_TIME]
        set now [clock seconds]
        if { ( [expr $now > $start_off_time] ) and ( [expr $now < $end_off_time] ) } {
            HTTP::respond 200 content "Maintenance ModeMaintenance mode..."
        }
    }
- Stanislas_Piro2Cumulonimbus
Hi,
current_day may not be defined in RULE_INIT but in HTTP_REQUEST.
You can filter on the day number (1-7) rather than the day name (Monday, ...) with the command:
    set current_day [clock format [clock seconds] -format {%u}]
The iRule becomes:
    when RULE_INIT {
        set static::START_OFF_TIME [clock scan "05:30 AM"]
        set static::END_OFF_TIME [clock scan "01:00 PM"]
    }
    when HTTP_REQUEST {
        set now [clock seconds]
        set current_day [clock format [clock seconds] -format {%u}]
        if { ($current_day < 6 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
            HTTP::respond 200 content "Maintenance ModeMaintenance mode..."
        }
    }
- Ibrahim_KadiriNimbostratus
Stan,
We need to run this iRule on the specific site only, but the iRule below, which I created, is blocking the parent site. We need to allow access to the parent without time constraint, and block access for one of the sites with the iRule below.
    when RULE_INIT {
        set static::START_OFF_TIME [clock scan "05:30 AM"]
        set static::END_OFF_TIME [clock scan "01:00 PM"]
    }
    when HTTP_REQUEST {
        set now [clock seconds]
        set current_day [clock format [clock seconds] -format {%u}]
        if { ([string tolower [HTTP::uri]] contains "/contractor/") && ($current_day > 1 ) && ($current_day < 4 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
            pool POOL_443
        } elseif { ([string tolower [HTTP::uri]] contains "/contractor/") && ($current_day == 7 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
            pool POOL_443
        } else {
            HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
        }
    }
Hi, I have a similar requirement where I have to restrict VS access to an IP subnet for a particular window. Were you able to make it work? If so, can you please share the iRule?
Thanks
Ashu
You could rather open a new thread, it would have more visibility.
- Stanislas_Piro2Cumulonimbus
You can try something like that:
    when RULE_INIT {
        array set static::timerange {
            1 {"05:30" "13:00"}
            2 {"05:30" "13:00"}
            3 {"05:30" "13:00"}
            4 {"05:30" "13:00"}
            5 {"00:00" "00:00"}
            6 {"00:00" "00:00"}
            7 {"05:30" "13:00"}
        }
    }
    when HTTP_REQUEST {
        if { ([string tolower [HTTP::uri]] contains "/contractor/") } {
            set now [clock seconds]
            set current_day [clock format $now -format {%u}]
            lassign $static::timerange($current_day) start end
            if {($now >= [clock scan $start]) && ($now < [clock scan $end])} {
                set denied 0
            } else {
                set denied 1
            }
        } else {
            set denied 0
        }
        if { $denied } {
            HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
        } else {
            pool POOL_443
        }
    }
You can also use the day name instead of the number in the array...
Hi, I have a similar requirement, and when trying the above iRule it looks like it blocks the access but it doesn't pick up/sync with the system clock. It just keeps denying the requests. Can you please suggest?
Rgds/Ashu
- Stan_PIRON_F5Employee
I don't remember if this code used GMT or local timezone..
The comment I wrote above says lassign is not supported... try the code above.
- Stanislas_Piro2Cumulonimbus
The lassign command does not work in iRules.
The following code may solve this issue.
    when RULE_INIT {
        array set static::timerange {
            Sunday {"05:30" "13:00"}
            Monday {"05:30" "13:00"}
            Tuesday {"05:30" "13:00"}
            Wednesday {"05:30" "13:00"}
            Thursday {"05:30" "13:00"}
            Friday {}
            Saturday {}
        }
    }
    when HTTP_REQUEST {
        if { ([string tolower [HTTP::uri]] contains "/contractor/") } {
            set now [clock seconds]
            set current_day [clock format $now -format {%A}]
            set start [lindex $static::timerange($current_day) 0]
            set end [lindex $static::timerange($current_day) 1]
            if {($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end])} {
                set denied 0
            } else {
                set denied 1
            }
            unset start end
        } else {
            set denied 0
        }
        if { $denied } {
            HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
        } else {
            pool POOL_443
        }
        unset denied
    }
- Ibrahim_KadiriNimbostratus
Stan,
Thanks for the rule, but in your rule the second condition when HTTP_REQUEST is not being executed. I have created the rule below, which is working fine, but I need to add one more condition (if { ( [class match [IP::remote_addr] equals clntip]). When I add this condition to the rule below it is not working; the remainder of the rule is working fine.
Kindly advise.
    when RULE_INIT {
        set static::START_OFF_TIME [clock scan "05:30 AM"]
        set static::END_OFF_TIME [clock scan "04:00 PM"]
    }
    when HTTP_REQUEST {
        set now [clock seconds]
        set current_day [clock format [clock seconds] -format {%u}]
        if { not ([string tolower [HTTP::uri]] contains "/contracts/") } {
            pool POOL_443
        } elseif { ([class match [IP::remote_addr] equals clntip]) && ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day >= 1 ) && ($current_day < 4 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
            pool POOL_443
        } elseif { ([class match [IP::remote_addr] equals clntip]) && ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day == 7 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) && ( [class match [IP::remote_addr] equals clntip]) } {
            pool POOL_443
        } elseif { ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day == 5 ) or ($current_day == 6 ) } {
            HTTP::respond 200 content "Weekend!Its a Weekend! Contact Administrator..."
        } else {
            HTTP::respond 200 content "Not Authorised!Not Authorised! Contact Administrator..."
        }
    }
- Stanislas_Piro2Cumulonimbus
Hi,
In the first iRule I provided, there was an issue:
if clock scan is executed in RULE_INIT, the date will stay the day the iRule was last modified or the service restarted.
Try this iRule:
    when RULE_INIT {
        array set static::timerange {
            Sunday {"05:30" "16:00"}
            Monday {"05:30" "16:00"}
            Tuesday {"05:30" "16:00"}
            Wednesday {"05:30" "16:00"}
            Thursday {"05:30" "16:00"}
            Friday {}
            Saturday {}
        }
    }
    when HTTP_REQUEST {
        if { ([string tolower [HTTP::uri]] contains "/contractor/") } {
            if {!([class match [IP::remote_addr] equals clntip])} {set denied 1}
            set now [clock seconds]
            set current_day [clock format $now -format {%A}]
            set start [lindex $static::timerange($current_day) 0]
            set end [lindex $static::timerange($current_day) 1]
            if {($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end])} {
                set denied 0
            } else {
                set denied 1
            }
            unset start end
        } else {
            set denied 0
        }
        if { $denied } {
            HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
        } else {
            pool POOL_443
        }
        unset denied
    }
- Stanislas_Piro2Cumulonimbus
Hi Ibrahim,
The following iRule may work:
    when RULE_INIT {
        array set static::timerange {
            Sunday {"05:30" "16:00"}
            Monday {"05:30" "16:00"}
            Tuesday {"05:30" "16:00"}
            Wednesday {"05:30" "16:00"}
            Thursday {"05:30" "16:00"}
            Friday {}
            Saturday {}
        }
    }
    when HTTP_REQUEST {
        if { ([string tolower [HTTP::uri]] contains "/contractor/") } {
            if {!([class match [IP::remote_addr] equals clntip])} {
                set denied 1
            } else {
                set now [clock seconds]
                set current_day [clock format $now -format {%A}]
                set start [lindex $static::timerange($current_day) 0]
                set end [lindex $static::timerange($current_day) 1]
                if {($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end])} {
                    set denied 0
                } else {
                    set denied 1
                }
                unset start end
            }
        } else {
            set denied 0
        }
        if { $denied } {
            HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
        } else {
            pool POOL_443
        }
        unset denied
    }
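
The schedule check from the last iRule above, pulled out as plain Tcl so the per-day window logic and the stale `clock scan` issue described in the thread can be exercised in tclsh before the rule is attached to a virtual server. This is an added example, not code from any poster in the thread: `window_open`, the sample timestamps and the use of `-base` are assumptions for illustration, and only the day/time table is copied from the thread.

```tcl
# Added example (plain Tcl for tclsh), not an iRule from the thread.
# Schedule copied from the last iRule above: day name -> {start end}; empty = closed all day.
array set timerange {
    Sunday    {05:30 16:00}
    Monday    {05:30 16:00}
    Tuesday   {05:30 16:00}
    Wednesday {05:30 16:00}
    Thursday  {05:30 16:00}
    Friday    {}
    Saturday  {}
}

# Hypothetical helper: returns 1 if $now is inside that day's window, else 0.
# An unknown day name or an empty window fails closed (access denied).
proc window_open {now} {
    global timerange
    set day [clock format $now -format %A]
    if {![info exists timerange($day)]} { return 0 }
    set start [lindex $timerange($day) 0]
    set end   [lindex $timerange($day) 1]
    if {$start eq "" || $end eq ""} { return 0 }
    # -base anchors "05:30" to the calendar day of $now, so the boundary
    # is recomputed per call and never carries an old date.
    set t0 [clock scan $start -base $now]
    set t1 [clock scan $end -base $now]
    return [expr {$now >= $t0 && $now < $t1}]
}

# Constructed sample times, interpreted in the local timezone of this machine.
foreach sample {"2024-03-04 06:00" "2024-03-04 17:00" "2024-03-08 10:00"} {
    set now [clock scan $sample]
    puts "$sample [clock format $now -format %A] open=[window_open $now]"
}

# The RULE_INIT pitfall from the thread: a boundary parsed once keeps the
# date it was parsed on, so a request on a later day compares against it.
set stale [clock scan "05:30" -base [clock scan "2024-03-04 00:00"]]
set later [clock scan "2024-03-05 06:00"]
puts "boundary date=[clock format $stale -format %Y-%m-%d] request date=[clock format $later -format %Y-%m-%d]"
```

Because `clock format` and `clock scan` use the local timezone unless told otherwise, running this on the same box (or with the same TZ setting) as the BIG-IP shows which day and window a given request time actually resolves to.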