For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

P_Shepherd_1790's avatar
P_Shepherd_1790
Icon for Nimbostratus rankNimbostratus
Sep 11, 2018

iRule to block access to folders within IIS

Hi I have an issue with an iRule working in a Virtual LAB environment but when applied to the live environment it behaves differently. The difference between the Virtual LAB and the live is the I...
application delivery
iRules
Lee_Sutcliffe's avatar
Lee_Sutcliffe
Icon for Nacreous rankNacreous
Sep 12, 2018

You could do this more simply using datagroups. Define your folders in one datagroup 'folder_dg' and your internal ip addresses in another 'internal_ips'

The iRule will check if the URI contains anything in the datagroup 'folder_dg', if the IP is not internal (not in the internal_ip) datagroup. The connection will be rejected. You do not need to define the NAT IPs as you want to block all other IPs anyway

For example:

ltm data-group internal folder_dg {
    records {
        _vti_bin {}
        _layouts {}
        _windows {}
    }
    type string
}

ltm data-group internal internal_ips {
    records {
        10.10.200.0/24 {}
        10.10.201.0/24 {}
    }
    type ip
}

when HTTP_REQUEST {
    if {[class match [HTTP::uri] contains folder_dg]} {
        if {!([class match [IP::addr [IP::client_addr]] equals internal_ips])} {
            reject
        }
    }
}