Forum Discussion
hooleylist
Aug 04, 2011
Cirrostratus
If you create an address type datagroup you can use an iRule like this. Keep in mind that users can insert any arbitrary header. So if someone knew you were using this kind of logic they could bypass it.
when HTTP_REQUEST {
    # Check if the XFF header is set and not null
    if {[HTTP::header X-Netli-Forward-For] ne ""}{
        # Look up the value in the allowed_ips_class datagroup
        if {not [class match [IP::client_addr] equals allowed_ips_class]}{
            # Reset the connection
            reject
        }
    }
}
Aaron
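
The header-spoofing caveat in the post above can be narrowed by honoring X-Netli-Forward-For only when the connection itself comes from a known proxy. This is an added example, not code from the original post. It assumes a second, hypothetical address-type datagroup named trusted_proxy_ips_class, assumes the proxy sends exactly one instance of the header, and applies allowed_ips_class to every request rather than only to requests that carry the header.

```tcl
# Added example, not from the original post.
# trusted_proxy_ips_class is a hypothetical address-type datagroup holding the
# proxy egress addresses; allowed_ips_class is the datagroup named in the post.
when HTTP_REQUEST {
    # Default: judge the request by the address that actually connected
    set check_ip [IP::client_addr]

    if {[HTTP::header exists X-Netli-Forward-For]} {
        if {[class match [IP::client_addr] equals trusted_proxy_ips_class]} {
            # Assumption: a trusted proxy sends exactly one instance of the
            # header, so more than one is treated as ambiguous and refused
            if {[HTTP::header count X-Netli-Forward-For] != 1} {
                log local0. "Ambiguous X-Netli-Forward-For via [IP::client_addr]"
                reject
                return
            }
            set check_ip [HTTP::header value X-Netli-Forward-For]
        } else {
            # Header came from a peer that is not a known proxy: drop it so
            # nothing downstream trusts it, and keep checking the peer address
            HTTP::header remove X-Netli-Forward-For
        }
    }

    # class match against an address-type datagroup errors on a malformed
    # address, so a caught error is handled the same as "not in the datagroup"
    if {[catch {class match $check_ip equals allowed_ips_class} allowed] || !$allowed} {
        log local0. "Rejected request from [IP::client_addr]"
        reject
    }
}
```

The log lines record only the connecting address, so a client-supplied header value never reaches the log.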