Forum Discussion
Irule to inspect URI and then validate client is in allowed ip range?
Hello,
We are trying to write a simple Irule that will inspect uri to match a string and if that specific string matches, check that the client is coming from an allowed IP address range. We have tried multiple permutations with very little luck. Any help would be very much appreciated.
5 Replies
- Kevin_Stewart
Employee
Start with something like this:
when HTTP_REQUEST {
    if { ( [string tolower [HTTP::uri]] equals "/foo" ) and not ( [IP::addr [IP::client_addr] equals "10.0.0.0/8"] ) } {
        reject
    }
}
- bbensten_8485
Nimbostratus
Kevin,
Thanks for your help. We modified that Irule with specifics as follows:
when HTTP_REQUEST {
    if { ( [string tolower [HTTP::uri]] equals "/OpenAM/UI/Login?module=DataStore" ) and not ( [IP::addr [IP::client_addr] equals "173.0.0.0/8"] ) } {
        reject
    }
}
This does not reject still for some reason. Any idea what we are missing?
- bbensten_8485
Nimbostratus
I am sure the irule is being called because if I use the following, it works every time:
when CLIENT_ACCEPTED {
    if { ! [IP::addr [IP::client_addr] equals 173.79.131.23/24] } {
        log local0. "Blocking [IP::client_addr]"
        reject
    }
}
- bbensten_8485
Nimbostratus
This solved it.
when HTTP_REQUEST {
    if { ([HTTP::uri] contains "/OpenAM/UI/Login?module=DataStore") } {
        if { ! [IP::addr [IP::client_addr] equals 173.79.131.23/24] } {
            log local0. "Blocking [IP::client_addr]"
            reject
        }
    }
}
- IheartF5_45022
Nacreous
If /OpenAM is at the beginning of the uri then 'starts_with' is more efficient on paper than 'contains'.
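An added example, not code posted by anyone in the thread, combining the points above. The second attempt could never match because it compared a lowercased URI with a mixed-case literal; this version lowercases once, compares only against lowercase literals, and checks path and query separately so the match does not depend on `module` being the first parameter. The allowed network `192.0.2.0/24` is a placeholder (documentation range) to be replaced with your own.

```tcl
when HTTP_REQUEST {
    # Normalise case once; every literal below must therefore be lowercase.
    set path  [string tolower [HTTP::path]]
    set query [string tolower [HTTP::query]]

    # Protected resource from the thread: the OpenAM login page with the
    # DataStore module selected. HTTP::path excludes the query string, so
    # the prefix test is unaffected by extra or reordered parameters.
    if { ($path starts_with "/openam/ui/login") and ($query contains "module=datastore") } {

        # Placeholder allow-list network (assumption): replace 192.0.2.0/24
        # with the real permitted range.
        if { not [IP::addr [IP::client_addr] equals 192.0.2.0/24] } {
            log local0. "Blocking [IP::client_addr] for [HTTP::uri]"
            reject
            return
        }
    }
}
```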