Forum Discussion
Mark_Burchard_5
Nimbostratus
Mar 21, 2006
iRule to limit access to webserver directory by client IP
Hi all,
First time posting here, and you'll probably laugh and shake your heads at this simple problem, but hopefully I'll learn. I have searched for similar iRules and can't seem to find them.
This is my issue: I'm looking to deny access by client IP to a certain directory on a site (e.g. host.domain.tld/Example). For clients originating from the correct IP range(s), it would pass them through. For those outside the allowed range, it would redirect them to the site's base URI.
Here is what I have so far:
when HTTP_REQUEST {
if { [matchclass [HTTP::uri] contains "/Example"] }
if { [[IP::client_addr] not equals mask "10.0.0.0\24"] }
HTTP::respond 301 Location "http://host.domain.tld/"
}
The iRule validator has this to say about that rule:
line 3: [missing a script after "if"] [ ]
line 5: [missing a script after "if"] []
Am I even on the right track here? Has anybody ever tried to use an iRule this way?
Thanks very much in advance for any help you can give.
-Mark
7 Replies
- Mark_Burchard_5
Nimbostratus
Colin,
Your help is much appreciated. I'll be able to test this tonight during a maintenance window.
One last question, if I may: If I wanted to add a second or third IP range, how would I best insert that in the rule?
Thanks!
-Mark
- JRahm
Admin
when HTTP_REQUEST {
   if { ( [string tolower [HTTP::uri]] starts_with "/example" ) and ( not ( [matchclass [IP::client_addr] equals $::IPranges] ) ) } {
      HTTP::redirect "http://host.domain.tld/"
   }
}
(assumes ::IPranges is defined with your IP ranges)
- Guillaume_Bruss
Nimbostratus
I tried this:
when RULE_INIT {
   log local0. "Init redirect Https V2"
   array set ::http_allowed_ip_list { "10.0.0.11/12" "10.0.0.12/13" }
}
when HTTP_REQUEST {
   log local0. "IP [IP::client_addr] Tries to connect"
   if { ( not ( [matchclass [IP::client_addr] equals $::http_allowed_ip_list] ) ) } {
      HTTP::redirect https://[HTTP::host][HTTP::uri]
   }
}
but I get an error:
TCL error: Rule redirection_https_v2 - can't read "::http_allowed_ip_list": variable is array while executing "matchclass [IP::client_addr] equals $::http_allowed_ip_list
I suppose this is because I don't declare my array correctly,
but it seems I have no error during init.
Any help appreciated.
Thanks
- Colin_Walker_12
Historic F5 Account
This is because you're defining an array when what you really want is a class.
You can define this in the GUI under the Data Groups section, or manually in the configuration file if you prefer, by declaring a class outside of your iRule (just as you would define a VIP or a pool), like so:
class http_allowed_ip_list { "10.0.0.11/12" "10.0.0.12/13" }
You should then be able to remove the array definition statement in your rule, and have the matchclass execute properly.
Colin
- Guillaume_Bruss
Nimbostratus
Thanks Colin,
I created two data groups with the GUI:
one data group of type "Address",
but I can't add an IP range;
one data group of type "String",
in which I set
10.20.1.61/62
Unfortunately
the String data group doesn't work with the preceding rule.
Perhaps I made a mistake in the String format.
Thanks again
- Colin_Walker_12
Historic F5 Account
In the GUI, if you create a data group and set the type to "Address", then under the Records section, you'll want to select "Network" as the type. This will display another field that allows you to enter the network mask along with the address.
HTH,
Colin
- Derek_Nelson_10
Nimbostratus
Hi.
Also note a pitfall that I discovered when trying to do something similar to this...
If you are using a OneConnect profile, be aware that it is possible for the source IP address to be translated BEFORE the iRule processes the client source (by design of OneConnect).
For example, if you want to allow access to the 10.0.0.0/8 network, make sure your OneConnect profile has an 8-bit source mask or more, rather than the default 0-bit mask. Otherwise it is possible that connections to the /Example page will be redirected if they are piggy-backed onto an existing idle connection to that virtual server from a host in a different source IP address range.
e.g. if host 1.2.3.4 connects to /index.html, the connection goes idle, and then host 10.1.2.3 connects to /Example and OneConnect re-uses the connection, the source IP address of the 10.1.2.3 client will be changed to 1.2.3.4 and your iRule will redirect them...
Cheers,
- Derek.
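Pulling the thread together, here is an added example (not code from any poster) of the approach the replies converge on: the allowed ranges live in a data group rather than in the rule, the class is checked with matchclass, and the path is lowercased before comparison. It assumes an Address-type data group named http_allowed_ip_list, defined outside the iRule as Colin describes, and it narrows the match so that only /example itself and paths under /example/ are protected (starts_with alone would also catch /example-public). Derek's OneConnect source-mask caveat is a profile setting and is not something the rule can fix.

```tcl
# Assumed: an Address-type data group "http_allowed_ip_list" exists,
# holding every allowed network (add a second or third range there,
# not in the rule). Referenced v9-style as $::http_allowed_ip_list.
when HTTP_REQUEST {
    # HTTP::path excludes the query string; lowercase it so
    # /Example and /EXAMPLE are treated the same as /example.
    set path [string tolower [HTTP::path]]

    # Restrict only the protected directory; everything else passes.
    if { $path equals "/example" or $path starts_with "/example/" } {
        if { not [matchclass [IP::client_addr] equals $::http_allowed_ip_list] } {
            # Log the denial so blocked clients can be audited, then
            # send them to the site's base URI (HTTP::redirect is a 302).
            log local0. "Denied [IP::client_addr] to [HTTP::host][HTTP::uri]"
            HTTP::redirect "http://[HTTP::host]/"
            return
        }
    }
}
```

On v10 and later the same check is written with `class match [IP::client_addr] equals http_allowed_ip_list` instead of matchclass with the $:: prefix.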