Forum Discussion
Mark_Burchard_5
Nimbostratus
NimbostratusiRule to limit access to webserver directory by client IP
Hi all,
First time posting here, and you'll probably laugh and shake your heads at this simple problem, but hopefully I'll learn. I have searched for similar iRules and can't seem to find them.
This is my issue: I'm looking to deny access by client ip to a certain directory on a site (eg. host.domain.tld/Example. For clients originating from the correct IP range(s), it would pass them through. For those outside the allowed range, it would redirect them to the site's base URI.
Here is what I have so far:
when HTTP_REQUEST {
if { [matchclass [HTTP::uri] contains "/Example"] }
if { [[IP::client_addr] not equals mask "10.0.0.0\24"] }
HTTP::respond 301 Location "http://host.domain.tld/"
}
The iRule validator has this to say about that rule:
line 3: [missing a script after "if"] [ ]
line 5: [missing a script after "if"] []
Am I even on the right track here? Has anybody ever tried to use an iRule this way?
Thanks very much in advance for any help you can give.
-Mark
Mark_Burchard_5Colin,
Your help is much appreciated. I'll be able to test this tonight during a maintenance window.
One last question, if I may: If I wanted to add a second or third IP range, how would I best insert that in the rule?
Thanks!
-Mark- JRahm
Admin
when HTTP_REQUEST { if { ( [ string tolower [HTTP::uri] ] starts_with "/example" ) and ( not ( [ matchclass [IP::client_addr] equals $::IPranges ] ) ) } { HTTP::redirect "http://host.domain.tld/" } }
(assumes ::IPranges is defined with your IP ranges) 
Guillaume_BrussI try thiswhen RULE_INIT { log local0. "Init redirect Https V2" array set ::http_allowed_ip_list { "10.0.0.11/12" "10.0.0.12/13" } } when HTTP_REQUEST { log local0. "IP [IP::client_addr] Tries to connect" if { ( not ( [ matchclass [IP::client_addr] equals $::http_allowed_ip_list ] ) ) } { HTTP::redirect https://[HTTP::host][HTTP::uri] } }
but I have an error
TCL error: Rule redirection_https_v2 - can't read "::http_allowed_ip_list": variable is array while executing "matchclass [IP::client_addr] equals $::http_allowed_ip_list
I suppose this is because I don't declare well my array
but it seems I have no error during init
any help appreciate
thanks- This is because you're defining an array when what you really want is a class.
You can define this in the GUI under the Data Groups section, or manually in the configuration file if you prefer, by stating a class outside of your iRule (just as you would define a VIP or a pool) like so:class http_allowed_ip_list { "10.0.0.11/12" "10.0.0.12/13" }
You should then be able to remove the array definition statement in your rule, and have the matchclass execute properly.
Colin - Guillaume_Brussthanks Collin
I create a 2 datagroup with GUI
one Datagroup of type "Address"
but I can't add Ip-range
One Datagroupe of type String
in wich I set
10.20.1.61/62
unfortunatly
the String Datagroup don't work with the precedent Rule
perhaps I make a mistake in the String format
Thanks again - In the GUI, if you create a data group and set the type to "Address", then under the Records section, you'll want to select "Network" as the type. This will display another field that allows you to enter the network mask along with the address.
HTH,
Colin - Derek_Nelson_10Hi.
Also note a pitfall that I discovered when trying to do similar to this...
If you are using an oneconnect profile, be aware that it is possible for the source ip address to be translated BEFORE the iRule processes the client source (by design of oneconnect).
For example if you want to allow access to the 10. /8 network make sure your oneconnect profile has a 8-bit mask or more, rather than the default of 0-bit mask. Otherwise it is possible for connections to the /Example page will be re-directed if they are piggy-backed into an existing idle connection to that virtual server from a host with a different source ip address range.
e.g. if host 1.2.3.4 connects to /index.html, the connection goes idle, and then host 10.1.2.3 connects to /Example and one-connect re-uses the connection, the source ip address of the 10.1.2.3 client will be changed to 1.2.3.4 and your iRule will re-direct them...
Cheers,
- Derek.
