Forum Discussion
Glenn_32883
Nimbostratus
Nimbostratusirule to restrict access by ip
Hi everyone,
My irule experience is basically setting up some redirects. Now I am trying to set up a whitelist of IPs to restrict who can access a certain sub folder of our site. The rest of the site is available to the public.
I tried some of the examples I could find here and came up with this.
when HTTP_REQUEST {
if { ([HTTP::uri] starts_with "/epp") and ([matchclass [IP::remote_addr] equals $$epp-test]) } {
HTTP::redirect https://[HTTP::host][HTTP::uri]
} else {
drop }
}
I have a Data Group List called epp-test.
When I put this in place it seems to drop everything, whether I come from an IP on the list or not, and even if I am trying to access parts of my site not in "/epp"
Any suggestions would be greatly appreciated!
Glenn
hoolioCirrostratus
Hi Glenn,
If you check /var/log/ltm, you should see a TCL runtime error on every request because the datagroup epp can't be found. You could either replace the - with an _ in the datagroup name, or change your iRule to reference the datagroup as ${epp-test}. You can search the forums for "hyphen" and "datagroup" for more info.
Aaron
Michael_YatesActually I believe that it is your original iRule.
All traffic is passed through an iRule that is applied to a Virtual Server.
when HTTP_REQUEST {
if { ([HTTP::uri] starts_with "/epp") and ([matchclass [IP::remote_addr] equals $$epp-test]) } {
HTTP::redirect https://[HTTP::host][HTTP::uri]
} else {
drop }
}
You are telling it to look for an [HTTP::uri] of "/epp" and compare it to see if the IP Address of the client matches a list of IP Addresses contained in your Datagroup.
If it IS, then redirect it.
If it does not match the IF Statement, drop it. This includes everything else.
The drop includes all traffic other traffic (that doesn't get redirected by the first part of the iRule).
Try this. I believe it is what you are looking for.when HTTP_REQUEST { if { ([HTTP::uri] starts_with "/epp") and !([matchclass [IP::remote_addr] equals $::epp-test]) } { drop } elseif { ([HTTP::uri] starts_with "/epp") and ([matchclass [IP::remote_addr] equals $::epp-test]) } { HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri] } }
The first IF Statement looks for the "/epp" and sees if the Client IP Address matches the Datagroup List. If it does NOT (Note the exclamation point !([matchclass) then it drops it. If it DOES, then it goes to the next portion of the iRule.
The ELSEIF does the compare again and if you are in the Datagroup, it redirects you to go HTTPS.
You could also replace the Drop (Kind of harsh) with something like:
HTTP::respond 403
or
HTTP::redirect "/"
Hope this helps.- Glenn_32883Thanks for the input everyone! Just posting back what worked for me for future reference.
Wound up flipping the logic where if not on the list close, instead of redirecting if on the list. I changed to an underscore as well.
when HTTP_REQUEST {
if { ([HTTP::uri] starts_with "/epp") and ! ([matchclass [IP::remote_addr] equals $::epp_test]) } {
HTTP::close
}
}
Many thanks!
Glenn 
DaveC_53879Where and how are you defining $::epp_test? Thanks- nitass
Employee
Where and how are you defining $::epp_test?i understand it is a data group. it is under local traffic/irules/data group list in webui. in cli, it is called class.
e.g.[root@ve1023:Active] config b class epp_test list class epp_test { { host 1.1.1.1 network 20.20.20.0/24 } }
