Forum Discussion
Glenn_32883
Nimbostratus
Nimbostratusirule to restrict access by ip
Hi everyone,
My irule experience is basically setting up some redirects. Now I am trying to set up a whitelist of IPs to restrict who can access a certain sub folder of our site. The rest ...
Michael_YatesNimbostratus
NimbostratusActually I believe that it is your original iRule.
All traffic is passed through an iRule that is applied to a Virtual Server.
when HTTP_REQUEST {
if { ([HTTP::uri] starts_with "/epp") and ([matchclass [IP::remote_addr] equals $$epp-test]) } {
HTTP::redirect https://[HTTP::host][HTTP::uri]
} else {
drop }
}
You are telling it to look for an [HTTP::uri] of "/epp" and compare it to see if the IP Address of the client matches a list of IP Addresses contained in your Datagroup.
If it IS, then redirect it.
If it does not match the IF Statement, drop it. This includes everything else.
The drop includes all traffic other traffic (that doesn't get redirected by the first part of the iRule).
Try this. I believe it is what you are looking for.
when HTTP_REQUEST {
if { ([HTTP::uri] starts_with "/epp") and !([matchclass [IP::remote_addr] equals $::epp-test]) } {
drop
}
elseif { ([HTTP::uri] starts_with "/epp") and ([matchclass [IP::remote_addr] equals $::epp-test]) } {
HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
}
The first IF Statement looks for the "/epp" and sees if the Client IP Address matches the Datagroup List. If it does NOT (Note the exclamation point !([matchclass) then it drops it. If it DOES, then it goes to the next portion of the iRule.
The ELSEIF does the compare again and if you are in the Datagroup, it redirects you to go HTTPS.
You could also replace the Drop (Kind of harsh) with something like:
HTTP::respond 403
or
HTTP::redirect "/"
Hope this helps.
