Forum Discussion
iRule to restrict public users to a specific service URI, whilst allowing internal users to access anything they like (along with
Hi All,
First post, and I'm a relative newbie when it comes to iRules, so any assistance would be much appreciated.
I have a single VS that accepts connections from both public customers and internal service users, and I've had a request to stop Public users from accessing anything other than www.test.com/SelfService, whilst allowing internal users access to everything.
On top of the URI filtering/redirects required above, the requester also wants all requests (both public and private) to be redirected to HTTPS.
I thought that something along the lines of the below might work, but the iRule editor bombs out and my test LTMs (running TMOS 11.5.3) also aren't happy, so I'm looking for suggestions on how best to achieve the requirements listed above.
Suggested iRule
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals DataGroup_PRIVATE_IP_ADDR] } then {
        set untrusted_clients 0
    } else {
        set untrusted_clients 1
    }
}
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] equals “test.com” } then {
        set low_uri [string tolower [HTTP::uri]]
        if { $untrusted_clients } then {
            HTTP::redirect "https://test.com/SelfService”
        } else {
            HTTP::redirect "https://test.com/[HTTP::uri]
        }
Your assistance would be much appreciated, as currently I'm pulling my hair out with this one.
4 Replies
- Hannes_Rapp_162
Nacreous
Untested, but the logic should work. Apply that iRule to your TCP/443 VS (test in QA first).
when HTTP_REQUEST {
    # Redirect clients that are not in the private_net data group
    # when they request any path other than /SelfService
    if { not ([HTTP::path] eq "/SelfService") and not ([class match [IP::client_addr] equals private_net]) } {
        HTTP::respond 302 noserver Location "https://[HTTP::host]/SelfService" Connection Close
    }
}
To enforce the explicit use of HTTPS, just apply an HTTPS redirect iRule to your VS that's listening on TCP/80 port. You can use _sys_https_redirect (one of the default iRules). If you don't have a dedicated TCP/80 VS yet, I recommend creating one so that you have two Virtual Servers with the same IP, but with a different port number.
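An added example, not part of the reply above or of any F5-supplied code: a variant of that iRule that also lets public clients reach paths below /SelfService, compares the path case-insensitively, and redirects to a fixed host. It assumes the private_net data group named in the reply and the host www.test.com from the question; that sub-paths should be public is an assumption as well.

```tcl
when HTTP_REQUEST {
    # Internal clients (members of the private_net address data group,
    # name taken from the reply above) are not restricted.
    if { [class match [IP::client_addr] equals private_net] } {
        return
    }

    # HTTP::path excludes the query string. Decode it once and lower-case it
    # so that /selfservice and %-encoded spellings are compared consistently.
    set path [string tolower [URI::decode [HTTP::path]]]

    # Allow the exact path or anything below it. Requiring the trailing "/"
    # for sub-paths keeps a sibling such as /SelfServiceAdmin off the
    # allow-list, which a bare starts_with "/selfservice" would admit.
    # Any path with a "/.." sequence is refused (conservatively), because
    # the path is not normalized before the pool member resolves it.
    if { ($path eq "/selfservice" or $path starts_with "/selfservice/") and not ($path contains "/..") } {
        return
    }

    # Everything else from public clients goes back to the self-service page.
    # A fixed host (assumed: www.test.com, from the question) avoids echoing
    # the client-supplied Host header into the Location header.
    HTTP::respond 302 noserver Location "https://www.test.com/SelfService" Connection Close
}
```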
- Simon_Lodge
Nimbostratus
Fantastic,
And thanks for such a quick response! I'll test with the client and update the thread with the results.