Forum Discussion
Sanal_Babu
Altostratus
Jan 17, 2016
iRule_urls/allow/block/restrict
Can anyone please help to create an iRule for the below requirement?
I have created two data groups in my F5, for source IP as well as URL list
IP data group name : allowed_IP
URL data group ...
Kai_Wilke
MVP
Jan 17, 2016
Hi Sanalbabu,
I've written two different versions for you, to optimize the performance based on your expected request pattern. So please estimate your expected request pattern and then use the outlined iRule of either Scenario1 or Scenario2.
Scenario1
The iRule below should be used if you expect many requests to trigger the IP-based allow list for /xyz.

    when CLIENT_ACCEPTED {
        # Evaluate the client IP once per connection and cache the result
        if { [class match [IP::client_addr] equals DataGroup_ALLOWED_IP_ADDR] } then {
            set my_trusted_clients 1
        } else {
            set my_trusted_clients 0
        }
    }
    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals "www.abc.com" } then {
            set low_uri [string tolower [HTTP::uri]]
            if { [class match $low_uri starts_with Datagroup_ALLOWED_URIs] } then {
                # You may insert additional iRule code here, to handle requests to the explicitly allowed sub-sites
            } elseif { $low_uri starts_with "/xyz" } then {
                if { $my_trusted_clients } then {
                    # You may insert additional iRule code here, to handle requests from the explicitly allowed client IPs
                } else {
                    # Insert your block code here, to handle the blocked requests
                    # Below are some examples (use only one response command per request)...
                    # 1.) Sending a redirect
                    # HTTP::redirect "http://www.somesite.com/errorpage.html"
                    # 2.) Sending an error page
                    HTTP::respond 403 content "Access denied"
                }
            } else {
                # You may insert additional iRule code here, to handle requests to other sub-sites
            }
        } else {
            # You may insert additional iRule code here, to handle requests to other sites
        }
    }

Scenario2
The iRule below should be used if you expect just a few requests to trigger the IP-based allow list for /xyz.

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals "www.abc.com" } then {
            set low_uri [string tolower [HTTP::uri]]
            if { [class match $low_uri starts_with Datagroup_ALLOWED_URIs] } then {
                # You may insert additional iRule code here, to handle requests to the explicitly allowed sub-sites
            } elseif { $low_uri starts_with "/xyz" } then {
                # The client IP is only checked when a request for /xyz arrives
                if { [class match [IP::client_addr] equals DataGroup_ALLOWED_IP_ADDR] } then {
                    # You may insert additional iRule code here, to handle requests from the explicitly allowed client IPs
                } else {
                    # Insert your block code here, to handle the blocked requests
                    # Below are some examples (use only one response command per request)...
                    # 1.) Sending a redirect
                    # HTTP::redirect "http://www.somesite.com/errorpage.html"
                    # 2.) Sending an error page
                    HTTP::respond 403 content "Access denied"
                }
            } else {
                # You may insert additional iRule code here, to handle requests to other sub-sites
            }
        } else {
            # You may insert additional iRule code here, to handle requests to other sites
        }
    }

Cheers, Kai
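
A hardened variant of Scenario2, added here as an example and not part of the reply above: it fills in the deny branch with a 403 plus a log line, and matches on the normalized path instead of the raw URI so that the query string and equivalent spellings of /xyz get the same decision. It assumes the data group entries are lowercase path prefixes and a TMOS version that supports `HTTP::path -normalized`; stripping the port from the Host header is also an addition.

```tcl
# Added example (not from the original thread).
# Data group names are the ones used in the reply above.
when HTTP_REQUEST {
    # Strip an optional ":port" so "www.abc.com:80" is treated like "www.abc.com"
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $host ne "www.abc.com" } {
        # Other sites: not covered by this policy
        return
    }

    # Normalized path only: no query string, percent-encoding and
    # dot-segments resolved before any comparison is made.
    # Assumption: the running TMOS version supports the -normalized flag.
    set low_path [string tolower [HTTP::path -normalized]]

    if { [class match $low_path starts_with Datagroup_ALLOWED_URIs] } {
        # Explicitly allowed sub-sites: open to every client
        return
    }

    # Note: like the original rule, this prefix also covers paths such as /xyzabc
    if { $low_path starts_with "/xyz" } {
        if { [class match [IP::client_addr] equals DataGroup_ALLOWED_IP_ADDR] } {
            # Client IP is on the allow list
            return
        }
        # Record the denial so blocked attempts show up in /var/log/ltm
        log local0.notice "Denied [IP::client_addr] -> ${host}${low_path}"
        HTTP::respond 403 content "Access denied" "Content-Type" "text/plain" "Connection" "close"
        return
    }

    # Other sub-sites of www.abc.com fall through unchanged
}
```

Logging the normalized path rather than the raw URI keeps client-controlled query strings out of the log line.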