
Forum Discussion

puluck
Dec 18, 2013

irule

Hi friends. I need to restrict access so that only a few users can reach a particular website on a different port with the same VIP. Can we do this with an iRule, by creating a data group and attaching that iRule to a new VIP for the same website on a different port? A few users should be allowed; the others should be denied.

 

3 Replies

  • I wanted to restrict client IPs, but only for a specific port. So I have created a new VIP with a different port, so the URL will be something like https://www.abc.com:port/URI.

     

    With the same VIP, URLs are already running on ports 443 and 80: https://www.abc.com/Uri. Hope I answered your query.

     

  • Hi, if my understanding is correct, you have multiple VSes with the same VIP running on port 80, port 443, and a new port.

    And your requirement is to restrict access to the VIP on the new port.

    You can achieve this with the method below. Create a DATAGROUP for the specific users to which you are providing access.

    I tried it out in TMSH with the code below.

     

    Creating a Datagroup
    ltm data-group internal DG1 {
        records {
            192.168.1.0/25 { }
            192.168.3.0/24 { }
        }
        type ip
    }
    Associate and match the DATAGROUP in your iRule and set your policy whether to allow or deny
    ltm rule AppAccess_1 {
        when HTTP_REQUEST {
            # Drop the request unless the client address falls within a record of the DG1 address data group
            if { ![class match [IP::remote_addr] equals DG1] } {
                drop
            }
        }
    }
    Associate the iRule to the virtual server
    Create a VS with NEW_PORT_NUMBER
    ltm virtual vs_web1 {
        destination 10.10.10.1:NEW_PORT_NUMBER
        ip-protocol tcp
        mask 255.255.255.255
        pool webpool1
        profiles {
            http { }
            tcp { }
        }
        rules {
            AppAccess_1
        }
        snat automap
        vlans {
            outside
        }
        vlans-enabled
    }

    ---------------------------XXXXX--END--XXXXX-----------------------

     

    The same can be done in the web GUI.

    • Create a data group: navigate to Local Traffic -> iRules -> Data Group List.

    Create a new data group of type Address, add the hosts/networks of your interested sources, and finish.

    Create an iRule and associate it with the data group.

    • Navigate to Local Traffic -> iRules -> iRule List.

    Create an iRule with the code below.

    when HTTP_REQUEST {
        # Drop the request unless the client address falls within a record of the DG1 address data group
        if { ![class match [IP::remote_addr] equals DG1] } {
            drop
        }
    }

    Associate the iRule with the new virtual server.

    • Navigate to Local Traffic -> Virtual Servers -> Virtual Server List.

    Create your new virtual server and associate this iRule under the Resources tab of your new virtual server.

     

    Hope this will help you.
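A tighter variant of the allow-list iRule, added here as an example and not code from the thread above. It assumes an address-type data group named allowed_clients (the thread's DG1 works the same way) attached only to the new-port virtual server. Evaluating the source address in CLIENT_ACCEPTED instead of HTTP_REQUEST rejects an unauthorised client when the TCP connection is accepted, before any TLS handshake or HTTP parsing takes place, so it works on an HTTPS port without the iRule depending on a client-ssl or http profile, and the log line leaves a record of refused sources.

```tcl
# Added example, not from the original thread. Assumes an address-type data
# group named "allowed_clients" holding the permitted client networks, e.g.
#   ltm data-group internal allowed_clients {
#       records { 192.168.1.0/25 { } 192.168.3.0/24 { } }
#       type ip
#   }
# Attach this iRule only to the new-port virtual server; the port 80/443
# virtual servers keep their existing behaviour.
when CLIENT_ACCEPTED {
    # class match checks whether the source address falls inside any CIDR
    # record of the data group; with the records above, 192.168.1.50 matches
    # 192.168.1.0/25 but 192.168.1.200 does not (the /25 ends at .127).
    if { ![class match [IP::client_addr] equals allowed_clients] } {
        # Record source, destination and port before tearing the connection
        # down. reject sends a TCP RST; substitute drop for a silent discard.
        log local0. "Denied [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] (not in allowed_clients)"
        reject
    }
}
```

Two caveats when deploying this. IP::client_addr (the same value as IP::remote_addr on the client side) is the address of the TCP peer, so if another proxy or load balancer sits in front of the BIG-IP the allow list will only ever see that device's address; an X-Forwarded-For header is attacker-controlled and must not be used for this decision unless the upstream proxy is the only path to the VIP and always overwrites it. Also, if you keep the HTTP_REQUEST form from the thread on an HTTPS port, the virtual server needs a client-ssl profile alongside the http profile, otherwise HTTP_REQUEST never fires and the rule never runs.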