L__G_
Altostratus
Sep 28, 2017
Irules restrict access to an URI for only several IPs
Hello,
Could you help me with this iRule and data-group (LTM : 10.2.3)?
I want to restrict access to a URI (containing "TEST") to only a few IPs. But it doesn't work. I catch the string "TEST" in the URI but I never go (and log) into the PERMIT section.
ltm data-group TEST_AllowedAddresses {
    partition IN-PARTITION
    records {
        10.20.30.1%1/32 {
            data host1
        }
        10.30.40.1%1/32 {
            data host2
        }
        10.20.30.2%1/32 {
            data host4
        }
        10.20.40.5%1/32 {
            data host3
        }
    }
    type ip
}
when HTTP_REQUEST {
    if { [HTTP::uri] contains "TEST" } {
        log local0. "[IP::client_addr] URI CONTAINS TEST"
        if { [class match [IP::client_addr] equals TEST_AllowedAddresses] } {
            log local0. "[IP::client_addr] PERMIT"
            pool pool-www.site.com
        } else {
            log local0. "[IP::client_addr] REDIRECT"
            HTTP::redirect http://www.perdu.com
        }
    } else {
        log local0. "[IP::client_addr] URI DO NOT CONTAINS TEST"
        pool pool-www.site.com
    }
}
Here are the logs:
Sep 27 18:09:51 local/tmm1 info tmm1[5093]: Rule TEST-restrict : 10.20.30.1%1 URI CONTAINS TEST
Sep 27 18:09:51 local/tmm1 info tmm1[5093]: Rule TEST-restrict : 10.20.30.1%1 REDIRECT
- Lee_Sutcliffe
Nacreous
Try removing the /32 from the datagroup as this isn't included in the request from the client and changing the type to string:
ltm data-group TEST_AllowedAddresses {
    partition IN-PARTITION
    records {
        10.20.30.1%1 { }
        10.30.40.1%1 { }
        10.20.30.2%1 { }
        10.20.40.5%1 { }
    }
    type string
}
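The rule from the question paired with the string-type data group suggested in the reply, as an added example that is not part of the original thread. It goes slightly beyond the thread by decoding and case-folding the URI before the match, so the restriction also covers differently cased or percent-encoded forms of the same URI; the variable names `client` and `uri` are illustrative.

```tcl
# Added example, not code from the thread.
# Assumes the string-type data group TEST_AllowedAddresses from the reply,
# whose records are written exactly as the address appears in the logs
# (for example "10.20.30.1%1", with the route-domain suffix and no mask).
when HTTP_REQUEST {
    # [IP::client_addr] includes the route-domain suffix ("%1"), as the
    # posted log lines show, so it is compared as a whole string.
    set client [IP::client_addr]

    # Normalise before testing: decode percent-escapes, then fold case,
    # so the check does not depend on how the client spelled the URI.
    set uri [string toupper [URI::decode [HTTP::uri]]]

    if { $uri contains "TEST" } {
        if { [class match $client equals TEST_AllowedAddresses] } {
            log local0. "$client PERMIT"
            pool pool-www.site.com
        } else {
            # Anything not listed in the data group is turned away.
            log local0. "$client REDIRECT"
            HTTP::redirect "http://www.perdu.com"
        }
    } else {
        pool pool-www.site.com
    }
}
```

With an exact string match, every permitted client needs its own record; a subnet entry would not match individual addresses.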