Forum Discussion
Nimbostratuslimit access from source 192.168.1.1 to single URL and permit all others
Dears,
I'm trying to write an irule that limit access from source 192.168.1.1 to single url : else permit to all.When applying the below on VS its not working anymore. it should be when http_request or when_client_accepted ?
when HTTP_REQUEST { if { !([HTTP::uri] equals "; and [IP::client_addr] equals "192.168.1.1/32" ) } { reject }
}
14 Replies
Lee_SutcliffeNacreous
Updated to compensate for route domains
The event will have to be HTTP_REQUEST as you are reading the URI. You were almost there with your attempt, please try the following:
when HTTP_REQUEST { if {[IP::client_addr] contains "192.168.100.201"}{ if {[string tolower [HTTP::uri]] ne "/cvs/chn.website.cvs.account_1.0?wsdl"} { reject } } }
Daniel_VarelaEmployee
irules don't use semicolon. I think this is more what you want to do:
when HTTP_REQUEST { if { ([HTTP::uri] ne "/test") and ([IP::client_addr] equals "192.168.1.1" ) } { reject } }
HTTP::uri will return just the uri without the hostname.
aboulleill_3013Dears,
I just applied this on live environment :
when HTTP_REQUEST { if {!([HTTP::uri] equals "/cvs/chn.website.cvs.Account_1.0?wsdl") and ([IP::client_addr] equals "192.168.100.201")} { reject }
but 192.168.100.201 is still able to access everything. the urls in question are https://
- Daniel_Varela
You are blocking all the URLs except "/cvs/chn.website.cvs.Account_1.0?wsdl" to that IP. Adjust the first comparison to get what you expect. I think in your case is [HTTP::uri] ne "/cvs/chn.website.cvs.Account_1.0?wsdl"
- Emre_Ovali_1466
Cirrus
Hi aboulleill,
Could you please try to use this irule?
when HTTP_REQUEST { if {[IP::client_addr] equals "192.168.100.201" }{ if {[string tolower [HTTP::uri]] equals "/cvs/chn.website.cvs.account_1.0?wsdl" } { drop } } } - aboulleill_3013
Dears,
I'm trying to block all URLs except "/cvs/chn.website.cvs.Account_1.0?wsdl" to source IP address 192.168.100.201.But until now 192.168.100.201 is still able to access other URLs like if the irule doesn't exists (trying below two irules codes):
https://prodfmw-osb.bm.com.lb/OmegaIntegration/proxy/BankMedOmegaIntegrationWS?wsdl (still opening not a normal behavior)
https://prodfmw-osb.bm.com.lb/cvs/chn.website.cvs.Account_1.0?wsdl (still opening its normal)
irule 1 :when HTTP_REQUEST { if {[IP::client_addr] equals "192.168.100.201" }{ if {[string tolower [HTTP::uri]] ne "/cvs/chn.website.cvs.account_1.0?wsdl" } { drop } } }
irule 2 :when HTTP_REQUEST { if { ([HTTP::uri] ne "prodfmw-osb.bm.com.lb/cvs/chn.website.cvs.Account_1.0?wsdl") and ([IP::client_addr] equals "192.168.100.201")} { reject } }
- Emre_Ovali_1466
You should use the "not" only for the beginning of the if sentece
when HTTP_REQUEST { if {[IP::client_addr] equals "192.168.100.201" }{ if {not ([string tolower [HTTP::uri]] equals "/cvs/chn.website.cvs.account_1.0?wsdl") } { drop } } } - Daniel_Varela
Add some debugging to your irule as well:
when HTTP_REQUEST { log local0. "URI: [HTTP::uri]" log local0. "IP: [IP::client_addr]" if { ([HTTP::uri] ne "prodfmw-osb.bm.com.lb/cvs/chn.website.cvs.Account_1.0?wsdl") and ([IP::client_addr] equals "192.168.100.201")} { reject } }The URI you have in the log have to be the same you have in your if.
- aboulleill_3013
Dears,
Still not working...
Best Regards, Ralph El Haber
- Daniel_Varela
Hi Ralph, Please add debugging and post it here otherwise is really difficult to see where is the problem. You can find that by executing tail -f /var/log/ltm in rhe command line.
when HTTP_REQUEST { log local0. "URI: [HTTP::uri]" log local0. "IP: [IP::client_addr]" if { ([HTTP::uri] ne "/cvs/chn.website.cvs.Account_1.0?wsdl") and ([IP::client_addr] equals "192.168.100.201")} { reject } }Some notes: HTTP::uri does not return the hostname but it will include all the parameters in the URL. The irule won't work unless the URI is an exact match. Try to chuck the irule in smallest pieces and verify if the functionality separately.
