For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

elastic_82555's avatar
elastic_82555
Icon for Nimbostratus rankNimbostratus
Mar 25, 2013

name based virtual host redirection with allowed ip addresses

Hi,   I am new to irules and F5 in general, and would apprciate some advice. I have a single ip address connecting the F5 to the internet, so I am using a name based virtual host irule...
application delivery
dev
devops
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Mar 26, 2013
I can see a few alternatives, depending on your intentions.

If the source IP restriction is the same for all, I'll put that at the start of your one HTTP_REQUEST event: 


when HTTP_REQUEST {
   if { [class match [IP::client_addr] equals external_address ] } {
      switch [string tolower [HTTP::host]] {
         "site1.domain.com" { pool scm1_https_pool }
         default { reject }
      }
   } else {
      drop
   }
}

You don't really need to filter for NOT in the data group. I'm also curious why you'd need the [HTTP::uri] starts_with "/" statement. Technically speaking, all URIs should start with "/" so not sure what value that conditional will give you. Also, IP::client_addr is probably a better fit.

Now, if this is more simplistic than it needs to be, you foresee the two filters getting more complicated and more dependent on the host, and the iRules get much more complicated and fragile, then another alternative is VIP targeting. In this case, instead of a pool statement you use a virtual statement, sending the traffic to another (internal) virtual server. So then you can keep all of your host and IP filtering iRules, and anything else more complicated, separated amongst different virtual servers.