Forum Discussion

Michael_-_Harr1
Mar 21, 2014

Need some assistance, not sure if an iRule is the best way to handle this requirement - if it is, need some help with the iRule please.

Requirement: we have a public-facing site and internal employees get special rates on loans. The requirement is to restrict specific URL paths by internal source IP address, and the public can access everything else but not the special internal rates.

 

Special internal IP addresses (address, mask):

    70.90.135.121 255.255.255.255
    38.103.19.19 255.255.255.255
    209.34.200.5 255.255.255.255
    12.36.205.5 255.255.255.255
    208.4.60.5 255.255.255.255
    208.4.61.130 255.255.255.255
    38.103.19.17 255.255.255.255
    38.103.19.18 255.255.255.255

 

URL filter: restrict access to these URL paths by source IP address:

    discount.com/internal-rates.
    discount.com//Loan-and-Credit-Card-Rates.*
    discount.com//Deposit-and-Share-Rates.*
    discount.com//internal-rates.*
    discount.com//Deposit-and-Share-Rates.*

 

Everyone else can access the URLs - but not the above special rate URLs

 

3 Replies

  • if that isn't sanitized data, I'd recommend sanitizing it.
  • assuming you drop all your internal IPs into a data-group called internal_ips, something like this should get you started (untested):

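    when HTTP_REQUEST {
      # Compare the lowercased request path against the restricted prefixes
      switch -glob [string tolower [HTTP::path]] {
        "/internal-rates*" -
        "/loan-and-credit-card-rates*" -
        "/deposit-and-share-rates*" {
          # Clients not listed in the internal_ips data group are sent to the home page
          if { ![class match [IP::client_addr] equals internal_ips] } {
            HTTP::redirect "http://[HTTP::host]/"
          }
        }
      }
    }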
    
  • I would solve this by creating two data groups. One with the IP addresses - let's call that data group internal_IP for the example below. The other data group would contain the restricted URI:s - so let's call it restricted_URI. And just to avoid some headaches I would enter them into the data group as strictly lower case strings. Then I would create an iRule like this:

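    when HTTP_REQUEST {
       # Prefix-match the lowercased URI against the restricted_URI data group
       if { [class match [string tolower [HTTP::uri]] starts_with restricted_URI] }{
          # Source address not in the internal_IP data group: answer 404
          if { ![class match [IP::client_addr] eq internal_IP] }{
             HTTP::respond 404
          }
       }
    }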
    

    So if anyone requests the restricted URI:s, if the source address isn't one of the approved ones you get a 404 message back. Also note that HTTP::uri returns the part of the URL without the hostname, starting with the first slash, so don't include the hostname in the strings when creating the data group.
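
A Python model of the access decision both replies implement, added here as an example and not part of the original posts: it checks the double-slash path forms written in the question against the lowercase prefixes and lists the ones that match only after the path is normalized. The data-group contents, client addresses and the `/about-us` path are constructed, the function names are hypothetical, and this models the matching logic rather than BIG-IP behaviour.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Constructed stand-ins for the two data groups (documentation addresses,
# not the poster's real ones); strings are stored lower case, without hostname.
INTERNAL_IPS = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/28")]
RESTRICTED_PREFIXES = ("/internal-rates", "/loan-and-credit-card-rates",
                       "/deposit-and-share-rates")

def normalize_path(raw_uri: str) -> str:
    """Reduce a request URI to the form the data-group strings are written in."""
    path = unquote(raw_uri.split("?", 1)[0])   # drop the query, decode %xx once
    path = re.sub(r"/{2,}", "/", path)         # collapse '//' as seen in the question
    path = posixpath.normpath(path)            # resolve '.' and '..' segments
    return path.lower()

def is_restricted(raw_uri: str, normalize: bool = True) -> bool:
    # normalize=False mirrors a plain lowercase prefix match on the raw URI
    path = normalize_path(raw_uri) if normalize else raw_uri.lower()
    return path.startswith(RESTRICTED_PREFIXES)

def is_internal(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_IPS)

def decide(client_ip: str, raw_uri: str, normalize: bool = True) -> int:
    """Status the rule would produce: 404 when blocked, 200 when passed on."""
    if is_restricted(raw_uri, normalize) and not is_internal(client_ip):
        return 404
    return 200

def audit(uris, client_ip="192.0.2.77"):
    """URIs an external client gets through only when matching is not normalized."""
    return [u for u in uris if decide(client_ip, u, normalize=False) == 200
            and decide(client_ip, u, normalize=True) == 404]

# Path forms as written in the question, plus one public page (constructed).
SAMPLE_URIS = ["/internal-rates", "//Loan-and-Credit-Card-Rates",
               "//Deposit-and-Share-Rates?x=1", "/about-us"]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri, decide("192.0.2.77", uri), decide("203.0.113.10", uri))
    print("matched only after normalization:", audit(SAMPLE_URIS))
```

Running the same list of paths through whichever iRule is deployed, from an address outside the data group, confirms that every form of the restricted URLs is covered before the rule goes live.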