Forum Discussion
Matt_Breedlove_
Nimbostratus
Feb 02, 2007
Need some opinions on iRule
Basically, I am trying to allow a few URIs to be accessible by the Internet
when trying to hit a particular Pool, but all other URIs to be dropped unless the source IP of the client is coming from an IP address that begins with "10." or "200.3.81".
I know this can be done with If statements and classes using matchclass, but I am trying to use Switch as it appears to be the V12 (as in fast) of iRules.
It sounds like there is no "allow", but rather you must give it a pool to go to in place of an explicit "allow" (to counter the explicit drop/discard). Is this correct? I think this works if the iRule is already scoped for a particular pool, but what if you want the iRule to be global, affecting all pools, and rather after evaluating a few conditions you want the request to be "released" to go its merry way, whichever way that was before you began evaluating it?
Sorry if this is rambly.
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        /feedserver/login* {
            pool fc.acmehosting.com
        }
        /feedserver/logout* {
            pool fc.acmehosting.com
        }
        /feedserver/getdata* {
            pool fc.acmehosting.com
        }
        /feedserver/setdata* {
            pool fc.acmehosting.com
        }
        /feedserver/statechange* {
            pool fc.acmehosting.com
        }
        /feedserver/proxyrequest* {
            pool fc.acmehosting.com
        }
        default {
            when CLIENT_ACCEPTED {
                switch -glob [string tolower [IP::client_addr]] {
                    200.3.81* {
                        pool fc.acmehosting.com
                    }
                    10.* {
                        pool fc.acmehosting.com
                    }
                    default {
                        drop
                    }
                }
            }
        }
    }
}
4 Replies
- Matt_Breedlove_
Nimbostratus
I really need some help with the above script. Am I totally off base with this script? Suggestions for an alternative way that would be a top-notch performer?
- Matt_Breedlove_
Nimbostratus
::Bump
Somebody please?
Thanks
- Deb_Allen_18
Historic F5 Account
Well, you can't nest events like that. You have to postpone the decision of connection management until the URI is seen, and then you will have to simply discard the request.
For testing just those 2 IP subnets, try this:
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        /feedserver/login* { pool fc.acmehosting.com }
        /feedserver/logout* { pool fc.acmehosting.com }
        /feedserver/getdata* { pool fc.acmehosting.com }
        /feedserver/setdata* { pool fc.acmehosting.com }
        /feedserver/statechange* { pool fc.acmehosting.com }
        /feedserver/proxyrequest* { pool fc.acmehosting.com }
        default {
            if {[IP::addr [IP::client_addr] equals 200.3.81.0/24] or \
                [IP::addr [IP::client_addr] equals 10.0.0.0/8]} {
                pool fc.acmehosting.com
            } else {
                discard
            }
        }
    }
}
This will allow all connections to the first 6 URIs, and only connections from those 2 IP subnets to other URIs.
/deb
- Matt_Breedlove_
Nimbostratus
Here is what I ended up with. An if statement could be used for the second switch if desired, or a class with matchclass.
If anyone is looking for URL whitelisting with certain source IPs being able to trump the URL filter...this is it.
Thanks for the comments and help
Matt
when HTTP_REQUEST {
    switch -glob [string tolower [URI::decode [HTTP::uri]]] {
        /feedserver/login* { pool fc.acmehosting.com }
        /feedserver/logout* { pool fc.acmehosting.com }
        /feedserver/getdata* { pool fc.acmehosting.com }
        /feedserver/setdata* { pool fc.acmehosting.com }
        /feedserver/statechange* { pool fc.acmehosting.com }
        /feedserver/proxyrequest* { pool fc.acmehosting.com }
        default {
            switch -glob [IP::client_addr] {
                203.4.71.* { pool fc.acmehosting.com }
                10.* { pool fc.acmehosting.com }
                default { discard }
            }
        }
    }
}
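The decision logic of the final iRule in this thread, written out as a small Python model so it can be exercised against sample requests offline. This is an added example, not code from the thread or from F5; it mirrors the rule's two stages (public URI globs matched against a decoded, lowercased URI, then a source-network check) and illustrates two details a reviewer would check in the Tcl: switch patterns must be lowercase if the URI is lowercased first, and decoding must happen before lowercasing (lowercasing "%4C" to "%4c" and then decoding yields an uppercase "L"). The /24 assumed for the "203.4.71.*" glob, the pool name and the sample requests are all constructed assumptions.

```python
import fnmatch
import ipaddress
from urllib.parse import unquote

# Constructed model of the whitelist in the final iRule above: patterns are
# written in lowercase so they can match a lowercased URI, and the source-IP
# test uses CIDR networks instead of string globs.  The /24 for "203.4.71.*"
# is an assumption; the pool name is the thread's placeholder.
ALLOWED_URI_GLOBS = (
    "/feedserver/login*",
    "/feedserver/logout*",
    "/feedserver/getdata*",
    "/feedserver/setdata*",
    "/feedserver/statechange*",
    "/feedserver/proxyrequest*",
)
TRUSTED_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.4.71.0/24"),
)
POOL = "fc.acmehosting.com"


def normalize_uri(uri, decode_first=True):
    """Percent-decode once and lowercase.

    decode_first=False reproduces the lowercase-then-decode order: "%4C"
    lowercases to "%4c" and decodes to an uppercase "L", so the result is
    no longer fully lowercase and can slip past lowercase patterns.
    """
    if decode_first:
        return unquote(uri).lower()
    return unquote(uri.lower())


def uri_is_public(uri, globs=ALLOWED_URI_GLOBS):
    """True when the normalized URI matches one of the publicly reachable globs."""
    normalized = normalize_uri(uri)
    # fnmatchcase is case-sensitive, like Tcl's switch -glob
    return any(fnmatch.fnmatchcase(normalized, g) for g in globs)


def client_is_trusted(addr):
    """True when the client address lies inside one of the trusted networks.

    A value that is not a valid IP address is treated as untrusted rather
    than raising, so a malformed value can never widen access.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def decide(client_addr, uri):
    """Return the pool name when the request may be forwarded, or None to discard.

    Order matches the iRule: public URIs are forwarded for everyone; any
    other URI is forwarded only when the client is inside a trusted network.
    """
    if uri_is_public(uri):
        return POOL
    if client_is_trusted(client_addr):
        return POOL
    return None


if __name__ == "__main__":
    # Constructed sample requests: (client address, raw request URI)
    samples = [
        ("8.8.8.8", "/feedserver/login?user=a"),
        ("8.8.8.8", "/feedserver/stateChange"),
        ("8.8.8.8", "/FeedServer/%4Cogin"),
        ("8.8.8.8", "/admin/"),
        ("10.20.30.40", "/admin/"),
        ("203.4.71.9", "/admin/"),
        ("203.4.72.9", "/admin/"),
    ]
    for addr, uri in samples:
        print(f"{addr:>12} {uri:<28} -> {decide(addr, uri) or 'discard'}")
```

Running the module prints one decision per sample request. Passing the thread's original mixed-case pattern to `uri_is_public` (for example `globs=("/feedserver/stateChange*",)`) shows that a lowercased URI never matches it, which is why the patterns in the rule above are written in lowercase.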