Forum Discussion
Jim_Sellers_106
Nimbostratus
Oct 03, 2011
Path Based ACL iRule
Here is the scenario
I have 9 IP addresses that I want to allow to the following paths, but allow access to any other URL/URI on the server.
Let's just say 1.1.1.1 through 1.1.1.9
/npcaccounts/ManageAccount.aspx
/npcaccounts/ManageVendor.aspx
I have a few ideas in mind... creating a class for the sources and then creating a class for the paths. Any suggestions or help would be much appreciated.
- The_Bhattman
Nimbostratus
Hi Jim,

class ip_path_class {
    "1.1.1.1" := "/npcaccounts/ManageAccount.aspx",
    "1.1.1.2" := "/npcaccounts/ManageVendor.aspx",
    . . .
    "" := "/path/blah.aspx",
}

when HTTP_REQUEST {
    # Look up the client address in the data group; -value returns the
    # mapped path, or an empty string when the client is not listed
    set sitepath [class match -value -- [IP::client_addr] equals ip_path_class]
    if { $sitepath ne "" } {
        # Prefix the mapped path to the requested URI ($sitepath already
        # begins with a slash)
        HTTP::uri "$sitepath[HTTP::uri]"
    }
}
- Jim_Sellers_106
Nimbostratus
Thanks, I really appreciate it and will let you know how it works out.
- The_Bhattman
Nimbostratus
Hi Jim,

class dg_blacklist {
    "1.1.1.1",
    "1.1.1.2",
    "1.1.1.3",
    . . .
    "<IP>",
}

when HTTP_REQUEST {
    # Compare the lowercased file name of the requested URI against the
    # two protected pages
    switch -glob [string tolower [URI::basename [HTTP::uri]]] {
        "manageaccount.aspx" -
        "managevendor.aspx" {
            # Drop the request if the client address is in the blacklist
            if { [class match [IP::client_addr] equals dg_blacklist] } {
                discard
            }
        }
    }
}
- The_Bhattman
Nimbostratus
Hi Jim,

class dg_whitelist {
    "1.1.1.1",
    "1.1.1.2",
    "1.1.1.3",
    . . .
    "",
}

when HTTP_REQUEST {
    # Compare the lowercased file name of the requested URI against the
    # two protected pages
    switch -glob [string tolower [URI::basename [HTTP::uri]]] {
        "manageaccount.aspx" -
        "managevendor.aspx" {
            # Drop the request unless the client address is in the whitelist
            if { not [class match [IP::client_addr] equals dg_whitelist] } {
                discard
            }
        }
    }
}
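As an added example (not The_Bhattman's or hoolio's code), the allow-list variant rewritten to match on the full, lowercased path via HTTP::path instead of the bare file name, so that only the two pages under /npcaccounts/ are restricted and the query string cannot affect the match, and to answer with an explicit 403 rather than a silent discard. It assumes an address-type data group named dg_npc_admins (assumed name) holding the nine allowed client addresses 1.1.1.1 through 1.1.1.9.

```tcl
# Added example; assumes an address-type data group "dg_npc_admins"
# containing the nine permitted client IPs (1.1.1.1 - 1.1.1.9).
when HTTP_REQUEST {
    # HTTP::path carries the path only, so "?a=b" cannot change the outcome.
    # IIS paths are case-insensitive, so normalise before comparing.
    switch -- [string tolower [HTTP::path]] {
        "/npcaccounts/manageaccount.aspx" -
        "/npcaccounts/managevendor.aspx" {
            if { ![class match [IP::client_addr] equals dg_npc_admins] } {
                # Visible denial: log it and return 403 instead of discarding
                log local0. "Denied [IP::client_addr] -> [HTTP::path]"
                HTTP::respond 403 content "Forbidden" \
                    "Content-Type" "text/plain" "Connection" "close"
                return
            }
            # Listed client: fall through and let the request proceed
        }
    }
    # Any other path on the server is reachable by every client
}
```

Anchoring on the full path matters because a basename match would also restrict /somewhere/else/ManageAccount.aspx, and an address data group lets the nine entries be changed without editing the iRule.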
- Jim_Sellers_106
Nimbostratus
Thanks, that is exactly what I was looking for!!
- hoolio
Cirrostratus
Hi Jim,
- Jim_Sellers_106
Nimbostratus
Thanks for the advice, Hoolio. I will check the link out!!
- Jim_Sellers_106
Nimbostratus
After looking into the link you sent: I also have ASM in front of the IIS servers, so I will check to see if I can get away with adding extra ////'s.
- hoolio
Cirrostratus
Ideally, you'd want to select an HTTP class by client IP and then have two separate ASM policies for the two different classes of clients. You can do this using class match to evaluate the client IP against a datagroup and the HTTP::class command to select a class:
- hoolio
Cirrostratus
To clarify, in one ASM policy you could disallow access to the specific URIs with attack signatures. In the iRule, you'd check the client IP against the datagroup. If the client isn't in the datagroup, you'd select the HTTP class which points to the ASM policy which disallows these URIs.