Forum Discussion
Jim_Sellers_106
Oct 03, 2011 (Nimbostratus)
Path Based ACL Irule
Here is the scenario:
I have 9 IP addresses that I want to allow to the following paths, but allow access to any other URL/URI on the server.
Let's just say 1.1.1.1 through 1.1.1.9.
/npcaccounts/ManageAccount.aspx
/npcaccounts/ManageVendor.aspx
I have a few ideas in mind: creating a class for the sources and then creating a class for the paths. Any suggestions or help would be much appreciated.
12 Replies
- Hi Jim
    class ip_path_class {
        "1.1.1.1" := "/npcaccounts/ManageAccount.aspx",
        "1.1.1.2" := "/npcaccounts/ManageVendor.aspx",
        ...
        "" := "/path/blah.aspx",
    }

    when HTTP_REQUEST {
        # Value mapped to the client address in the data group, or "" if there is no entry
        set sitepath [class match -value -- [IP::client_addr] ip_path_class]
        if { $sitepath ne "" } {
            # Rewrite the request so it is prefixed with the client's mapped path
            # (the data group values already carry the leading slash)
            HTTP::uri "$sitepath[HTTP::uri]"
        }
    }
- Thanks I really appreciate it and will let you know how it works out.
- Hi Jim,
    class dg_blacklist {
        "1.1.1.1",
        "1.1.1.2",
        "1.1.1.3",
        ...
        "<IP>",
    }

    when HTTP_REQUEST {
        # Compare the file name part of the URI, lower-cased, against the two protected pages
        switch -glob [string tolower [URI::basename [HTTP::uri]]] {
            "manageaccount.aspx" -
            "managevendor.aspx" {
                # Drop the connection if the client is listed in the data group
                if { [class match [IP::client_addr] equals dg_blacklist] } {
                    discard
                }
            }
        }
    }
- Hi Jim,
    class dg_whitelist {
        "1.1.1.1",
        "1.1.1.2",
        "1.1.1.3",
        ...
        "",
    }

    when HTTP_REQUEST {
        # Compare the file name part of the URI, lower-cased, against the two protected pages
        switch -glob [string tolower [URI::basename [HTTP::uri]]] {
            "manageaccount.aspx" -
            "managevendor.aspx" {
                # Drop the connection unless the client is listed in the data group;
                # any other URI falls through and is forwarded untouched
                if { not [class match [IP::client_addr] equals dg_whitelist] } {
                    discard
                }
            }
        }
    }
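The forward-or-discard decision of the whitelist iRule above, as an added offline model in Python (not code from the thread or from F5), so the matching rule can be exercised without a BIG-IP. It assumes the nine whitelisted addresses are 1.1.1.1 through 1.1.1.9 (constructed) and, since the thread goes on to raise IIS path handling, that the IIS backend percent-decodes the path and collapses repeated or trailing slashes before it picks the .aspx handler. Under that assumption a check on the raw URI basename, which is what the iRule compares, can be sidestepped by encoding one character of the file name; the example runs the raw check and a normalised check side by side over constructed requests.

```python
"""Offline model of the whitelist iRule (added example, not code from the
thread or from F5).  Reproduces the iRule's decision: forward the request
or discard it.

Assumptions (not stated on the page): the whitelist is the nine constructed
addresses 1.1.1.1-1.1.1.9; the IIS backend percent-decodes the path and
collapses '//', '/./' and a trailing '/' before choosing the .aspx handler.
"""
import ipaddress
import posixpath
from urllib.parse import unquote

# The two pages the poster wants restricted, compared lower-case like the iRule.
PROTECTED_PAGES = {"manageaccount.aspx", "managevendor.aspx"}

# Constructed stand-in for the dg_whitelist data group.
WHITELIST = {ipaddress.ip_address(f"1.1.1.{i}") for i in range(1, 10)}


def basename_raw(uri: str) -> str:
    """Mirror URI::basename on the raw request URI: drop the query string,
    keep the text after the last '/', no decoding.  This is what the posted
    iRule compares."""
    path = uri.split("?", 1)[0]
    return path.rsplit("/", 1)[-1].lower()


def basename_normalized(uri: str) -> str:
    """Same idea, but normalised the way the backend is assumed to see the
    path: percent-decode once, then collapse '//', '/./' and a trailing '/'."""
    path = unquote(uri.split("?", 1)[0])
    path = posixpath.normpath(path)
    return path.rsplit("/", 1)[-1].lower()


def is_allowed(client_ip: str, uri: str, basename=basename_normalized) -> bool:
    """True if the request is forwarded, False if the iRule would discard it.
    Only the two protected pages are gated; every other URI passes."""
    if basename(uri) not in PROTECTED_PAGES:
        return True
    return ipaddress.ip_address(client_ip) in WHITELIST


if __name__ == "__main__":
    # Constructed requests: (client IP, URI).  The last two are the cases where
    # the raw and normalised checks disagree.
    samples = [
        ("1.1.1.5", "/npcaccounts/ManageAccount.aspx"),
        ("10.0.0.1", "/npcaccounts/ManageAccount.aspx"),
        ("10.0.0.1", "/npcaccounts/Default.aspx"),
        ("10.0.0.1", "/npcaccounts/Manage%41ccount.aspx"),
        ("10.0.0.1", "/npcaccounts/ManageVendor.aspx/"),
    ]
    for ip, uri in samples:
        print(f"{ip:10} {uri:40} raw={is_allowed(ip, uri, basename_raw)!s:5} "
              f"normalized={is_allowed(ip, uri)}")
```

If the backend really does decode and collapse the path this way, the iRule has to do the same before the comparison, for example by passing the URI through URI::decode and collapsing repeated slashes with string map before calling URI::basename; whether that is needed depends on how the IIS servers and ASM in front of them treat such requests, which is the question the later replies turn to.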
- Thanks that is exactly what I was looking for !!
- Hi Jim,
- Thanks for the advice, Hoolio. I will check the link out!!
- After looking into the link you sent: I also have ASM in front of the IIS servers, so I will check to see if I can get away with adding extra ////'s.
- Ideally, you'd want to select an HTTP class by client IP and then have two separate ASM policies for the two different classes of clients. You can do this using class match to evaluate the client IP against a datagroup and the HTTP::class command to select a class:
- To clarify, in one ASM policy you could disallow access to the specific URIs with attack signatures. In the iRule, you'd check the client IP against the datagroup. If the client isn't in the datagroup, you'd select the HTTP class that points to the ASM policy which disallows these URIs.