Forum Discussion
Jeff_Tuthill_10
Nimbostratus
NimbostratusPool Selection based on client domain name or IP address
So I think this may be an easy one but I am getting stuck on this. I have an application that I want to allow access to if the client has a certain domain name or is coming from a certain IP subnet...otherwise I want to discard the connection.
So far I have set up a Data Group with the allowed IP's and set up the irule as such:
when HTTP_REQUEST {
if { [matchclass [IP::client_addr] equals $::DATA_GROUP_NAME] } {
pool pool1
} else {
discard
}
}
This works fine for the IP addresses but how do I get the domain name working? So my scenario is:
Go to pool1 if you are from 10.10.10.0 or 10.10.11.0 or from *.example.com otherwise you get discarded.
- dennypayne
Employee
I'm not aware of any header that a browser normally sends that includes domain name information. What exactly do you mean by "the client has a certain domain name?"
There's a Referer header that shows the domain name of the site that provided the link, but that's the only thing I could think of that would include some sort of domain information.
Denny 
hoolioCirrostratus
You could check the requested domain in the Host header value. But as Denny suggests, there isn't anything in HTTP that would have a domain associated with it. You could potentially do a reverse DNS lookup to see if there is a reverse DNS record associated with the client IP address.
Can you elaborate on the scenario?
Aaron
Jeff_Tuthill_10What I mean by the domain name is the network that the client is coming from, i.e. coming from comcast.net or aol.com. So can I have a ruke that says all clients coming from comcast.net use this pool.- hoolioThere is a default aol datagroup which contains the proxy server IP addresses AOL publishes. If you can get a list of the hosts/subnets that Comcast uses, you could define them in an address type datagroup and check the client IP address against the datagroup.
Aaron - Jeff_Tuthill_10So how do I get an iRule to look at two different Data Groups? Here is the scenario:
1. Check the IP addresses in data group 1 and send to pool
2. Check the hostnames (string) in data group 2 and send to pool
3. Otherwide discard
Would something like this work?:
when HTTP_REQUEST {
if { [matchclass [IP::client_addr] equals $::DATA_GROUP_NAME] } {
pool pool1
} else {
if { [matchclass [DNS::name] equals $::DATA_GROUP_NAME2] } {
pool pool1
} else {
discard
}
} - hoolioYou could either figure out which IP address ranges comcast uses, or you could depend on their reverse DNS records being valid for all client IP addresses. If you use the first option, you'd define a datagroup just like the stock AOL datagroup and check the IP::client_addr against that datagroup:
when HTTP_REQUEST { if { [matchclass [IP::client_addr] equals $::DATA_GROUP_NAME] } { pool pool1 } elseif { [matchclass [IP::client_addr] equals $::comcast_ips] } { pool pool1 } else { discard } }
Or you could try to do a reverse DNS lookup using the NAME:: commands:
NAME: These commands allow you to resolve names using the DNS subsystem configured on BIG-IP.
http://devcentral.f5.com/wiki/default.aspx/iRules/name
Try searching the iRules forum for NAME_RESOLVED for some examples. There is also an older Codeshare example which may still be relevant:
http://devcentral.f5.com/wiki/default.aspx/iRules/DestinationSnatUsingDNS.html
Aaron - Jeff_Tuthill_10Thanks for the leads hoolio!!!
I am trying this rule but get an error on line 14 "Command not valid in current context"...Can I collect the DNS name and then make a pool assignment based on that within the same iRule?
when HTTP_RESPONSE {
Hold HTTP data until IP address is resolved
HTTP::collect
Start a name resolution on the Client IP address
NAME::lookup [IP::client_addr]
}
when NAME_RESOLVED {
log local0. "client name = >[NAME::response]>"
Release HTTP data once hostname is resolved
HTTP::release
}
when HTTP_REQUEST {
set client [NAME::response]
if {$client contains "domain.com"} {
pool pool1
} else {
discard
}
}
