Pool Selection based on client domain name or IP address

Question

So I think this may be an easy one but I am getting stuck on this. I have an application that I want to allow access to if the client has a certain domain name or is coming from a certain IP subnet...otherwise I want to discard the connection. 
&nbsp; So far I have set up a Data Group with the allowed IP's and set up the irule as such: 
&nbsp; when HTTP_REQUEST {  
&nbsp; if { [matchclass [IP::client_addr] equals $::DATA_GROUP_NAME] } {  
&nbsp; pool pool1 
&nbsp; } else {  
&nbsp; discard 
&nbsp; }  
&nbsp; } 
&nbsp; This works fine for the IP addresses but how do I get the domain name working? So my scenario is: 
&nbsp; Go to pool1 if you are from 10.10.10.0 or 10.10.11.0 or from *.example.com otherwise you get discarded. 
&nbsp;

dennypayne · Answer

I'm not aware of any header that a browser normally sends that includes domain name information.  What exactly do you mean by "the client has a certain domain name?" 
&nbsp;  
&nbsp; There's a Referer header that shows the domain name of the site that provided the link, but that's the only thing I could think of that would include some sort of domain information. 
&nbsp;  
&nbsp; Denny

hoolio · Answer

You could check the requested domain in the Host header value.  But as Denny suggests, there isn't anything in HTTP that would have a domain associated with it.  You could potentially do a reverse DNS lookup to see if there is a reverse DNS record associated with the client IP address. 
&nbsp;  
&nbsp; Can you elaborate on the scenario? 
&nbsp;  
&nbsp; Aaron

jeff_tuthill_10 · Answer

What I mean by the domain name is the network that the client is coming from, i.e. coming from comcast.net or aol.com. So can I have a ruke that says all clients coming from comcast.net use this pool.

hoolio · Answer

There is a default aol datagroup which contains the proxy server IP addresses AOL publishes.  If you can get a list of the hosts/subnets that Comcast uses, you could define them in an address type datagroup and check the client IP address against the datagroup. 
&nbsp;  
&nbsp; Aaron

jeff_tuthill_10 · Answer

So how do I get an iRule to look at two different Data Groups? Here is the scenario: 
&nbsp;  
&nbsp; 1. Check the IP addresses in data group 1 and send to pool 
&nbsp; 2. Check the hostnames (string) in data group 2 and send to pool 
&nbsp; 3. Otherwide discard 
&nbsp;  
&nbsp; Would something like this work?: 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp; if { [matchclass [IP::client_addr] equals $::DATA_GROUP_NAME] } { 
&nbsp; pool pool1 
&nbsp; } else { 
&nbsp; if { [matchclass [DNS::name] equals $::DATA_GROUP_NAME2] } { 
&nbsp; pool pool1 
&nbsp; } else { 
&nbsp; discard 
&nbsp; } 
&nbsp; }  &nbsp;

Forum Discussion

Pool Selection based on client domain name or IP address

7 Replies

AppWorld Berlin iRules Contest!

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

Recent Discussions

VIP control across data centers - how to ensure only 1 VIP is up at a time?

FQDN Node Configuration

Logical Disk Full to Migrate rSeries

Priority Group Activation is not working

Changes to DO and AS3 GitHub - no longer monitored

Related Content

F5 Distributed Cloud - Traffic Steering based on Client IP Address

Selective Client Cert Authentication

F5 BIG-IP deployment with Red Hat OpenShift - keeping client IP addresses and egress flows

APM custom address space by client IP?

Select Between Multiple Network Access Resources with the Edge Client

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS