Forum Discussion
Proxypass Rule just for a specific IP-Range
Hi
We have the ProxyPass iRule version 10.9 successfully in place. (https://devcentral.f5.com/wiki/iRules.proxypassv10.ashx)
But because a Web-Service has confidential content, the access has to be limited to a specific IP-Range, or maybe IP-Ranges in the future.
Without ProxyPass I would just use the following part in an iRule:
if { [IP::addr [IP::client_addr]/24 equals 10.85.4.0] } {
    access
}
The ProxyPass iRule is very complex with a lot of different Sections.
I tried to add the "Client IP Restriction" somewhere in the ProxyPass rule but I wasn't able to get it running.
Is this possible?
Where would I have to place the IP-Address check?
Best Regards,
Roger
2 Replies
- Kevin_Stewart
Employee
I would use a NOT condition in the IP check and put it at the top of the CLIENT_ACCEPTED event, with a reject statement if the source IP is NOT in your defined IP range.
- aschi
Nimbostratus
Hi
I was able to solve it with the following entry after "when HTTP_REQUEST {" (ACA_allow_PepperHost contained the allowed Host):
if { not [class match [IP::client_addr] equals ACA_allow_PepperHost] } {
    reject
}
Now I have to extend the if statement because the restriction is just for some URIs.
I would like to first just test the URI restriction.
The following didn't work:
if { not [class match [HTTP::uri] equals ACA_restrict_Pepper_URI] } {
What do I have to set as String and Value in the class?
It never matched. Any ideas? Is it possible to use regex expressions in a class?
Best Regards,
Roger
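The combined check this thread is working toward, as an added example that is not part of either post and not F5's ProxyPass code: only requests for restricted paths are tested against the allowed client addresses. It assumes ACA_allow_PepperHost is an Address-type data group, ACA_restrict_Pepper_URI is a String-type data group holding lower-case path prefixes (the sample prefix in the comment is constructed), and that the body sits at the top of the ProxyPass HTTP_REQUEST event as described above.

```tcl
# Added example. Assumed data groups:
#   ACA_allow_PepperHost     (Address) - permitted client hosts or networks
#   ACA_restrict_Pepper_URI  (String)  - lower-case path prefixes, e.g. "/pepper/"
when HTTP_REQUEST {
    # Use the path, not the full URI: HTTP::uri includes the query string,
    # so an "equals" comparison only matches when the whole URI is identical
    # to a data group entry. Lower-casing avoids a bypass by changing case.
    set path [string tolower [HTTP::path]]

    # starts_with is true when the path begins with any string in the data group.
    if { [class match $path starts_with ACA_restrict_Pepper_URI] } {
        # For an Address data group, equals also matches network entries.
        if { not [class match [IP::client_addr] equals ACA_allow_PepperHost] } {
            log local0. "Denied [IP::client_addr] for restricted path $path"
            reject
            # Skip the rest of this event so no rewrite or pool selection
            # happens for the rejected request.
            return
        }
    }

    # ... the existing ProxyPass HTTP_REQUEST logic continues here ...
}
```

The `return` only ends this event handler in this iRule, so if the check is kept in a separate iRule the ProxyPass handler for the same event still runs.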