Forum Discussion
redirect if hosts are on the external segment
I am trying to write the iRules to achieve these:
* If users are on the trusted network segment, they can view and edit the page http://www.mycompany.com/ and any URI after www.mycompany.com
* If users are on the un-trusted network segment and they are trying to access http://www.mycompany.com/user, they are redirected to http://www.mycompany.com/
* If users are on the un-trusted segment and they are trying to access http://www.mycompany.com/department1/user, or http://www.mycompany.com/department2 and so on, they are redirected to http://www.mycompany.com/department1, http://www.mycompany.com/department2, etc... respectively

Here is my iRules:

    when HTTP_REQUEST {
        if {[IP::addr [IP::client_addr] equals 10.10.10.5/32] or [IP::addr [IP::client_addr] equals 192.168.100.0/24]} {
            log local0. "First IF"
            pool seattle-only
        } elseif {([HTTP::uri] starts_with "/user")} {
            log local0. "First Elseif"
            HTTP::redirect "http://[HTTP::host]"
        } elseif {([HTTP::uri] starts_with "/*/user")} {
            log local0. "SECOND ElseIf"
            set new-uri [getfield [HTTP::uri] "/" 2]
            log local0. "2nd elseif $new-uri"
            HTTP::redirect "http://[HTTP::host]/$new-uri"
        } else {
            pool seattle-only
            log local0. "LAST ELSE [HTTP::uri]"
        }
    }

I tested it and when I am on the untrusted network segment and trying to access http://www.mycompany.com/department1/user, I can still go straight to the http://www.mycompany.com/department1/user, my iRules does not redirect me to the http://www.mycompany.com/department1. So I think the statement ([HTTP::uri] starts_with "/*/user") does not work. But I am not sure why and how to fix it.
Do you have any suggestions?
Thanks,
12 Replies
- What_Lies_Bene1
Cirrostratus
Try
    [HTTP::uri] ends_with "/user"
- nitass
Employee
e.g.
    # config

    [root@ve11a:Active:In Sync] config # tmsh list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
            if { [IP::addr [IP::client_addr] equals 10.10.10.5/32] or [IP::addr [IP::client_addr] equals 192.168.100.0/24] } {
                # trusted network segment
                pool seattle-only
                return
            }

            # un-trusted network segment
            switch -glob [string tolower [HTTP::path]] {
                "/user*" {
                    HTTP::redirect "http://[HTTP::host]"
                }
                "/department1/user*" {
                    HTTP::redirect "http://[HTTP::host]/department1"
                }
                "/department2*" {
                    HTTP::redirect "http://[HTTP::host]/department2"
                }
                default {
                    pool seattle-only
                }
            }
        }
    }

    # test

    [root@ve11a:Active:In Sync] config # curl -I http://172.28.24.10/user/something -H "Host: www.mycompany.com"
    HTTP/1.0 302 Found
    Location: http://www.mycompany.com
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

    [root@ve11a:Active:In Sync] config # curl -I http://172.28.24.10/department1/user/something -H "Host: www.mycompany.com"
    HTTP/1.0 302 Found
    Location: http://www.mycompany.com/department1
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

    [root@ve11a:Active:In Sync] config # curl -I http://172.28.24.10/department2/something -H "Host: www.mycompany.com"
    HTTP/1.0 302 Found
    Location: http://www.mycompany.com/department2
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

- tran_93981
Nimbostratus
Thanks for the reply. I can not use [HTTP::uri] ends_with "/user" because user can enter additional URI after the "/user"
- tran_93981
Nimbostratus
Thanks very much Nitass. I did not see your post. Now I do. I will try your suggestions and update this.
- tran_93981
Nimbostratus
There are many departments: department1, department2, department3, etc... and I don't know what they are or will be. So I like the "department1/user" or "department2/user" to be the "/user" but I am not sure how to insert the department wildcard in the http redirect (HTTP::redirect "http://[HTTP::host]/).
I am trying with "getfield". I modified the iRules to be like these:

    when HTTP_REQUEST {
        # if the request is from the trusted network segments
        if {[IP::addr [IP::client_addr] equals 10.10.10.5/32] or [IP::addr [IP::client_addr] equals 192.168.100.0/24]} {
            log local0. "First IF"
            pool seattle-only
            return
        }
        # if the request is from untrusted network segment
        switch -glob [string tolower [HTTP::uri]] {
            "/user" {
                HTTP::redirect "http://[HTTP::host]"
            }
            "/*/user" {
                set new-uri [getfield [HTTP::uri] "/" 2
                HTTP::redirect "http://[HTTP::host]/$new-uri"
            }
            default {
                pool seattle-only
            }
        }
    }

but unsuccessful
- tran_93981
Nimbostratus
I checked my recent post and somehow the wildcard asterisks (*) have disappeared in the "user" and "(HTTP::redirect "http://[HTTP::host]/)". They are supposed to be "/user" and "(HTTP::redirect "http://[HTTP::host]/*)"
- Steve_M__153836
Nimbostratus
If you want to keep trying with filtering on the "/user" you could try using "contains". I have had success with that. However it is a bit more open-ended so it will take it if it is anywhere in the URI.
    when HTTP_REQUEST {
        # "contains" matches "/user" anywhere in the URI, query string included
        if { [HTTP::uri] contains "/user" } {
            HTTP::redirect yourdestinationhere
        }
    }

- tran_93981
Nimbostratus
I am trying to match the "department1", "department2", etc... right after the [HTTP::host] with the wildcard, the asterisk (*) but I am struggling.
- Steve_M__153836
Nimbostratus
I think you might just have to use a variable pointing to a data group and populate that data group with what departments/names that might be used. It seems that maybe there are too many variables to do this in a straight-forward iRule.
- What_Lies_Bene1
Cirrostratus
You can't use a wildcard in a redirect. What do you want to do exactly?
- tran_93981
Nimbostratus
I want to do:
- if a user is on the trusted network segment, the user can access www.company.com and any URI after that
- if a user is on the untrusted network segment, the user can access www.company.com
- if a user is on the untrusted network segment and the user is trying to access to www.company.com/user then he will be redirected to www.company.com
- if a user is on the untrusted network segment and the user is trying to access to www.company.com/xyz/user, the user will be redirected to www.company.com/xyz
After reading Nitass's answer and looking up more on devcentral, I have the iRule code to achieve those and it seems to work:

    when HTTP_REQUEST {
        # if the request is from the trusted network segments
        if {[IP::addr [IP::client_addr] equals 10.10.10.3/32] or [IP::addr [IP::client_addr] equals 10.55.88.0/24]} {
            log local0. "First IF"
            pool seattle-only
            return
        }
        # if the request is from untrusted network segment
        switch -glob [string tolower [HTTP::path]] {
            "/user" {
                log local0. "1st SWITCH PATH:[HTTP::path] URI:[HTTP::uri]"
                HTTP::redirect "http://[HTTP::host]"
            }
            "/*/user" {
                set new_uri [getfield [HTTP::uri] "/" 2]
                log local0. "WILD CARD SWITCH PATH:[HTTP::path] URI:[HTTP::uri] NEW_URI: $new_uri"
                HTTP::redirect "http://[HTTP::host]/$new_uri"
            }
            default {
                log local0. "DEFAULT: PATH:[HTTP::path] URI:[HTTP::uri]"
                pool seattle-only
            }
        }
    }

Thanks,
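
Added example, not part of the original posts: a plain-Tcl model (runnable with tclsh) of the untrusted-segment decision, comparing the two glob patterns from the final rule above with a check on path segments. The proc names `redirect_target` and `thread_rule_matches` and the sample paths are constructed for illustration; it assumes, as stated earlier in the thread, that users may enter additional path elements after "/user".

```tcl
# Added example: models the untrusted-segment path decision in plain Tcl
# so it can be checked with tclsh before the logic goes into an iRule.
# redirect_target / thread_rule_matches are hypothetical helper names,
# not iRules commands.

# Returns the path to redirect to, or "" when the request may go to the pool.
proc redirect_target {path} {
    # Split on "/" and drop empty segments ("/a//b/" -> {a b}).
    set segs {}
    foreach s [split $path "/"] {
        if {$s ne ""} { lappend segs $s }
    }
    # "/user" and anything below it -> site root.
    if {[string tolower [lindex $segs 0]] eq "user"} { return "/" }
    # "/<department>/user" and anything below it -> "/<department>".
    if {[string tolower [lindex $segs 1]] eq "user"} {
        return "/[lindex $segs 0]"
    }
    return ""
}

# The two glob patterns from the thread's final rule, for comparison.
# Returns 1 when one of them matches the lowercased path, else 0.
proc thread_rule_matches {path} {
    switch -glob -- [string tolower $path] {
        "/user"   { return 1 }
        "/*/user" { return 1 }
        default   { return 0 }
    }
}

# Constructed sample paths: exact matches, deeper paths, mixed case,
# a nested department and a look-alike name.
foreach p {/ /user /user/edit /department1 /department1/user
           /department1/user/edit /Department2/USER/ /a/b/user /username} {
    puts [format "%-26s glob=%d segments=%s" $p \
        [thread_rule_matches $p] [redirect_target $p]]
}
```

Inside an iRule the argument would be `[HTTP::path]`, with a non-empty result passed to `HTTP::redirect` and an empty one falling through to the `pool` command.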
- What_Lies_Bene1
Cirrostratus
OK, brilliant, job done! Cheers