reject public IP to url allow internal IPs
Have a site that needs to reject public access to /abc (allowing internal IPs) but allow public/private access to /abc1.
Started out with this iRule to reject /abc but then realized that /abc1 needs to be allowed. Not sure how to "match" /abc and allow /abc1.
when HTTP_REQUEST {
    if { ( [string tolower [HTTP::uri]] starts_with "/abc" ) and not ( [class match [IP::client_addr] equals private_net] )} {
        reject
    }
}
Seems like there may be a modification on the "starts_with", maybe "equals"? Thanks in advance. Version 10.2.2
2 Replies
- StephanManthey
Nacreous
Yes, using "equals" would be the right choice for an exact match. Also consider using HTTP::path instead, as HTTP::uri returns the path and query, i.e. /abc?param=def, and using the URI for comparison won't give you a match.
Thanks, Stephan

Hi Jace,
iRules evaluates your conditions in first-match order.
So either make sure you use a collision-free set of conditions by using "equals" operators (as Stephan already recommended), or evaluate the most restrictive "starts_with" condition first and then continue to evaluate the less restrictive "starts_with" condition (see snippet below).
when HTTP_REQUEST {
    set low_uri [string tolower [HTTP::uri]]
    if { $low_uri starts_with "/abc1" } then {
        # Allow the request
    } elseif { ( $low_uri starts_with "/abc" ) and not ( [class match [IP::client_addr] equals private_net] ) } then {
        reject
    }
}
Cheers, Kai
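
An added example, not part of either reply and not F5's own code, that combines both suggestions: it compares HTTP::path so a query string does not affect the match, and it restricts "/abc" plus everything under "/abc/" while leaving "/abc1" open to all clients. Treating "/abc/..." as restricted and the log line are assumptions; private_net is the data group from the original post.

```tcl
when HTTP_REQUEST {
    # Compare the path only, so "/abc?param=def" is handled the same as "/abc".
    set low_path [string tolower [HTTP::path]]

    # Restricted: "/abc" itself and anything below "/abc/" (assumption).
    # "/abc1" matches neither test, so it is never rejected by this rule.
    if { ( $low_path equals "/abc" ) or ( $low_path starts_with "/abc/" ) } {
        if { not [class match [IP::client_addr] equals private_net] } {
            # Record the blocked client so the rule can be verified after deployment.
            log local0. "Rejected [IP::client_addr] for [HTTP::path]"
            reject
        }
    }
}
```

Matching on a path-segment boundary avoids having to list every sibling path such as "/abc1" ahead of the restricted one.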