Forum Discussion
Chris_Miller
Altostratus
May 13, 2010
Reject Traffic Unless Client has Certain Header or Client-IP
I'm looking for iRule assistance again! I'm handling traffic that comes through Akamai for a staging environment. Because this environment is staging, yet requires internet access, we only want traffic that was sent through Akamai to get to us. Since Akamai inserts a "True-Client-IP" header, I want to allow traffic with that header through. Since our internal users have to test the site without going through Akamai, I want to allow them through as well.
So, if a user doesn't have the True-Client-IP header or a source of 1.1.1.1, they should get rejected.
Here's what I've pieced together:
when HTTP_REQUEST {
if { not ([HTTP::header exists "True-Client-IP"]) }
else
I get confused here, since we aren't in the client_accepted event, can I still use source IP? Also, I want to allow a 24-bit space, 1.1.1.0, how do I represent that?
1 Reply
- Michael_Yates
Nimbostratus
Try this and see if it works out for you. I did something similar for a Maintenance Override Page.
Create a Data Group List of IP Addresses:
- LTM -> iRules -> Data Group List -> Create -> Type (Address)
Use your Data Group List name in place of "ListOfPeoplesIPAddresses" and add the IP Addresses of the Developers / Testers that you want to allow to override the iRule.
when HTTP_REQUEST {
    # Reject only when the request has no True-Client-IP header AND the
    # source address is not in the data group; either one is enough to pass.
    if { !([HTTP::header exists "True-Client-IP"]) and !([matchclass [IP::remote_addr] equals $::ListOfPeoplesIPAddresses]) } {
        reject
    }
}
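The two points left open in the question (whether the source address can be read in HTTP_REQUEST, and how to write the 1.1.1.0 24-bit range) can also be handled inline without a data group. The rule below is an added example, not code from either poster; the variable names and the log message text are assumptions chosen for illustration.

```tcl
# Added example: allow a request when it carries the True-Client-IP header
# OR when it comes from the internal 1.1.1.0/24 range from the question.
# Reject only when neither condition is true.
when HTTP_REQUEST {
    # The connection's source address is still available in HTTP_REQUEST,
    # not only in CLIENT_ACCEPTED.
    set src [IP::client_addr]

    # 1 if the header is present at all (its value is not inspected here).
    set via_cdn [HTTP::header exists "True-Client-IP"]

    # IP::addr accepts address/mask notation, so a 24-bit range is
    # written as 1.1.1.0/24 (1.1.1.0/255.255.255.0 is equivalent).
    set internal [IP::addr $src equals 1.1.1.0/24]

    if { !$via_cdn && !$internal } {
        # Log what was dropped so unexpected sources are visible in the
        # LTM log instead of disappearing silently.
        log local0.info "staging access rejected: src=$src host=[HTTP::host] (no True-Client-IP, not in 1.1.1.0/24)"
        reject
    }
}
```

The header test checks presence only, and a request header is client-supplied data, so this acts as a filter rather than as authentication of the Akamai path.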