Forum Discussion
DarkSideOfTheQ_
Nimbostratus
Sep 16, 2009
Restrict access based off source network
Hello All,
Sanity check...I'm trying to block access to specific pages based off the source network the client is coming from. The rest of the site should remain available to anyone. I *think...
The_Bhattman
Nimbostratus
Sep 16, 2009
Hi Darkside,
I think your logic looks sound. I would put open and close parentheses around the URI conditional evaluations so they are evaluated together before the matchclass evaluation. I would also lose the square brackets around $::internal-ips and lowercase the URI.
Like so:
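when HTTP_REQUEST {
    # Braces are needed around the name: Tcl's $name substitution stops at the hyphen.
    # The URI is lowercased in each test so the match is case-insensitive.
    if { !([matchclass [IP::client_addr] equals ${::internal-ips}]) and (([string tolower [HTTP::uri]] contains "test.jsp") or ([string tolower [HTTP::uri]] contains "stats.jsp")) } {
        discard
    }
}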
Another way to write this is the following:
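when HTTP_REQUEST {
    # Check the data group first; internal clients skip the URI tests entirely.
    if { !([matchclass [IP::client_addr] equals ${::internal-ips}]) } {
        # HTTP::uri includes the query string, so the patterns end in * to
        # match the same requests as "contains" in the first version.
        switch -glob [string tolower [HTTP::uri]] {
            "*test.jsp*" -
            "*stats.jsp*" { discard }
        }
    }
}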
I wrote it the way above because I thought the first thing you want to evaluate is the Datagroup. If nothing matches then don't evaluate any further. In theory, it would make evaluations much faster than having to evaluate 3 conditional expressions in an IF clause.
I hope this helps
CB
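The two rule shapes discussed in this thread can be checked against each other offline before they go onto the BIG-IP. The following is an added example, not code from the thread: a Python model of the decision logic in which the network list, the sample requests and all function names are constructed assumptions. HTTP::uri includes the query string, so a glob that stops at the file name and a "contains" test do not select the same requests, and the model reports where they differ.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed stand-in for the internal-ips data group (not values from the thread).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
PAGES = ("test.jsp", "stats.jsp")
END_ANCHORED = ("*test.jsp", "*stats.jsp")    # pattern stops at the file name
UNANCHORED = ("*test.jsp*", "*stats.jsp*")    # also covers a trailing query string

def is_internal(client_ip):
    """Model of matchclass against an address data group."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)

def decide_contains(client_ip, uri):
    """Single-if form: not internal AND lowercased URI contains a page name."""
    u = uri.lower()
    blocked = not is_internal(client_ip) and any(p in u for p in PAGES)
    return "discard" if blocked else "allow"

def decide_glob(client_ip, uri, patterns):
    """Nested form: data group first, then glob match on the lowercased URI."""
    if is_internal(client_ip):
        return "allow"                         # URI is never inspected
    u = uri.lower()
    return "discard" if any(fnmatchcase(u, p) for p in patterns) else "allow"

# Constructed requests: (client address, HTTP::uri value including query string).
SAMPLES = [
    ("10.1.2.3", "/admin/test.jsp"),
    ("203.0.113.7", "/admin/test.jsp"),
    ("203.0.113.7", "/admin/Stats.JSP"),
    ("203.0.113.7", "/admin/stats.jsp?range=7d"),
    ("203.0.113.7", "/index.jsp"),
]

def disagreements(patterns):
    """Requests where the glob form and the contains form decide differently."""
    return [(ip, uri) for ip, uri in SAMPLES
            if decide_contains(ip, uri) != decide_glob(ip, uri, patterns)]

if __name__ == "__main__":
    for ip, uri in SAMPLES:
        print(f"{ip:<12} {uri:<28} contains={decide_contains(ip, uri)} "
              f"glob={decide_glob(ip, uri, END_ANCHORED)}")
    print("end-anchored differs on:", disagreements(END_ANCHORED))
    print("unanchored differs on:  ", disagreements(UNANCHORED))
```

An empty list from `disagreements` means the two forms make the same decision on every sample; extend `SAMPLES` with the URIs your application actually serves.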