Forum Discussion
DaveC_53879
Nimbostratus
Nov 18, 2011
Restrict access by IP
I have an irule that I want to use to only allow certain IP addresses. I think what I have should work but it blocks all addresses to the specific URI. I'm running ver. 9.4.6
when HTTP_REQUEST {
    if { ([HTTP::uri] starts_with "/protect") and ! ([matchclass [IP::remote_addr] equals $$My_Internal]) } {
        HTTP::close
    }
}
My_Internal equals my IP addresses. Even if I put an IP in directly, 10.0.0.2, it blocks everything.
What am I missing here? I see lots of similar posts and I think this should work. Thanks in advance.
11 Replies
- nitass
Employee
Can you try this one?
[root@ve1023:Active] config b rule myrule list
rule myrule {
   when HTTP_REQUEST {
   if { ([HTTP::uri] starts_with "/protect") and ! ([matchclass [IP::remote_addr] equals My_Internal]) } {
   HTTP::close
   }
}
}
- DaveC_53879
Nimbostratus
Hi. Thanks for the reply. I tried removing the $$ but then it didn't block anything. I wasn't sure if the $$ was necessary. I even tried with just one $. It blocked everything. I even tried putting in the address directly with and w/o quotes, but no luck.
- nitass
Employee
Can you try reject instead of HTTP::close?
- DaveC_53879
Nimbostratus
I even tried
when HTTP_REQUEST {
    if { ( [HTTP::uri] starts_with "/protect" ) and ! ( [IP::addr [IP::client_addr] equals 10.0.0.2] ) } {
        HTTP::close
    }
}
It blocked everything.
Dave
- nitass
Employee
Have you tried the reject command? Didn't it work?
- DaveC_53879
Nimbostratus
You're a genius. I thought it was my address syntax which is what I kept working with. Reject got it working. Thanks very much for your help.
Can I return the favor?
Dave
- nitass
Employee
Thanks for the update and glad to hear it works.
"Can I return the favor?"
Yes, just share your knowledge. No one knows everything and no one knows nothing. ;-)
- Parinya_Ekparin
Nimbostratus
Can I ask more questions here?
Well... I'm just curious. Why doesn't "HTTP::close" work?
From what I tried, "HTTP::close" seems to work under the scope of the "HTTP_RESPONSE" event but not "HTTP_REQUEST".
Is that correct?
- nitass
Employee
This is mine.
[root@ve1023:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@ve1023:Active] config b rule myrule list
rule myrule {
   when HTTP_REQUEST {
   if {[HTTP::uri] starts_with "/closeme"}{
   HTTP::close
   }
}
}

curl -I http://172.28.19.79/closeme/abc
curl: (52) Empty reply from server

[root@ve1023:Active] config tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
15:36:46.016023 IP 172.28.19.253.49903 > 172.28.19.79.80: S 825856394:825856394(0) win 5840
15:36:46.016102 IP 172.28.19.79.80 > 172.28.19.253.49903: S 1547588842:1547588842(0) ack 825856395 win 4380
15:36:46.019090 IP 172.28.19.253.49903 > 172.28.19.79.80: . ack 1 win 46
15:36:46.019137 IP 172.28.19.253.49903 > 172.28.19.79.80: P 1:167(166) ack 1 win 46
15:36:46.020963 IP 172.28.19.79.80 > 172.28.19.253.49903: R 1:1(0) ack 167 win 4546
- Hamish
Cirrocumulus
Hm... I'd probably give back at least a simple piece of HTML that would make it appear that the page was served...
However, if it were a simple IP check (at CLIENT_CONNECT), I'd just do a drop...
Unless you're wanting to be friendly, in which case I've done one where the IP was checked at CLIENT_CONNECT, then when HTTP_REQUEST fires, a redirect is sent back to an HTTP server page that says sorry, your IP isn't allowed in. (Helpful for customers, otherwise you get a lot of support calls that go in circles for a while :)
H
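An added example, not code from the thread or from F5: the allow-list check done once per connection at CLIENT_ACCEPTED using the v9 `$::name` data-group reference the original poster's release expects, then a 403 page returned for the protected URI instead of HTTP::close (which, as the tcpdump above shows, resets the connection and leaves the client with an empty reply). It assumes an address data group named My_Internal exists on the BIG-IP; on v10 and later the equivalent lookup is `class match [IP::client_addr] equals My_Internal`.

```tcl
# Added example (not from the thread). Assumes an address data group
# named My_Internal holds the allowed source addresses/subnets.
when CLIENT_ACCEPTED {
    # Evaluate the allow-list once per TCP connection rather than on
    # every HTTP request; $::My_Internal is the v9 data-group syntax.
    if { [matchclass [IP::client_addr] equals $::My_Internal] } {
        set allowed 1
    } else {
        set allowed 0
    }
}

when HTTP_REQUEST {
    # Only the protected path is restricted; everything else passes.
    if { ( [HTTP::uri] starts_with "/protect" ) and ( $allowed == 0 ) } {
        # Record the denial in /var/log/ltm so blocks can be audited.
        log local0. "Denied [IP::client_addr] -> [HTTP::uri]"
        # Answer with a proper HTTP error instead of resetting the
        # connection; swap this for "reject" if a TCP reset is preferred.
        HTTP::respond 403 content "<html><body>Access denied</body></html>" "Content-Type" "text/html"
        return
    }
}
```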