Forum Discussion
DaveC_53879 (Nimbostratus), Nov 18, 2011
Restrict access by IP
I have an irule that I want to use to only allow certain IP addresses. I think what I have should work but it blocks all addresses to the specific URI. I'm running ver. 9.4.6
    when HTTP_REQUEST {
        if { ([HTTP::uri] starts_with "/protect") and ! ([matchclass [IP::remote_addr] equals $$My_Internal]) } {
            HTTP::close
        }
    }
My_Internal equals my IP addresses. Even if I put an IP in directly, 10.0.0.2, it blocks everything.
What am I missing here? I see lots of similar posts and I think this should work. Thanks in advance.
- nitass (Employee): can you try this one?

      [root@ve1023:Active] config b rule myrule list
      rule myrule {
         when HTTP_REQUEST {
            if { ([HTTP::uri] starts_with "/protect") and ! ([matchclass [IP::remote_addr] equals My_Internal]) } {
               HTTP::close
            }
         }
      }
- DaveC_53879 (Nimbostratus): Hi. Thanks for the reply. I tried removing the $$ but then it didn't block anything. I wasn't sure if the $$ was necessary. I even tried with just one $. It blocked everything. I even tried putting in the address directly with and w/o quotes, but no luck.
- nitass (Employee): can you try reject instead of HTTP::close?
- DaveC_53879 (Nimbostratus): I even tried
- nitass (Employee): Have you tried reject command? Didn't it work?
- DaveC_53879 (Nimbostratus): You're a genius. I thought it was my address syntax which is what I kept working with. Reject got it working. Thanks very much for your help.
- nitass (Employee): thanks for update and glad to hear it works.
- Parinya_Ekparin (Nimbostratus): Can I ask more questions here?
- nitass (Employee): this is mine.

      [root@ve1023:Active] config b virtual bar list
      virtual bar {
         snat automap
         pool foo
         destination 172.28.19.79:80
         ip protocol 6
         rules myrule
         profiles {
            http {}
            tcp {}
         }
      }
      [root@ve1023:Active] config b rule myrule list
      rule myrule {
         when HTTP_REQUEST {
            if {[HTTP::uri] starts_with "/closeme"}{
               HTTP::close
            }
         }
      }

      curl -I http://172.28.19.79/closeme/abc
      curl: (52) Empty reply from server

      [root@ve1023:Active] config tcpdump -nni 0.0 port 80
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
      15:36:46.016023 IP 172.28.19.253.49903 > 172.28.19.79.80: S 825856394:825856394(0) win 5840
      15:36:46.016102 IP 172.28.19.79.80 > 172.28.19.253.49903: S 1547588842:1547588842(0) ack 825856395 win 4380
      15:36:46.019090 IP 172.28.19.253.49903 > 172.28.19.79.80: . ack 1 win 46
      15:36:46.019137 IP 172.28.19.253.49903 > 172.28.19.79.80: P 1:167(166) ack 1 win 46
      15:36:46.020963 IP 172.28.19.79.80 > 172.28.19.253.49903: R 1:1(0) ack 167 win 4546
- Hamish (Cirrocumulus): Hm... I'd probably give back at least a simple piece of HTML that would make it appear that the page was served...
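
An added example, not part of any post in this thread: an iRule that applies the allow-list check discussed above and shows both outcomes raised in the replies, a connection reset with reject or a minimal HTML response. It assumes TMOS v10 or later (where class match replaces matchclass), an address-type data group named My_Internal as in the question, and a 403 status and log line chosen for this example.

```tcl
# Added example, not code from the thread.
# Assumptions: TMOS v10+; an address-type data group named My_Internal
# (name taken from the question); 403 status and log format are this
# example's choices.
# On 9.4.x, the version in the question, the data group is referenced as
# a global variable instead:
#   [matchclass [IP::remote_addr] equals $::My_Internal]
when HTTP_REQUEST {
    # Match on the lower-cased path only, so "/Protect" or an appended
    # query string cannot sidestep the starts_with test.
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/protect" } {
        if { ![class match [IP::client_addr] equals My_Internal] } {
            # Record the denial so blocked attempts are visible in /var/log/ltm.
            log local0.info "denied [IP::client_addr] for [HTTP::host][HTTP::uri]"

            # Outcome 1, the change that resolved the thread: reset the
            # connection without sending any HTTP response.
            # reject

            # Outcome 2, along the lines of Hamish's comment: return a
            # small HTML body instead of dropping the connection.
            HTTP::respond 403 content "<html><body>Forbidden</body></html>" \
                "Content-Type" "text/html" "Connection" "close"
            return
        }
    }
}
```

Use either reject or HTTP::respond for a given request, not both; the client address checked is the TCP source address as seen by the BIG-IP, so requests arriving through an upstream proxy or NAT are matched on that device's address.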