
Dan44
Jun 24, 2019

Restrict Access to a URL with an iRule

Hi all,

I have a web server and would like to restrict access to it. Access should only work if the request contains "/spa" or the IP matches the IPs in the data group. Unfortunately the iRule doesn't work. I am always getting an HTTP 403. Does anyone see an error in the iRule or have some experience with restricting access by IP and URL path?

when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/spa" or [class match [IP::client_addr] equals allowIP]} {
        pool web-server001
    } else {
        HTTP::respond 403
    }
}

THX!

4 Replies

  • JG

    You might want to put in some logging to help with troubleshooting, e.g.

    log local0. "[HTTP::uri] ; [IP::client_addr]"

    in the conditional to see where the incoming request gets.

    Also, you should enable OneConnect if you have not done so.

  • Hi

    I have enabled the logging. With the help of the logs we found out that the "client_addr" was always the interface IP of the firewall. The problem was on the firewall (NAT enabled). After disabling NAT on the FW the rule worked.

  • JG

    Good to hear you have got the problem sorted.

  • Hi Dan, so is this iRule working for a web server behind a DMZ? Do you mind explaining the NAT enabled part on the FW? Do you have to modify the iRule at the end?

     

    Thanks

    Kai
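
The logging JG suggests, placed in both branches of Dan44's iRule so that each allow/deny decision records which condition matched. This is an added example, not code posted by anyone in the thread; the data group `allowIP` and pool `web-server001` are the names from the original post, and the variables `uri_ok` and `ip_ok` are introduced here for illustration.

```tcl
# Added example: the iRule from the question, instrumented for troubleshooting.
# allowIP and web-server001 come from the original post; uri_ok / ip_ok are
# hypothetical helper variables.
when HTTP_REQUEST {
    # Evaluate each condition once so the log shows exactly what was tested.
    set uri_ok [expr { [string tolower [HTTP::uri]] contains "/spa" }]
    set ip_ok  [class match [IP::client_addr] equals allowIP]

    if { $uri_ok or $ip_ok } {
        log local0. "ALLOW uri=[HTTP::uri] client=[IP::client_addr] uri_ok=$uri_ok ip_ok=$ip_ok"
        pool web-server001
    } else {
        # If client= shows the same address for every request (for example a
        # firewall interface IP), an upstream device is translating the source
        # address and the data group is being compared against that address,
        # not the real client.
        log local0. "DENY uri=[HTTP::uri] client=[IP::client_addr] uri_ok=$uri_ok ip_ok=$ip_ok"
        HTTP::respond 403
    }
}
```

With this in place, the case described in the thread shows up as `DENY` lines where `client=` never changes and `ip_ok=0`, which points at the address translation rather than at the iRule logic.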