Forum Discussion
JCMATTOS_41723
Nimbostratus
Jul 09, 2009
Restrict access to certain URLs by source IP?
Hello Forum,
We are trying to utilize some iRules to allow only certain users to access specific URLs. Essentially, users A, B, C are trying to access the same virtual server IP, but have...
hoolio
Cirrostratus
Jul 09, 2009
Hi JC,
You could do this all in an iRule or you could create three address type datagroups (users_A_class, users_B_class & users_C_class) and then reference them in an iRule:
when HTTP_REQUEST {
   # Check the requested URI (it is lowercased first, so the glob patterns must be lowercase too)
   switch -glob [string tolower [HTTP::path]] {
      "/foldera*" {
         # Reset the request if the source IP is not allowed
         if {not ([matchclass [IP::client_addr] equals $::users_A_class])}{
            reject
         }
      }
      "/folderb*" {
         # Reset the request if the source IP is not allowed
         if {not ([matchclass [IP::client_addr] equals $::users_B_class])}{
            reject
         }
      }
      "/folderc*" {
         # Reset the request if the source IP is not allowed
         if {not ([matchclass [IP::client_addr] equals $::users_C_class])}{
            reject
         }
      }
      default {
         # Reset the request for any other path
         reject
      }
   }
}
Be aware that a malicious user could potentially bypass the validation using path manipulations if they were part of any of the allowed clients' datagroups. For example, if a client in user_A made a request for /folderA/../any/other/directory/, it would pass the iRule logic but potentially be parsed as /any/other/directory/ by the web server.
See this post for more examples (http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=30900).
Aaron
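The traversal caveat above is worth seeing side by side with a fix. The following is an added example, not code from the post or from F5: it models the iRule's decision in Python, with constructed address ranges standing in for the users_A/B/C datagroups, and compares the naive prefix check against one that decodes and normalizes the path first, so the decision is made on the path the origin server will actually serve.

```python
from ipaddress import ip_address, ip_network
from posixpath import normpath
from urllib.parse import unquote

# Constructed stand-ins for the three address datagroups in the iRule.
ALLOWED = {
    "/foldera": [ip_network("10.1.0.0/24")],  # users_A_class
    "/folderb": [ip_network("10.2.0.0/24")],  # users_B_class
    "/folderc": [ip_network("10.3.0.0/24")],  # users_C_class
}


def normalize(path):
    """Decode percent-encoding once, lowercase, then collapse '.', '..' and
    repeated slashes the way a web server does before mapping the path.
    Leading slashes are stripped and one is re-added so '..' cannot climb
    above the root and '//x' is not kept as a special prefix by normpath."""
    decoded = unquote(path).lower()
    return normpath("/" + decoded.lstrip("/"))


def _client_allowed(client_ip, nets):
    client = ip_address(client_ip)
    return any(client in net for net in nets)


def decide_naive(raw_path, client_ip):
    """Mirror of the iRule: glob '/foldera*' on the raw (lowercased) path."""
    path = raw_path.lower()
    for prefix, nets in ALLOWED.items():
        if path.startswith(prefix):
            return "allow" if _client_allowed(client_ip, nets) else "reject"
    return "reject"  # the iRule's default branch


def decide(raw_path, client_ip):
    """Same policy, but matched on the normalized path. The match is also
    tightened to '/foldera' or '/foldera/...', so '/folderaxyz' no longer
    inherits folder A's allow list."""
    path = normalize(raw_path)
    for prefix, nets in ALLOWED.items():
        if path == prefix or path.startswith(prefix + "/"):
            return "allow" if _client_allowed(client_ip, nets) else "reject"
    return "reject"
```

A real iRule would apply the same idea by normalizing the value of HTTP::path before the switch; the Python here only demonstrates which requests each form of the check lets through.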
