Restrict access to nodes in a pool after pool is selected.

Question

Hello;
&nbsp;I'm extremely new to iRules and am doing my best at teaching myself.  These forums are a huge help.  I've been asked to come up with something that I'm not sure is even possible.&nbsp;
&nbsp;We have an iRule that searchs for a string in the body of the HTTP post.  If the string is found it selects a certain pool.  In that pool there are members that our security team wants to restrict access to.  I have another iRule that can restrict access based on source IP address working but what I'm struggling with is how do I apply that ACL iRule to only certain nodes in the pool.  Here is the main rule:&nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp;  if { [findstr [HTTP::payload] "log local0. "MULTICARD_AUTH Found sending request to TIBCO Server."
&nbsp;     pool soaq-ccauth  
&nbsp; } else {
&nbsp;     log local0. "String not found sending to Webmethods only pool."
&nbsp; pool wbomxrealq_5080
&nbsp; }
&nbsp;}&nbsp;
&nbsp;The pool saoq-ccauth is the pool with "special" members in it. If anyone can give me some tips to get me out of this sticking point, I would greatly appreciate it.&nbsp;
&nbsp;Thanks;&nbsp;
&nbsp;-Bob&nbsp;

dennypayne · Answer

Hi Bob,
Seems like the easiest thing to do would be to create 2 more pools, one with the "non-restricted" members only and a second pool with only the "restricted" members, then you can do a nested if to take care of this.
Something like (I have not checked the syntax of this on an actual box):
when HTTP_REQUEST {
if { [findstr [HTTP::payload] "log local0. "MULTICARD_AUTH Found sending request to TIBCO Server."
   if { [IP::client_addr] equals x.x.x.x } {
    pool soaq-ccauth-restricted
   } else {
     pool soaq-ccauth-open
   }
} else {
log local0. "String not found sending to Webmethods only pool."
pool wbomxrealq_5080
}
}
I can't think of a good way to apply an ACL to only some members of a pool but maybe I'm missing something...
Denny

bob_olson_10988 · Answer

Thanks for your input Denny.   Your input gave me an idea.  I've modified the rule to look like this:&nbsp;
&nbsp; when HTTP_REQUEST {&nbsp;
&nbsp; After the client connects, inspect the payload and look for MUULTICARD_AUTH.
&nbsp;  if { [findstr [HTTP::payload] " If the string is found then send a log stating that and send it to pool with Tibco servers in it.
&nbsp;log local0. "MULTICARD_AUTH Found sending request to TIBCO Server."
&nbsp;     pool soaq-ccauth 
&nbsp; If the string isn't found then we direct them to a pool of nothing but Webmethods servers in it.
&nbsp; } else {
&nbsp;     log local0. "String not found sending to Webmethods only pool."
&nbsp; pool wbomxrealq_5080
&nbsp; }&nbsp;
&nbsp;}
&nbsp;when LB_SELECTED {
&nbsp;if { [matchclass [LB::server addr] equals $::tibco_servers ]} {
&nbsp;log local0. "Sent to Tibco." } {
&nbsp;if {not [matchclass [IP::client_addr] equals $::tibco_datagroup]} {
&nbsp;drop
&nbsp;log local0. "Dropping client" }&nbsp;
&nbsp;}
&nbsp;}&nbsp;

bob_olson_10988 · Answer

FYI, after some more testing this iRule seems to do the trick.&nbsp;&nbsp;  Tibco iRule v1.3  -   11/19/2007  &nbsp;
&nbsp;  This iRule will search for a string in the payload of an HTTP request and make a decision
&nbsp;  on which pool to send the request to and optionally log to /var/log/ltm .  IT will also
&nbsp;  verify that the client connecting is a trusted IP address.&nbsp;&nbsp;
&nbsp; when HTTP_REQUEST {
&nbsp; 
&nbsp; After the client connects, inspect the payload and look for MUULTICARD_AUTH.&nbsp;
&nbsp;if { [findstr [HTTP::payload] " If the string is found then send a log stating that and send it to pool with Tibco servers in it.
&nbsp;log local0. "MULTICARD_AUTH Found sending request to TIBCO Pool, server [LB::server addr]."
&nbsp;pool soaq-ccauth 
&nbsp; If the string isn't found then we direct them to a pool of nothing but Webmethods servers in it.
&nbsp; } else {
&nbsp;log local0. "String not found sending to Webmethods only pool."
&nbsp;pool wbomxrealq_5080
&nbsp;}&nbsp;
&nbsp; Once the load balancer makes a decision to send the request to a pool member, we check 
&nbsp; to see if the pool member is a Tibco server.  If the member is a Tibco server then we 
&nbsp; check to see if the client is in the allowed hosts datagroup. If the client doesn't exist,
&nbsp; then the connection is dropped.
&nbsp;}
&nbsp;when LB_SELECTED {
&nbsp; Get node address and check it against the tibco_servers class.
&nbsp; Get client IP address and check it against the tibco_datagroup class
&nbsp; If the client IP isn't in the class the connection gets dropped and logged.
&nbsp;if { [matchclass [LB::server addr] equals $::tibco_servers ] and
&nbsp;not ([matchclass [IP::client_addr] equals $::tibco_datagroup])} {
&nbsp;drop
&nbsp;            log local0. "Client, [IP::client_addr], not authorized to connect to Tibco server [LB::server addr]." }  else {
&nbsp; Log which member/node in the pool the client was sent to.
&nbsp;log local0. "Sent request from [IP::client_addr] to server [LB::server addr]" } 
&nbsp;}
&nbsp; &nbsp;

Forum Discussion

Restrict access to nodes in a pool after pool is selected.

3 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Cisco TACACS+ Config on ISE LTM Pair

How can I get started with iCall

Checking for X-Forwarded-For against an Address Data-Group

SSL Bridging and FQDN rewrite Policy

iRule causing requests to be duplicated (sometimes)

Related Content

Irule for restricting access

Office 365 Tenant Restrictions

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

Restricting direct access from public IP

Restrict Access to Exchange Administrative Center - Enhanced

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS