Forum Discussion
Bob_Olson_10988
Nimbostratus
Nov 16, 2007
Restrict access to nodes in a pool after pool is selected.
Hello;
I'm extremely new to iRules and am doing my best at teaching myself. These forums are a huge help. I've been asked to come up with something that I'm not sure is even possible.
...
Bob_Olson_10988
Nimbostratus
Nov 20, 2007
FYI, after some more testing this iRule seems to do the trick.

# Tibco iRule v1.3 - 11/19/2007
# This iRule will search for a string in the payload of an HTTP request and make a decision
# on which pool to send the request to and optionally log to /var/log/ltm. It will also
# verify that the client connecting is a trusted IP address.
when HTTP_REQUEST {
    # After the client connects, inspect the payload and look for MULTICARD_AUTH.
    if { [findstr [HTTP::payload] "MULTICARD_AUTH"] ne "" } {
        # If the string is found then send a log stating that and send it to pool with Tibco servers in it.
        log local0. "MULTICARD_AUTH Found sending request to TIBCO Pool, server [LB::server addr]."
        pool soaq-ccauth
    } else {
        # If the string isn't found then we direct them to a pool of nothing but Webmethods servers in it.
        log local0. "String not found sending to Webmethods only pool."
        pool wbomxrealq_5080
    }
}
# Once the load balancer makes a decision to send the request to a pool member, we check
# to see if the pool member is a Tibco server. If the member is a Tibco server then we
# check to see if the client is in the allowed hosts datagroup. If the client doesn't exist,
# then the connection is dropped.
when LB_SELECTED {
    # Get node address and check it against the tibco_servers class.
    # Get client IP address and check it against the tibco_datagroup class.
    # If the client IP isn't in the class the connection gets dropped and logged.
    if { [matchclass [LB::server addr] equals $::tibco_servers] and
         not ([matchclass [IP::client_addr] equals $::tibco_datagroup]) } {
        drop
        log local0. "Client, [IP::client_addr], not authorized to connect to Tibco server [LB::server addr]."
    } else {
        # Log which member/node in the pool the client was sent to.
        log local0. "Sent request from [IP::client_addr] to server [LB::server addr]"
    }
}
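An offline model of the policy the iRule above enforces, added here as an example and not part of the original post or of any F5 code: it enumerates which client, payload and node combinations are forwarded or dropped, and checks that no untrusted client reaches a Tibco node even though the payload string that picks the pool is client-controlled. All IP addresses, the data group contents and the pool membership are constructed assumptions; only the pool names and the search string come from the post.

```python
import ipaddress

# Constructed sample data groups; the real contents of tibco_servers and
# tibco_datagroup are not shown in the post.
TIBCO_SERVERS = {"10.0.1.10", "10.0.1.11"}
TIBCO_DATAGROUP = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.7/32")]
# Assumed membership: soaq-ccauth mixes Tibco and non-Tibco nodes.
POOLS = {
    "soaq-ccauth": ["10.0.1.10", "10.0.1.11", "10.0.2.20"],
    "wbomxrealq_5080": ["10.0.2.20", "10.0.2.21"],
}

def select_pool(payload: str) -> str:
    # Mirrors HTTP_REQUEST: case-sensitive substring match on the payload.
    return "soaq-ccauth" if "MULTICARD_AUTH" in payload else "wbomxrealq_5080"

def client_allowed(client: str) -> bool:
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in TIBCO_DATAGROUP)

def lb_selected(client: str, node: str) -> str:
    # Mirrors LB_SELECTED: only Tibco nodes are gated by the client allow-list.
    if node in TIBCO_SERVERS and not client_allowed(client):
        return "drop"
    return "forward"

def policy_matrix(clients, payloads):
    """Evaluate every (client, payload, candidate node) combination."""
    rows = []
    for client in clients:
        for payload in payloads:
            pool = select_pool(payload)
            for node in POOLS[pool]:
                rows.append((client, pool, node, lb_selected(client, node)))
    return rows

def violations(rows):
    """Rows where an untrusted client would be forwarded to a Tibco node."""
    return [r for r in rows
            if r[3] == "forward" and r[2] in TIBCO_SERVERS and not client_allowed(r[0])]

if __name__ == "__main__":
    clients = ["192.0.2.5", "203.0.113.9"]          # trusted, untrusted (constructed)
    payloads = ["<req>MULTICARD_AUTH</req>", "<req>BALANCE</req>"]
    for row in policy_matrix(clients, payloads):
        print(*row, sep="\t")
    print("violations:", violations(policy_matrix(clients, payloads)))
```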