Forum Discussion
done_23947
Nimbostratus
Apr 07, 2011
restrict public access
I need help w/ an iRule.
I have two URLs, https://ssb.xx/ODSP/twbkwbis.P_ValLogin and https://ssb.xx/PROD/twbkwbis.P_WWWLogin.
Both use the same public IP address VIP.
I would like to allow public Internet access to one but not the other. And allow only private addresses (internal users) 10.233.x.x to the non public URL. Thanks
10 Replies
- Michael_Yates
Nimbostratus
Hi Done,
Your [HTTP::host] value appears to be the same for both URLs so I am making an assumption and using the [HTTP::uri].
I don't know how many internal subnets you have so I also made the assumption that you might want to use a Data Group so that you can add additional subnets in the future.
This is written for v10:
Create a Data Group (Local Traffic -> iRules -> Data Group List) and add the Networks you want to allow to the /PROD into it.

when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/prod" } {
        if { ![class match [IP::client_addr] equals InternalNetworkList ] } {
            # Take Action Here.
            HTTP::redirect "https://ssb.xx/ODSP/twbkwbis.P_ValLogin"
        }
    }
}

Hope this helps or gets you started.
- done_23947
Nimbostratus
Thanks much but I think I need something more basic. One Virtual Server and two URLs
"https://ssb.xx/ODSP/twbkwbis.P_ValLogin" and "https://ssb.xx/PROD/twbkwbis.P_WWWLogin".
If "https://ssb.xx/PROD/twbkwbis.P_WWWLogin" allow only internal users 10.x.x.x
Thanks again
- Chris_Miller
Altostratus
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/prod" and ![IP::addr [IP::client_add] equals 10.233.0.0/16] } {
        discard
    }
}
That will check if the URI starts with prod. If it starts with prod and the user's IP isn't in the 10.233.0.0/16 network, it'll discard the request.
Is that what you wanted? Like Michael, I also like to use data groups here for scalability but if this is all you need, perhaps it'll suffice.
- done_23947
Nimbostratus
That looks good. Thanks very much.
- done_23947
Nimbostratus
Sorry, I'm new to iRules. Getting the following error in the iRule editor.
line2:[undefined procedure:IP::client_add][IP::client_add]
LTM version is "BIG-IP 10.0.1 Build 378.0 Hotfix HF3 "
- hoolio
Cirrostratus
It's just missing an r on IP::client_addr.
Aaron
- done_23947
Nimbostratus
Sorry I didn't see that. Will test it this weekend. Thanks much.
- Chris_Miller
Altostratus
Hah - maybe we should get a compiler built into posts so I can validate that stuff before clicking submit.
- Michael_Yates
Nimbostratus
Spell Check! Spell Check! (with custom library for TCL Commands and iRule Lingo). - Spell check would be great..
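
A consolidated version of the rule discussed in this thread, as an added example that is not code from any of the posters: it uses the data group from the first reply, the `discard` from the second, and the corrected `IP::client_addr`. It assumes an Address-type data group named InternalNetworkList containing 10.233.0.0/16, and it matches on `HTTP::path` rather than `HTTP::uri` and logs denials (choices made here, not in the thread).

```tcl
# Added example, not from the thread.
# Assumption: InternalNetworkList is an Address-type data group
# (Local Traffic -> iRules -> Data Group List) holding 10.233.0.0/16.
when HTTP_REQUEST {
    # Compare the lower-cased path only, so letter case and the query
    # string cannot change the outcome of the prefix check.
    if { [string tolower [HTTP::path]] starts_with "/prod" } {
        # Allow the request only when the client address falls inside
        # one of the networks listed in the data group.
        if { ![class match [IP::client_addr] equals InternalNetworkList] } {
            # Record the denied request so blocked access shows up in the logs.
            log local0. "Denied /PROD access from [IP::client_addr]: [HTTP::path]"
            # Silently drop the request, as in the second reply.
            discard
            return
        }
    }
    # Everything else, including /ODSP, is passed through unchanged.
}
```

`IP::client_addr` is the source address of the connection as the BIG-IP sees it, so internal users who reach the VIP through a NAT device will not match 10.233.0.0/16.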