Apr 07, 2011

restrict public access

I need help w/ an iRule.


I have two URLs, https://ssb.xx/ODSP/twbkwbis.P_ValLogin and https://ssb.xx/PROD/twbkwbis.P_WWWLogin.


Both use same public IP address VIP.


I would like to allow public Internet access to one but not the other. And allow only private addresses (internal users) 10.233.x.x to the non public URL. Thanks

  • Hi Done,

    Your [HTTP::host] value appears to be the same for both URLs so I am making an assumption and using the [HTTP::uri].

    I don't know how many internal subnets you have so I also made the assumption that you might want to use a Data Group so that you can add additional subnets in the future.

    This is written for v10:

    Create a Data Group (Local Traffic -> iRules -> Data Group List) and add the Networks you want to allow to /PROD into it.

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "/prod" } {
            if { ![class match [IP::client_addr] equals InternalNetworkList] } {
                # Take action here, e.g. send the client to the public login page.
                HTTP::redirect "https://ssb.xx/ODSP/twbkwbis.P_ValLogin"
            }
        }
    }

    Hope this helps or gets you started.
  • Thanks much but I think I need something more basic. One Virtual Server and two URLs


    "https://ssb.xx/ODSP/twbkwbis.P_ValLogin" and "https://ssb.xx/PROD/twbkwbis.P_WWWLogin".



    If "https://ssb.xx/PROD/twbkwbis.P_WWWLogin" allow only internal users 10.x.x.x



    Thanks again



    when HTTP_REQUEST {
        # 10.0.0.0/8 is the "10.x.x.x" internal range named in the question
        if { [string tolower [HTTP::uri]] starts_with "/prod" and ![IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
            discard
        }
    }

    That will check if the URI starts with prod. If it starts with prod and the user's IP isn't in the network, it'll discard the request.

    Is that what you wanted? Like Michael, I also like to use data groups here for scalability but if this is all you need, perhaps it'll suffice.
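    The data-group approach both replies above mention, written out as a complete v10 iRule. This is an added example, not code from either poster; it assumes an Address-type Data Group named InternalNetworkList already exists (containing, for instance, the 10.233.0.0/16 range from the question), and it answers blocked requests with a 403 and a log line instead of silently dropping them.

```tcl
# Added example (not from the thread): only internal clients may reach /PROD.
# Assumes a Data Group "InternalNetworkList" (type Address) holds the
# internal networks, e.g. 10.233.0.0/16 from the original question.
when HTTP_REQUEST {
    # HTTP::path is the URI without the query string; lower-casing it makes
    # /PROD, /Prod and /prod all match the same rule.
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/prod" } {
        if { not [class match [IP::client_addr] equals InternalNetworkList] } {
            # Record the denied attempt so blocked requests show up in /var/log/ltm.
            log local0. "Denied $path from [IP::client_addr]"
            # Explicit 403 rather than discard: the client learns it is not
            # authorised, and the request never reaches the pool.
            HTTP::respond 403 content "Forbidden" Content-Type "text/plain"
            return
        }
    }
    # Everything else, including /ODSP, is passed to the pool unchanged.
}
```

    Adding or removing an internal subnet is then a Data Group edit rather than an iRule change.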
  • Sorry, I'm new to iRule. Getting following error in irule editor.



    line2:[undefined procedure:IP::client_add][IP::client_add]



    LTM version is "BIG-IP 10.0.1 Build 378.0 Hotfix HF3 "


  • Sorry I didn't see that. Will test it this weekend. thanks much.


  • Hah - maybe we should get a compiler built into posts so I can validate that stuff before clicking submit.
  • Spell Check! Spell Check! (with custom library for TCL Commands and iRule Lingo).