Forum Discussion
JamesR_40280
Nimbostratus
NimbostratusRestricting Access by IP to different web application
We're using a HA pair of ASM-4100 devices to secure a web application. We have a good policy for outside users that restricts access to general areas. However we also have internal staff that need access to administrative areas. We would like to allow those local users based on a class C IP address range (10.1.1.0) to access the site without the policy that is used by other users. I have tried enabling X-forwarded-for on the http class on the Virtual Server, and then attempting to find the local IP in the host with a HTTP Class Profile that will then send them to a less restrictive ASM class, but have not had any success. I'm not sure I'm giving the HTTP Class Profile the right code in the Hosts area. I'm using (regex) X-Forwarded-For:10.1.1*.
I've also used several other combinations of regular expressions and pattern strings with no success.
Is this a reasonable approach to what I'm trying to accomplish? I've seen the iRule samples for IP forwarding to different Virtual Servers, but I want the same virtual server to send traffic to one web application versus another. Also, I'm not sure how to adopt those samples to what we're trying to do.
hoolioCirrostratus
Ideally, matching on the source IP against a list of hosts/networks would be an option on the HTTP class filters. There is an existing 'request for enhancement' asking for this functionality. It would be good to open a case with F5 Support (websupport.f5.com) and ask them to attach your case to the existing request.
Inserting an XFF header and then using that for HTTP class matching is an interesting idea for how to select an HTTP class based on the client IP address. It does seem to work, if you enable the insertion of XFF or a custom header on the HTTP profile. A filter you can use on the HTTP class is:
Pattern (not regex): X-Forwarded-For: 192.168.*
This worked in a quick test.
However, from a security standpoint, it would be better to use an iRule to remove all instances of the header name you're going to use and then insert the client IP address in the header. This ensures that a malicious client couldn't affect the class selection by inserting their own value in the header. Here's an example:when HTTP_REQUEST { Insert a test header value to verify it's removed by this rule (remove this after testing) HTTP::header insert name "X-Forwarded-For" value hacked_value Log the current header names log local0. "\[HTTP::header names\]: [HTTP::header names]" Remove all instances of the existing headers while {[HTTP::header exists x-forwarded-for]}{ log local0. "Current value: \[HTTP::header value x-forwarded-for\]: [HTTP::header value x-forwarded-for]" Remove the current header HTTP::header remove x-forwarded-for log local0. "\[HTTP::header names\]: [HTTP::header names]" } Insert the actual client IP address in the header HTTP::header insert name "X-Forwarded-For" value [IP::client_addr] }
Also, this string matching approach only allows you to match on class A, B, C or hosts. If you wanted to do a more precise match, you could define the hosts/networks in a datagroup, check the client IP address against the class using matchclass (Click here) and then manually select the corresponding HTTP class in an iRule using the HTTP::class command (Click here). Note that any HTTP class you specify must already be configured as a resource of the virtual server. If you take this route and want an example, let us know.
Thanks,
Aaron
JamesR_40280Worked brilliantly. Thank you very much for your assistance. I will enter a web case to pile on the existing 'request for enhancement'.- hoolioThat's good to hear. And thanks for opening a case for the RFE. The more requests F5 gets, the more visibility the CR gets.
Thanks,
Aaron 
Chris_Phillips10 get ltm config request
20 google it
30 read hoolios solution
40 profit
50 go 10
:-)