Eric_Frankenfie
Nimbostratus
Jul 07, 2010
Restricting Access to URI Based on IP Address
Is there a way for an iRule to restrict access to a URI based on IP address?
I would like UNRESTRICTED access to:
https://qa.ipcws.fiserv.com
I would like to RESTRICT access by IP address to:
https://qa.ipcws.fiserv.com/testAPI.aspx
- hoolio
Cirrostratus
With an IIS-based application, it's particularly difficult to handle all of the different encoding attacks in an iRule that a malicious user could send in the URI. See this post for some example iRules and sample obfuscation methods:
- Eric_Frankenfie
Nimbostratus
Where do I define the variable for the white list of allowable IP addresses?
- hoolio
Cirrostratus
You can define the IP addresses or subnets in a datagroup of type: address in the GUI under Local Traffic >> iRules >> Datagroup List. If you're on 9.4.4 or higher, you should reference the datagroup name without the $:: prefix in older examples to allow for CMP compatibility.
- Eric_Frankenfie
Nimbostratus
So, would I just call the data group (testapiAllowList) by name like this?

    when HTTP_REQUEST {
        if { [matchclass [string tolower [HTTP::path]] contains '/testapi.aspx'] } {
            if { !([matchclass [IP::client_addr] equals testapiAllowList])} {
                discard
            } else {
            }
        }
    }
- hoolio
Cirrostratus
That's close. Here's something to try:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::path]] contains "/testapi.aspx" } {
            if { !([matchclass [IP::client_addr] equals testapiAllowList])} {
                discard
            }
        }
    }
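Added example, not part of the original thread or F5's own code: the rule above extended so the path is percent-decoded to a stable form before matching, which addresses part of the encoding concern raised earlier in the thread. It assumes the address-type data group testapiAllowList named in the thread; the four-pass decode limit, the log messages and the 403 response are illustrative choices.

```tcl
when HTTP_REQUEST {
    # Percent-decode repeatedly until the path stops changing, so that
    # single- and multi-layer encodings of the protected name are compared
    # in one canonical form. The pass limit (4) is an assumed bound.
    set path [HTTP::path]
    set stable 0
    for { set i 0 } { $i < 4 } { incr i } {
        set decoded [URI::decode $path]
        if { $decoded eq $path } {
            set stable 1
            break
        }
        set path $decoded
    }
    set path [string tolower $path]

    # Fail closed: a path that is still changing after the pass limit is
    # treated as restricted rather than waved through.
    set restricted 0
    if { !$stable } {
        set restricted 1
    } elseif { $path contains "/testapi.aspx" } {
        set restricted 1
    }

    if { $restricted } {
        # testapiAllowList: address-type data group from the thread,
        # referenced without the $:: prefix for CMP compatibility.
        if { !([matchclass [IP::client_addr] equals testapiAllowList]) } {
            log local0. "Denied [IP::client_addr] for [HTTP::path]"
            HTTP::respond 403 content "Forbidden"
        }
    }
}
```

This covers case differences and layered percent-encoding only; other obfuscation methods that the web server may accept are not handled here.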
- Eric_Frankenfie
Nimbostratus
Thank you very much for your help and patience! I am new to iRules and really appreciate all the help I have received on DevCentral.
- iruler_85849
Nimbostratus
Ok, I am trying to work on an iRule to allow an IP to a URI that contains matches a word in the path, but I am having no luck. This is the iRule I have in place
- Kevin_Stewart
Employee
So you're saying, "if the requested path contains the string '/myword' and the client IP is NOT 127.0.0.01, then send a 'URL Blocked' message". Is this your intention?

    when HTTP_REQUEST {
        # Log the values being tested so the match can be verified
        log local0. "Path = [string tolower [HTTP::path]]"
        log local0. "Client IP = [IP::client_addr]"
        if { [IP::addr [IP::client_addr] equals 127.0.0.01/32] } {
            log local0. "Local client IP"
        }
        # Block when the path contains the word and the client is not the allowed IP
        if { ( [string tolower [HTTP::path]] contains "/myword" ) and not ( [IP::addr [IP::client_addr] equals 127.0.0.01/32] ) } {
            log local0. "dropped"
            HTTP::respond 200 content "URL Blocked"
        }
    }
- iruler_85849
Nimbostratus
Kevin,
Yes, you are correct with the understanding.
I do want to thank you for your help.
Turning on the extra logging, I see my trigger word is not staying in the URI when I am being moved from one VS to the other VS.
Again, thank you.