For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Eric_Frankenfie's avatar
Eric_Frankenfie
Icon for Nimbostratus rankNimbostratus
Jul 07, 2010

Restricting Access to URI Based on IP Address

Is there a way for an iRule to restrict access to an URI based on IP address? I would like UNRESTRICTED access to: https://qa.ipcws.fiserv.com I would like to RESTRICT access by IP address to: https...
application delivery
dev
devops
iRules
Viv_Richards's avatar
Viv_Richards
Icon for Cirrostratus rankCirrostratus
Jul 19, 2017

Dear All,

 

I have tried below iRule with the intension to access specific URI (testapi.apsx) from specific IP which is part of testapiAllowList datagroup , however when I am trying to access URI (testapi.aspx), it is still accessible from the IP which is not part of testapiAllowList datagroup

 

======================= when HTTP_REQUEST { if { [string tolower [HTTP::path]] contains "/testapi.aspx" } { if { !([matchclass [IP::client_addr] equals testapiAllowList])} { discard }

 

==========

 

As per my understanding, if I am not part of testapiAllowList datagroup, I should not able to access URI "/tetsapi.aspx"

 

Kindly correct me if I am wrong

 

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jul 19, 2017

The logic here seems sound. What does your data group look like?

Maybe add some logging to see what's going on.

when HTTP_REQUEST {
    if { [string tolower [HTTP::path]] contains "/testapi.aspx" } {
        if { !([matchclass [IP::client_addr] equals testapiAllowList]) } {
            log local0. "discarding"
            discard
        } else {
            log local0. "allowing"
        }
    } else {
        log local0. "something else"
    }
}