Forum Discussion
Restricting Access to URI Based on IP Address
21 Replies
- Lornz_118797
Nimbostratus
I'm trying to do similar, with (I think) an understanding that f5 recommends not using data groups in a multiprocessor system. So I'm trying to do this:
when HTTP_REQUEST {
switch -glob [HTTP::uri] {
"/healthcheck" {
if { not (([IP::client_addr] equals 10.0.0.0/8) || ([IP::client_addr] equals 172.16.0.0/12) || ([IP::client_addr] equals 192.168.0.0/24)) } {
HTTP::respond 403 content {Blocked!}
}
}
}
}
BigIP is protesting with this though:
01070151:3: Rule [block_public_healthcheck] error: line 4: [parse error: PARSE syntax 128 {syntax error in expression " not (([IP::client_addr] equals 10.0.0.0/8) || ([IP::client_...": looking for close parenthesis}] [{ not (([IP::client_addr] equals 10.0.0.0/8) || ([IP::client_addr] equals 172.16.0.0/12) || ([IP::client_addr] equals 192.168.0.0/24)) }]
and I can't tell if it's because I'm actually using incorrect language, as I'm not seeing a missed close paren. Thanks!
- Kevin_Stewart
Employee
So first things first, I can't imagine anyone suggesting that data groups aren't recommended in multiprocessor systems. They work perfectly well and in many cases simplify your iRules. In any case, here's a slight modification of your conditional.
if { not ( [IP::addr [IP::client_addr] equals 10.0.0.0/8] or [IP::addr [IP::client_addr] equals 172.16.0.0/12] or [IP::addr [IP::client_addr] equals 192.168.0.0/24] ) } {
- Christopher_Boo
Cirrostratus
I've had a similar iRule (using data groups) in place for months with no issues on a 3600.
- Lornz_118797
Nimbostratus
Hi Kevin- Thanks a bunch, this at least got me to save, and testing now. I'll follow up with f5 to see if we can jettison the understanding that our team got before about the data groups. Thanks again!
- Lornz_118797
Nimbostratus
Hi Christopher- thanks a lot for this information, too. I'm following up here and with f5 to see where this idea came from, and if we can ignore it. Regards, Lorenz
- Colin_Walker_12
Historic F5 Account
I can say with absolute certainty that data groups are very much recommended on multi-processor systems. They work great, and we use them all the time. ;)
Colin
- nullck_120095
Nimbostratus
Hi,
I resolved this problem, then used:
when HTTP_REQUEST {
    # Default to "not OK" so $status always exists, even when no network matches
    set status "NO"
    # Subnet tests need IP::addr; a plain switch/glob on the address string never matches a CIDR
    if { [IP::addr [IP::client_addr] equals 200.34.20.0/20] || [IP::addr [IP::client_addr] equals 172.16.0.0/16] || [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        set status "OK"
    }
    if { $status != "OK" } {
        # "matches" is a glob match, so the trailing * is needed to cover everything under each prefix
        if { [HTTP::uri] matches "/admin/*" or [HTTP::uri] matches "/administrator/*" or [HTTP::uri] matches "/administracao/*" } {
            HTTP::redirect http://[HTTP::host]
        }
    }
}
- Viv_Richards
Cirrostratus
Dear All,
I have tried the below iRule with the intention that a specific URI (testapi.aspx) be accessible from specific IPs which are part of the testapiAllowList data group; however, when I try to access the URI (testapi.aspx), it is still accessible from an IP which is not part of the testapiAllowList data group.
=======================
when HTTP_REQUEST {
    if { [string tolower [HTTP::path]] contains "/testapi.aspx" } {
        if { !([matchclass [IP::client_addr] equals testapiAllowList]) } {
            discard
        }
    }
}
==========
As per my understanding, if I am not part of the testapiAllowList data group, I should not be able to access the URI "/testapi.aspx".
Kindly correct me if I am wrong.
- Kevin_Stewart
Employee
The logic here seems sound. What does your data group look like?
Maybe add some logging to see what's going on.
when HTTP_REQUEST {
    if { [string tolower [HTTP::path]] contains "/testapi.aspx" } {
        if { !([matchclass [IP::client_addr] equals testapiAllowList]) } {
            log local0. "discarding"
            discard
        } else {
            log local0. "allowing"
        }
    } else {
        log local0. "something else"
    }
}
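A complete version of what both of Kevin's replies point at, added here as an example rather than code from the thread: the URI check plus an address-type data group lookup, with logging on both branches so the decision is visible. It assumes a data group named testapiAllowList of type ip (the name is the one from the question; the records and the tmsh line are constructed).

```tcl
# Added example, not code from the thread. Assumes an address-type (type ip)
# data group named testapiAllowList exists; constructed tmsh example:
#   create ltm data-group internal testapiAllowList type ip \
#       records add { 10.0.0.0/8 { } 172.16.0.0/12 { } 192.168.0.0/16 { } }
# If the data group was created as type string instead of type ip, a
# "class match ... equals" on an address never matches, and an allowlist like
# the one in the question lets every client through. That is the first thing
# to check when an IP allowlist "does nothing".
when HTTP_REQUEST {
    # Normalise once. HTTP::path excludes the query string, so a request such as
    # /public?x=/testapi.aspx cannot satisfy the check the way HTTP::uri could.
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/testapi.aspx" } {
        if { [class match [IP::client_addr] equals testapiAllowList] } {
            log local0. "allow [IP::client_addr] -> $path"
        } else {
            # An explicit 403 gives the client a definite answer and leaves a
            # clear deny record in the log; "discard" just drops the connection.
            log local0. "deny [IP::client_addr] -> $path"
            HTTP::respond 403 content "Blocked!" noserver Connection close
        }
    }
}
```

Tail /var/log/ltm while requesting the URI from an allowed and a non-allowed address; if neither "allow" nor "deny" line appears, the rule is not reaching the path check, and if only "allow" appears for every source, the data group type is the likely culprit.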