Forum Discussion
Joe_Gorman_4645
Nimbostratus
Mar 05, 2012
Restriction of access to URI by IP
So I'm needing to restrict access to 4 URIs by IP Address. I have created the following iRule and Datagroup. At this time, it works for the first URI in the list, but returns a 404 error for the rest of the URIs below. Is there something that I am missing? It looks like it should function normally.
Thanks
class grs_access {
   {
      network 10.0.0.0/8
      host 50.16.227.16
      network 172.16.0.0/16
      network 192.168.0.0/16
      host 204.236.236.43
   }
}
rule grsreg_whitelist {
   when HTTP_REQUEST {
      switch -glob [string tolower [HTTP::path]] {
         "/grda*" {
            if {not [matchclass [IP::client_addr] equals grs_access]}{
               HTTP::respond 403 content {Blocked!}
            }
         }
         "/grsupport*" {
            if {not [matchclass[IP::client_addr] equals grs_access]}{
               HTTP::respond 403 content {Blocked!}
            }
         }
         "/grreg*" {
            if {not [matchclass[IP::client_addr] equals grs_access]}{
               HTTP::respond 403 content {Blocked!}
            }
         }
         "/grrt*" {
            if {not [matchclass[IP::client_addr] equals grs_access]}{
               HTTP::respond 403 content {Blocked!}
            }
         }
      }
   }
}
2 Replies
- hoolio
Cirrostratus
Hi Joe,
Are you sure about the 404? The iRule should either send a 403 or send the request to the VS default pool. I don't see how LTM could cause a 404 here either by rewriting the request or selecting the wrong pool.
Though you are missing a space between matchclass and the client IP in the last three switch cases. That should cause a runtime TCL error and TCP reset being sent to the client.
Also, you could combine the four URIs into one switch action like this:
when HTTP_REQUEST {
   switch -glob [string tolower [HTTP::path]] {
      "/grda*" -
      "/grsupport*" -
      "/grreg*" -
      "/grrt*" {
         if {not [matchclass [IP::client_addr] equals grs_access]}{
            HTTP::respond 403 content {Blocked!}
         }
      }
   }
}
Aaron
- Joe_Gorman_4645
Nimbostratus
Ah... Geez... The missing space is what did me in. Thank you for the prompt response and for the abridged version of the rule. I wasn't sure if stacking them like that would have the desired effect, but being fairly new to this your wisdom is very appreciated.
Thanks
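A pre-deployment check for the mistake found in this thread, as an added example that is not part of the original posts or of F5's tooling: a heuristic Python scan that flags a command name running straight into `[` with no space, as in `[matchclass[IP::client_addr] ...`. The function name, the regular expression and the sample rule are constructed for illustration.

```python
import re

# Heuristic: the first word of a command substitution ("[cmd ...") is glued
# to another "[" with no separating space, e.g. "[matchclass[IP::client_addr]".
# Tcl then joins the name with the substitution result and fails at run time.
GLUED_CMD = re.compile(r"\[\s*([A-Za-z_][\w:]*)\[")


def find_glued_commands(rule_text):
    """Return (line_number, command_name) for each glued command found."""
    findings = []
    for lineno, line in enumerate(rule_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip Tcl comment lines
            continue
        for match in GLUED_CMD.finditer(line):
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample: two arms shaped like the rule in the thread,
# the first written correctly, the second with the space missing.
SAMPLE_RULE = """\
when HTTP_REQUEST {
  switch -glob [string tolower [HTTP::path]] {
    "/grda*" {
      if {not [matchclass [IP::client_addr] equals grs_access]} {
        HTTP::respond 403 content {Blocked!}
      }
    }
    "/grsupport*" {
      if {not [matchclass[IP::client_addr] equals grs_access]} {
        HTTP::respond 403 content {Blocked!}
      }
    }
  }
}
"""

if __name__ == "__main__":
    for lineno, cmd in find_glued_commands(SAMPLE_RULE):
        print(f"line {lineno}: no space after '{cmd}' before '['")
```

Because the error only surfaces at run time on the affected switch arm, a text scan like this catches it before the rule is attached to a virtual server; it is a heuristic and does not replace testing each protected URI from an allowed and a disallowed address.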