Restriction of access to URI by IP

Question

So I'm needing to restrict access to 4 URIs by IP Address. I have created the following iRule and Datagroup. At this time, it works for the first URI in the list, but returns a 404 error for the rest of the URIs below. Is there something that I am missing, it looks like it should function normally.
Thanks

class grs_access {
   {
      network 10.0.0.0/8
      host 50.16.227.16
      network 172.16.0.0/16
      network 192.168.0.0/16
      host 204.236.236.43
   }

rule grsreg_whitelist {
   when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        "/grda*" {
            if {not [matchclass [IP::client_addr] equals grs_access]}{
                HTTP::respond 403 content {Blocked!}
            }
        }
        "/grsupport*" {
            if {not [matchclass[IP::client_addr] equals grs_access]}{
                HTTP::respond 403 content {Blocked!}
            }
        }
        "/grreg*" {
            if {not [matchclass[IP::client_addr] equals grs_access]}{
                HTTP::respond 403 content {Blocked!}
            }
        }
        "/grrt*" {
            if {not [matchclass[IP::client_addr] equals grs_access]}{
                HTTP::respond 403 content {Blocked!}
            }
        }
    }
}
}

hooleylist · Answer

Hi Joe, 
 Are you sure about the 404?  The iRule should either send a 403 or send the request to the VS default pool.  I don't see how LTM could cause a 404 here either by rewriting the request or selecting the wrong pool. 
 Though you are missing a space between matchclass and the client IP in the last three switch cases.  That should cause a runtime TCL error and TCP reset being sent to the client.
Also, you could combine the four URIs into one switch action like this: 
 when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        "/grda*" -
        "/grsupport*" -
        "/grreg*" -
        "/grrt*" {
            if {not [matchclass [IP::client_addr] equals grs_access]}{
                HTTP::respond 403 content {Blocked!}
            }
        }
    }
}
 
 Aaron

joe_gorman_4645 · Answer

Ah... Geez... The missing space is what did me in. Thank you for the prompt response and for the abridged version of the rule. I wasn't sure if stacking them like that would have the desired effect, but being fairly new to this your wisdom is very appreciated. 
&nbsp;  
&nbsp; Thanks

Forum Discussion

Restriction of access to URI by IP

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

Restrict access to virtual server during specified time

iRule - Restricting IP addresses for a portion of URI

Accessing Different URI Paths in the same APM Session

Variable Length URI Lookup

Restrict access to VS by ip & time

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS