CraigWoo
Sep 24, 2022

simple redirect irule based off ip

Hi All

I am very new to iRules, as we just got our first BIG-IP this week, and have a rookie question for you.

I'm trying to redirect a sub-section of a site that I have got working with

when HTTP_REQUEST {
  if { [string tolower [HTTP::uri]] starts_with "/restricted1" } {
    HTTP::redirect "https://demo.com/not-allowed"
  }
}

I have a requirement that if the client IP matches, say, 10.2.2.0/24, then still allow the connection.

when HTTP_REQUEST {
if {[IP::addr 10.2.2.0/24 equals [IP::client_addr]]}
{ HTTP::redirect [HTTP::uri] }
else
{ HTTP::redirect HTTP::redirect "https://demo.com/not-allowed" }
}

I can't seem to get it working without affecting the whole site, as I'm just after redirecting the /restricted part. Any pointers, or am I doing this the wrong way?

Peace

  • Hello, how many networks do you need to match? 

    For allowing multiple client networks you'll need a data group. 

    See this example below - note that "getfield" returns a string so I'm changing the format to IP address using IP::addr .

     

    when HTTP_REQUEST {
      if { [string tolower [HTTP::uri]] starts_with "/restricted1" } {
        if { [IP::addr [getfield [IP::client_addr] "%" 1] equals "10.2.2.0/24"] } {
          # this is a sample with a static client network
          return
        } elseif { [class match [getfield [IP::client_addr] "%" 1] equals datagroup_allowed_networks] } {
          # when you have multiple subnets to match, it is recommended to use a data group created as Address (IP) type
          return
        } else {
          HTTP::redirect "https://demo.com/not-allowed"
        }
      }
    }

     

    • CraigWoo

      Thanks, CA_Valli

      Just the one for now. I've removed the data group for now and it seems to be working; will do some more testing and let you know. Thanks heaps for this.

      • CA_Valli

        Happy to help. If this helped resolve the issue, please "accept solution" for my previous message so that this thread is closed and it's easier for other users with a similar problem to find it.

  • Thanks, have updated now. This worked in the lab for our ECP portal.

     

    when HTTP_REQUEST {
      if { [string tolower [HTTP::uri]] starts_with "/ecp" } {
        if { [class match [getfield [IP::client_addr] "%" 1] equals ecp-access] } {
          # client address is in the ecp-access data group: allow the request
          return
        } else {
          HTTP::redirect "https://wwww.testwebsite.com/not-allowed"
        }
      }
    }
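
An added example, not posted by anyone in this thread, that puts the pieces discussed above together: one Address (IP) type data group as the allow-list, the route-domain suffix stripped before matching, and a log entry for every redirected client so denied attempts show up in /var/log/ltm. The data group name `restricted_allowed_networks` and the log wording are assumptions; the path and redirect URL are the ones from the question.

```tcl
# Assumed data group (hypothetical name), created once as an Address (IP) type,
# for example from tmsh:
#   create ltm data-group internal restricted_allowed_networks type ip \
#       records add { 10.2.2.0/24 { } }

when HTTP_REQUEST {
    # Compare against the path only, so the query string never takes part in the match.
    set path [string tolower [HTTP::path]]

    # Requests outside the restricted section fall through untouched.
    if { $path starts_with "/restricted1" } {

        # IP::client_addr can carry a route-domain suffix (for example 10.2.2.5%1);
        # keep only the address part before matching.
        set client [getfield [IP::client_addr] "%" 1]

        if { [class match $client equals restricted_allowed_networks] } {
            # Client is inside an allowed network: let the request through.
            return
        }

        # Everyone else is redirected, and the denial is logged.
        log local0.info "restricted1 denied: client=$client path=$path"
        HTTP::redirect "https://demo.com/not-allowed"
    }
}
```

Adding or removing an allowed network then only means editing the data group; the iRule itself stays unchanged.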