Forum Discussion
Nolan_Jensen
Cirrostratus
CirrostratusSource IP and http path restriction via irule or LTM policy
I am trying to figure out the best way to accomplish the below scenario so any help you can provide would be greatly appreciated. I would like to be able to allow and block certain IP's and htt...
Hi Nolan Jensen,
Only rule2 is enough. I think, wildcard characters not working in policy. I'm not sure. You can use "starts with" instead of "is", and remove wildcard (*).
iRule:
when HTTP_REQUEST {
if { not ([class match [IP::client_addr] equals nolan_test]) } {
switch -glob [string tolower [HTTP::uri]] {
"/maintenancepagedev/swagger/*" -
"/maintenancepagedev/api/remove/*" -
"/maintenancepagedev/api/update/*" -
"/maintenancepagedev/api/set/*" -
"/treecoupondev/*" {
# log local0. "Uri: [HTTP::uri] ClientIP: [IP::client_addr]"
reject
}
default {
# log local0. "Uri: [HTTP::uri] ClientIP: [IP::client_addr]"
}
}
}
}
Nolan_JensenCirrostratus
CirrostratusThank you very much for the response!
I tried just that rule of the policy but didn't seem to work. I was still able to access uri's that I didn't want to access from an IP that was not in my data group list.
I also tried the irule you provided and it seems to be working with my initial testing.
Typically when doing a irule to allow or reject access to a VS based on source IP I have done the client accepted method below.
- Is the client accepted a better way to do source ip via irule?
- if so can my irule combine both of them and get the same logic to work?
when CLIENT_ACCEPTED {
if { not [class match [IP::client_addr] equals nolan_test] } {
reject
}
}
