Forum Discussion

Nolan_Jensen's avatar
Nolan_Jensen
Icon for Cirrostratus rankCirrostratus
Sep 24, 2019

Source IP and http path restriction via irule or LTM policy

I am trying to figure out the best way to accomplish the below scenario so any help you can provide would be greatly appreciated.     I would like to be able to allow and block certain IP's and htt...
application delivery
iRules
LTM
LTM Policies
Enes_Afsin_Al's avatar
Enes_Afsin_Al
Icon for MVP rankMVP

Hi Nolan Jensen,

Only rule2 is enough. I think, wildcard characters not working in policy. I'm not sure. You can use "starts with" instead of "is", and remove wildcard (*).

iRule:

when HTTP_REQUEST {
	if { not ([class match [IP::client_addr] equals nolan_test]) } {
		switch -glob [string tolower [HTTP::uri]] {
			"/maintenancepagedev/swagger/*" -
			"/maintenancepagedev/api/remove/*" -
			"/maintenancepagedev/api/update/*" -
			"/maintenancepagedev/api/set/*" -
			"/treecoupondev/*" {
				# log local0. "Uri: [HTTP::uri] ClientIP: [IP::client_addr]"
				reject
			}
			default {
				# log local0. "Uri: [HTTP::uri] ClientIP: [IP::client_addr]"
			}
		}
	}
}
Nolan_Jensen's avatar
Nolan_Jensen
Icon for Cirrostratus rankCirrostratus
Sep 24, 2019

Thank you very much for the response!

I tried just that rule of the policy but didn't seem to work. I was still able to access uri's that I didn't want to access from an IP that was not in my data group list.

I also tried the irule you provided and it seems to be working with my initial testing.

Typically when doing a irule to allow or reject access to a VS based on source IP I have done the client accepted method below.

  1. Is the client accepted a better way to do source ip via irule?
  2. if so can my irule combine both of them and get the same logic to work? 
when CLIENT_ACCEPTED {
	if { not [class match [IP::client_addr] equals nolan_test] } {
	reject
	}
}