Forum Discussion
Pankaj_70057
Jan 26, 2012 (Nimbostratus)
To block some specific traffic from F5 for specific virtual directory
Here is our requirement, so if possible can you send me an actual iRule to fulfill this requirement.

Site: https://www.xyz.com/bac
Allowed below hosts:
- 174.26.53.0/24
- 172.56.36.2
- 175.63.54.0/24
Block: all others

Site: https://wwww.xyz.com
Allowed for any

So we require only a filter for the /bac virtual directory; all other sites run without any filter.
Thanks Pankaj
- hoolio (Cirrostratus): Hi Pankaj,

```tcl
# Only clients listed in the address data group allowed_hosts_dg may reach /bac
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        "/bac*" {
            if { not [class match [IP::client_addr] equals allowed_hosts_dg] } {
                HTTP::respond 403 content {Blocked!}
            }
        }
    }
}
```
- Pankaj_70057 (Nimbostratus): I have never created an iRule; this is my first time, so please can you send me the actual iRule with the below example:
- hoolio (Cirrostratus): You can create the data group in the GUI under Local Traffic | iRules | Data group list | Create. Select a name of allowed_hosts_dg and a type of address. Then create the iRule using the code above and add that to the virtual server.
- Pankaj_70057 (Nimbostratus): Does this iRule work for both HTTP and HTTPS?
- Pankaj_70057 (Nimbostratus): I am getting an error on the iRule:
- hoolio (Cirrostratus): Which LTM version are you on? You can check in the GUI under System | General Properties | Version. If you're on 9.4.4 or higher, you can use this

```tcl
when HTTP_REQUEST {
    # Check the requested path, set to lower case
    switch -glob [string tolower [HTTP::path]] {
        "/bac*" {
            # Path started with /bac, so check if the client IP is in the allowed_hosts_dg data group
            if { not [matchclass [IP::client_addr] equals allowed_hosts_dg] } {
                # Send a 403 unauthorized response
                HTTP::respond 403 content {Blocked!}
                # Or you could reset the TCP connection instead:
                # reject
            }
        }
    }
}
```

```tcl
when HTTP_REQUEST {
    # Check the requested path, set to lower case
    switch -glob [string tolower [HTTP::path]] {
        "/bac*" {
            # Path started with /bac, so check if the client IP is in the allowed_hosts_dg data group
            if { not [matchclass [IP::client_addr] equals $::allowed_hosts_dg] } {
                # Send a 403 unauthorized response
                HTTP::respond 403 content {Blocked!}
                # Or you could reset the TCP connection instead:
                # reject
            }
        }
    }
}
```
- Pankaj_70057 (Nimbostratus): The system is running BIG-IP 9.4.6 Build 401.0 Final but I am still getting the below error. I have created the DG as BAC_ALLOWED_IP.
- hoolio (Cirrostratus): Sorry, it's matchclass not "match class". I edited the examples above with the correct command.
- Joe_Gorman_4645 (Nimbostratus): Seeing this rule is a start to what I currently need, but I have 4 folders that the Private_nets group needs access to but external clients should not be allowed to reach. Can I nest those into different rows for each directory?
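As an added example (not code posted by anyone in this thread), the same rule extended to several restricted directories, each tightened to the exact directory so that "/bac*" no longer also matches paths such as /backup. It assumes an address-type data group named Private_nets, the v10+ `class match` command (on 9.4.x substitute `matchclass ... equals $::Private_nets` as shown above), and that the iRule is attached to the HTTPS virtual server with a clientssl profile, where HTTP_REQUEST fires on the decrypted request, so one rule serves both HTTP and HTTPS.

```tcl
# Assumptions: address data group "Private_nets" exists; directory names
# other than /bac are hypothetical placeholders for Joe's four folders.
when HTTP_REQUEST {
    # Normalise once; the glob patterns below are written in lower case
    set path [string tolower [HTTP::path]]

    switch -glob -- $path {
        "/bac" -
        "/bac/*" -
        "/admin" -
        "/admin/*" -
        "/reports" -
        "/reports/*" -
        "/internal" -
        "/internal/*" {
            # Restricted directory: only Private_nets clients may continue
            if { not [class match [IP::client_addr] equals Private_nets] } {
                # Record the denial so blocked attempts are visible in /var/log/ltm
                log local0. "Denied [IP::client_addr] -> [HTTP::host]$path"
                HTTP::respond 403 content {Blocked!}
                return
            }
        }
        default {
            # Every other path is passed through unfiltered
        }
    }
}
```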