For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JP_42120's avatar
JP_42120
Icon for Nimbostratus rankNimbostratus
Dec 02, 2014

Trying to add more restrictions to exiting iRule with flags

Hi, we are trying to additional restrictions based on new IP and URL to existing rule... Below is an example of our current and also NEW iRule. does this look right? is there a better way to do th...
Brad_Parker_139's avatar
Brad_Parker_139
Icon for Nacreous rankNacreous
Dec 02, 2014

Try something like below. It should be less complicated and more efficient.

when HTTP_REQUEST { if { [HTTP::host] starts_with "foo.com" } {
    If URI start with /gel/ or /water/ validate allowed IP and send it to the pool or redirect
    if { [HTTP::uri] starts_with "/gel/" || [HTTP::uri] equals "/water/" } {
        if { [class match [IP::client_addr] equals allow_address_data_group ] } {
            pool secure_80_pool
        }
        else {
            HTTP::redirect "http://deafult-internal.net"
        }
    }
    If URI start with /new-URIr/ validate allowed IP and send it to the pool or redirect
    elseif { [HTTP::uri] starts_with "/new-URI/" } {
        if { [class match [IP::client_addr] equals new_allow_address_data_group ] } {
            pool secure_80_pool
        }
        else {
            HTTP::redirect "http://deafult-internal.net"
        }
    }
    Redirect all other URI
    else {
        HTTP::redirect "http://www.default-external"
    }
}
  • Brad_Parker_139's avatar
    Brad_Parker_139
    Icon for Nacreous rankNacreous
    Dec 02, 2014
    Missed a bracket when HTTP_REQUEST { if { [HTTP::host] starts_with "foo.com" } { If URI start with /gel/ or /water/ validate allowed IP and send it to the pool or redirect if { [HTTP::uri] starts_with "/gel/" || [HTTP::uri] equals "/water/" } { if { [class match [IP::client_addr] equals allow_address_data_group ] } { pool secure_80_pool } else { HTTP::redirect "http://deafult-internal.net" } } If URI start with /new-URIr/ validate allowed IP and send it to the pool or redirect elseif { [HTTP::uri] starts_with "/new-URI/" } { if { [class match [IP::client_addr] equals new_allow_address_data_group ] } { pool secure_80_pool } else { HTTP::redirect "http://deafult-internal.net" } } Redirect all other URI else { HTTP::redirect "http://www.default-external" } } }
  • JP_42120's avatar
    JP_42120
    Icon for Nimbostratus rankNimbostratus
    Dec 02, 2014
    Hi Brad, thank you. I will try this format. We actually have 10+ URIs in the first filter. I guess it would look like below if we needed to add more. (I'm still new with iRules) :D adding additional URI's in the filter if { [HTTP::uri] starts_with "/gel/" || [HTTP::uri] equals "/water/" || [HTTP::uri] equals "/dirt/" || [HTTP::uri] equals "/sky/ || [HTTP::uri] equals "/etc/"................}