Forum Discussion
Andrea_361
Nimbostratus
Oct 22, 2009
URI access restricted to ip subnet
hi people,
I have F5 running version 9.4.7. I try to implement an iRule in order to limit access to a defined URI only to an internal subnet, but I'm unable to obtain the correct result: the URI is allowed or denied without regard to the IP class and subnet defined.
Can anyone check my iRule syntax and/or give me suggestions?
Thanks in advance!
the following is my iRule script:
when HTTP_REQUEST {
    # Only requests under /cms/ are subject to the source-address check
    if { [HTTP::uri] starts_with "/cms/" } {
        # Clients not in the address data group Agusta_internal are dropped
        if { not [matchclass [IP::client_addr] equals $::Agusta_internal] } {
            log local0. "[IP::client_addr]:[TCP::local_port]: Matched IP check. Discarding request to [HTTP::uri]"
            drop
        }
    }
}
4 Replies
- hoolio
Cirrostratus
Hi Andrea,
Is the datagroup defined as a type 'address'? Can you add more logging to the iRule and retest?
when HTTP_REQUEST {
    # Log every request so the URI and IP checks below can be traced in /var/log/ltm
    log local0. "[IP::client_addr]:[TCP::local_port]: New [HTTP::method] request to [HTTP::host][HTTP::uri]"
    if { [HTTP::uri] starts_with "/cms/" } {
        # Log the data group contents to confirm what the address match is evaluated against
        log local0. "[IP::client_addr]:[TCP::local_port]: Matched URI check. Class contents: $::Agusta_internal"
        if { not [matchclass [IP::client_addr] equals $::Agusta_internal] } {
            log local0. "[IP::client_addr]:[TCP::local_port]: Matched IP check. Discarding request to [HTTP::uri]"
            drop
        }
    }
}
- Andrea_361
Nimbostratus
Yes, it is defined as address; tomorrow I'll be able to retest and give more info.
- hoolio
Cirrostratus
Can you test this on a test VIP so it doesn't affect any live traffic? If so, can you add the iRule example I posted above and reply with the output from /var/log/ltm?
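As an added example (not code from this thread), here is a v9-style variant of the same restriction that a reviewer might suggest once the logging confirms the data group works: it compares the lowercased path rather than the raw URI, also covers a bare "/cms" request, and answers outsiders with an explicit 403 instead of a silent drop that leaves the client's connection hanging. It assumes an address-type data group named Agusta_internal, as in the original post.

```tcl
# Added example, not from the original thread. Assumes an address-type
# data group named Agusta_internal holding the internal subnet(s).
when HTTP_REQUEST {
    # Compare the path only (query string excluded), lowercased so a
    # mixed-case request to a case-insensitive backend is still caught.
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/cms/" or $path equals "/cms" } {
        if { [matchclass [IP::client_addr] equals $::Agusta_internal] } {
            # Internal client: let the request through and record the decision.
            log local0. "[IP::client_addr]: internal client, allowing [HTTP::uri]"
        } else {
            # External client: log it and send a visible 403 rather than 'drop',
            # so the client gets a response and the log shows an explicit denial.
            log local0. "[IP::client_addr]: external client, rejecting [HTTP::uri]"
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
        }
    }
}
```

Check the allow and reject lines in /var/log/ltm from both an internal and an external test client before moving the rule onto a live VIP.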