Forum Discussion

Feb 16, 2012

URI ACL based on source ip address

Hi everybody, I'm a long-time reader and a first-time poster :)

Can someone help me with creating a rule that can filter URI access based on IP address?



Something like:

userIP1 can access /userDIR1
userIP2 can access /userDIR2
userIP3 can access /userDIR3
anyIP can access /publicDIR
default drop





I'm inspired by this solution:

But I would like to normalise the iRule so it can be used with several virtual servers, and use a file:




I would like to build a Datagroup file like:

user_IP10:=USER_DIR10 ==> The same IP may appear for several URIs, and the same URI for several IPs






This file will be pushed by a server over SSH. There will be a lot of entries...

But I have no idea how to use this file (build an array? use a foreach loop?). Do you have the beginnings of a solution?

Do you have another solution than the one I propose?

Thanks a lot!


3 Replies

  • Hi,

    After a day of working with my colleague:

    when HTTP_REQUEST {
        set permit "IMPLICIT DENY"
        set uri_origine [HTTP::uri]
        set ip_origine [IP::client_addr]
        set id [class startsearch Datagrp_uri_acl_allow]
        set id2 [class startsearch Datagrp_uri_acl_deny]
        # Deny entries are checked first: an explicit deny always wins over an allow.
        while { [class anymore Datagrp_uri_acl_deny $id2] } {
            set y [class nextelement Datagrp_uri_acl_deny $id2]
            set ip_deny [lindex $y 0]
            set uri_deny [lindex $y 1]
            if { [IP::addr $ip_origine equals $ip_deny] and $uri_origine matches_regex $uri_deny } {
                set permit "DENY EXPLICIT RULE"
            }
        }
        class donesearch Datagrp_uri_acl_deny $id2
        # Only consult the allow list when no deny entry matched.
        if { $permit equals "IMPLICIT DENY" } {
            while { [class anymore Datagrp_uri_acl_allow $id] } {
                set x [class nextelement Datagrp_uri_acl_allow $id]
                set ip_allow [lindex $x 0]
                set uri_allow [lindex $x 1]
                if { [IP::addr $ip_origine equals $ip_allow] and $uri_origine matches_regex $uri_allow } {
                    set permit "ALLOW RULE"
                    log "Allowed client [IP::remote_addr]:[TCP::client_port] requesting: http(s)://[HTTP::host][HTTP::path] ($permit)"
                }
            }
        }
        class donesearch Datagrp_uri_acl_allow $id
        # Anything not explicitly allowed is rejected (default drop).
        if { $permit equals "IMPLICIT DENY" or $permit equals "DENY EXPLICIT RULE" } {
            HTTP::respond 403 content "Forbidden Access: you are not allowed to access [HTTP::uri]"
            log "Denied Access client [IP::remote_addr]:[TCP::client_port] requesting: http(s)://[HTTP::host][HTTP::path] ($permit)"
        }
    }
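The evaluation order the iRule above implements (deny list first, then allow list, then implicit deny), as an added stand-alone example that is not code from the poster or from F5. It assumes the "IP := URI" data-group layout described in the original post, with the URI column holding a regular expression, and it approximates `IP::addr ... equals` with Python's `ipaddress` module and `matches_regex` with an unanchored `re.search()`. The two list contents are constructed sample data, not files from the thread.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample data-group contents in the "IP := URI" layout from the
# original post. The real files live on the BIG-IP as external data groups;
# these strings only stand in for them so the logic can run offline.
ALLOW_LIST = """\
# client          URI regex (anchored so /publicDIRsecret does not match /publicDIR)
10.0.0.1       := ^/userDIR1(/|$)
10.0.0.2       := ^/userDIR2(/|$)
10.0.1.0/24    := ^/userDIR3(/|$)
0.0.0.0/0      := ^/publicDIR(/|$)
"""

DENY_LIST = """\
10.0.0.2       := ^/userDIR2/admin(/|$)
"""


@dataclass(frozen=True)
class AclEntry:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    uri_pattern: re.Pattern


def parse_datagroup(text: str) -> list[AclEntry]:
    """Parse 'ip := uri_regex' lines; blank lines and '#' comments are skipped.

    A malformed line raises instead of being silently ignored, so a bad push
    of the file fails closed rather than quietly dropping ACL entries.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":=" not in line:
            raise ValueError(f"line {lineno}: expected 'ip := uri_regex', got {raw!r}")
        ip_part, uri_part = (p.strip() for p in line.split(":=", 1))
        # strict=False turns a bare address into a /32 (or /128), which is how a
        # single host behaves with IP::addr ... equals in the iRule.
        network = ipaddress.ip_network(ip_part, strict=False)
        entries.append(AclEntry(network, re.compile(uri_part)))
    return entries


def evaluate(client_ip: str, uri: str, allow: list[AclEntry], deny: list[AclEntry]) -> str:
    """Return the same verdict strings the posted iRule uses.

    Order mirrors the iRule: deny entries first (an explicit deny wins), then
    allow entries, and anything unmatched falls through to the implicit deny.
    re.search() is used because Tcl regex matching is unanchored unless the
    pattern itself carries ^ or $.
    """
    ip = ipaddress.ip_address(client_ip)
    for entry in deny:
        if ip in entry.network and entry.uri_pattern.search(uri):
            return "DENY EXPLICIT RULE"
    for entry in allow:
        if ip in entry.network and entry.uri_pattern.search(uri):
            return "ALLOW RULE"
    return "IMPLICIT DENY"


if __name__ == "__main__":
    allow = parse_datagroup(ALLOW_LIST)
    deny = parse_datagroup(DENY_LIST)
    for client, uri in [("10.0.0.1", "/userDIR1/report.pdf"),
                        ("10.0.0.2", "/userDIR2/admin/users"),
                        ("192.0.2.9", "/publicDIRsecret")]:
        print(f"{client:12} {uri:28} -> {evaluate(client, uri, allow, deny)}")
```

The anchoring of the URI patterns is the part worth carrying back to the real data-group files: because `matches_regex` is unanchored, an entry written as a bare `/publicDIR` would also allow `/publicDIRsecret` or any path that merely contains that string, so each URI column should start with `^` and end the directory name with `(/|$)`. The parser also refuses malformed lines outright; a data group pushed over SSH with a broken line should fail the reload step rather than load a silently shortened ACL.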
  • I think another problem is how to reload the external data group after the file has been updated.

    As far as I know, it can be done using iControl.

    Forcing a reload of External Data Groups within an iRule by Joe

    The other idea that comes to my mind is to use a sideband connection to retrieve the data instead of a data group. I think it should look like what George does in the article below.

    Populating Tables With CSV Data Via Sideband Connections by George

  • For reloading the file over SSH, I use these commands:



    tmsh modify /ltm data-group Datagrp_uri_acl_allow external-file-name /var/class/uri_acl_allow-list


    tmsh modify /ltm data-group Datagrp_uri_acl_deny external-file-name /var/class/uri_acl_deny-list


    tmsh save /sys config