Forum Discussion
URI ACL based on source ip address
Can someone help me with creating a rule that can filter URI access based on IP address?
Something like
I am inspired by this solution:
http://devcentral.f5.com/Community/...fault.aspx
But I would like to normalise the iRule for use with some virtual servers, and use a file:
I would like to build a data group file like:
user_IP1:=USER_DIR1
user_IP1:=USER_DIR2
user_IP1:=USER_DIR3
user_IP2:=USER_DIR1
user_IP2:=USER_DIR2
user_IP10:=USER_DIR10 ==> There may be the same IP for some URIs and the same URI for some IPs
This file will be pushed by a server over SSH. There will be a lot of entries...
But I don't have any idea how to use this file (build an array? use a foreach loop?). Do you have the beginnings of a solution?
Do you have another solution than the one I propose?
Thanks a lot!
3 Replies
- julienmo_44816
Nimbostratus
Hi,
After a day of working with my colleague:

    when HTTP_REQUEST {
        # Default verdict: anything not explicitly allowed is denied
        set permit "IMPLICIT DENY"
        set uri_origine [HTTP::uri]
        set ip_origine [IP::client_addr]
        # Iterators over the two external data groups (ip := uri-regex pairs)
        set id [class startsearch Datagrp_uri_acl_allow]
        set id2 [class startsearch Datagrp_uri_acl_deny]

        # EXPLICIT DENY TRAFFIC: a matching deny entry wins over any allow entry
        while { [class anymore Datagrp_uri_acl_deny $id2] } {
            set y [class nextelement Datagrp_uri_acl_deny $id2]
            set ip_deny [lindex $y 0]
            set uri_deny [lindex $y 1]
            if { [IP::addr $ip_origine equals $ip_deny] and $uri_origine matches_regex $uri_deny } {
                set permit "DENY EXPLICIT RULE"
            }
        }

        # ALLOWED TRAFFIC: only consulted when no explicit deny matched
        if { $permit == "IMPLICIT DENY" } {
            while { [class anymore Datagrp_uri_acl_allow $id] } {
                set x [class nextelement Datagrp_uri_acl_allow $id]
                set ip_allow [lindex $x 0]
                set uri_allow [lindex $x 1]
                if { [IP::addr $ip_origine equals $ip_allow] and $uri_origine matches_regex $uri_allow } {
                    set permit "ALLOW RULE"
                    log local0.info "Allowed client [IP::remote_addr]:[TCP::client_port] requesting: http(s)://[HTTP::host][HTTP::path] ($permit)"
                }
            }
        }

        # IMPLICIT DENY OR MATCHED EXPLICIT DENY TRAFFIC: answer 403 from the BIG-IP itself
        if { $permit equals "IMPLICIT DENY" or $permit equals "DENY EXPLICIT RULE" } {
            HTTP::respond 403 content "Forbidden Access: You are not allowed to access [HTTP::uri]"
            log local0.info "Denied Access client [IP::remote_addr]:[TCP::client_port] requesting: http(s)://[HTTP::host][HTTP::path] ($permit)"
        }
    }
- nitass
Employee
I think another problem is how to reload the external data group after the file has been updated.
As far as I know, it can be done using iControl.
Forcing a reload of External Data Groups within an iRule by Joe
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/33/Forcing-a-reload-of-External-Data-Groups-within-an-iRule.aspx
The other idea coming to my mind is to use a sideband connection to retrieve the data instead of a data group. I think it should look like what George does in the article below.
Populating Tables With CSV Data Via Sideband Connections by George
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1088515/Populating-Tables-With-CSV-Data-Via-Sideband-Connections.aspx
- julienmo_44816
Nimbostratus
For reloading the file over SSH, I use these commands:

    tmsh modify /ltm data-group Datagrp_uri_acl_allow external-file-name /var/class/uri_acl_allow-list
    tmsh modify /ltm data-group Datagrp_uri_acl_deny external-file-name /var/class/uri_acl_deny-list
    tmsh save /sys config
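As an added example (not code from this thread), here is a small Python model of the allow/deny decision in julienmo_44816's iRule above, reading lists in the `ip := uri-regex` line format the question proposes; the sample lists, the CIDR keys and the `#` comment lines are constructed for this example. It lets a new list be checked for malformed entries and for the intended verdicts before it is pushed over SSH and reloaded with tmsh.

```python
import ipaddress
import re

# Constructed sample lists in the "ip := uri-regex" line format proposed in the question.
# A key may be a single address or a CIDR block, as "IP::addr ... equals" accepts in the iRule.
ALLOW_LIST = """\
10.0.0.5 := ^/admin/
10.0.0.5 := ^/reports/
10.0.1.0/24 := ^/reports/
"""
DENY_LIST = """\
# blank and '#' lines are skipped by this parser (a convention of this example)
10.0.1.77 := ^/reports/confidential/
"""

# Accepts both the bare form above and the quoted  "key" := "value",  form.
ENTRY_RE = re.compile(r'^\s*"?([^"\s]+)"?\s*:=\s*"?(.+?)"?\s*,?\s*$')

def parse_acl(text):
    """Parse 'ip := regex' lines into (network, compiled regex) pairs; reject malformed lines."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        network = ipaddress.ip_network(m.group(1), strict=False)
        rules.append((network, re.compile(m.group(2))))
    return rules

def decide(client_ip, uri, allow_rules, deny_rules):
    """Same order as the iRule: explicit deny, then explicit allow, else implicit deny."""
    addr = ipaddress.ip_address(client_ip)
    for network, pattern in deny_rules:
        if addr in network and pattern.search(uri):  # matches_regex is an unanchored search
            return "DENY EXPLICIT RULE"
    for network, pattern in allow_rules:
        if addr in network and pattern.search(uri):
            return "ALLOW RULE"
    return "IMPLICIT DENY"

if __name__ == "__main__":
    allow, deny = parse_acl(ALLOW_LIST), parse_acl(DENY_LIST)
    for ip, uri in [("10.0.0.5", "/admin/users"), ("10.0.1.77", "/reports/confidential/q1"),
                    ("10.0.1.20", "/reports/confidential/q1"), ("10.0.0.5", "/other")]:
        print(f"{ip:12} {uri:28} {decide(ip, uri, allow, deny)}")
```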