Forum Discussion
julienmo_44816
Feb 16, 2012 - Nimbostratus
URI ACL based on source ip address
Hi everybody, I'm a long-time reader and a first-time poster :)
Can someone help me with creating a rule that can filter URI access based on IP address?
...
julienmo_44816
Feb 17, 2012 - Nimbostratus
Hi,
After a day of working with my colleague:
```tcl
when HTTP_REQUEST {
    # Default verdict when no data group entry matches
    set permit "IMPLICIT DENY"
    set uri_origine [HTTP::uri]
    set ip_origine [IP::client_addr]
    # Open a search handle on each data group
    set id [class startsearch Datagrp_uri_acl_allow]
    set id2 [class startsearch Datagrp_uri_acl_deny]

    # EXPLICIT DENY TRAFFIC
    # Element 0 of each entry is compared as the client IP, element 1 as a URI regex
    while { [class anymore Datagrp_uri_acl_deny $id2] } {
        set y [class nextelement Datagrp_uri_acl_deny $id2]
        set ip_deny [lindex $y 0]
        set uri_deny [lindex $y 1]
        if { [IP::addr $ip_origine equals $ip_deny] and $uri_origine matches_regex $uri_deny } {
            set permit "DENY EXPLICIT RULE"
        }
    }
    # Release the search handle
    class donesearch Datagrp_uri_acl_deny $id2

    # ALLOWED TRAFFIC (only evaluated when no explicit deny matched)
    if { $permit == "IMPLICIT DENY" } {
        while { [class anymore Datagrp_uri_acl_allow $id] } {
            set x [class nextelement Datagrp_uri_acl_allow $id]
            set ip_allow [lindex $x 0]
            set uri_allow [lindex $x 1]
            if { [IP::addr $ip_origine equals $ip_allow] and $uri_origine matches_regex $uri_allow } {
                set permit "ALLOW RULE"
                log local0.info "Allowed client [IP::remote_addr]:[TCP::client_port] requesting: http(s)://[HTTP::host][HTTP::path] ($permit)"
            }
        }
    }
    # Release the search handle
    class donesearch Datagrp_uri_acl_allow $id

    # IMPLICIT DENY OR MATCH EXPLICIT DENY TRAFFIC
    if { $permit equals "IMPLICIT DENY" or $permit equals "DENY EXPLICIT RULE" } {
        HTTP::respond 403 content "Forbidden Access\
You are not allowed to access [HTTP::uri]"
        log local0.info "Denied Access client [IP::remote_addr]:[TCP::client_port] requesting: http(s)://[HTTP::host][HTTP::path] ($permit)"
    }
}
```
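The evaluation order of the iRule above (explicit deny first, then allow, otherwise implicit deny), modelled offline in Python as an added example that is not part of the original post. The ACL tables and addresses are constructed, and `re.search` and `ipaddress` are assumed stand-ins for `matches_regex` and `IP::addr`. Because `[HTTP::uri]` includes the query string, the model also flags URI patterns that are not anchored with `^`.

```python
import ipaddress
import re

# Constructed sample tables: (client IP or network, URI regex), mirroring the
# element 0 / element 1 pairs the iRule reads from its two data groups.
DENY = [("10.0.0.5", r"^/admin")]
ALLOW = [
    ("10.0.0.0/24", r"^/admin"),
    ("10.0.0.0/24", r"^/app/"),
    ("192.0.2.10", r"/public"),  # unanchored on purpose, to show the effect
]


def ip_matches(client, entry):
    """Assumed stand-in for `IP::addr $client equals $entry` (host or network)."""
    return ipaddress.ip_address(client) in ipaddress.ip_network(entry, strict=False)


def evaluate(client, uri, deny=DENY, allow=ALLOW):
    """Return the verdict the iRule would end up with in $permit."""
    for ip, pattern in deny:  # explicit deny always wins
        if ip_matches(client, ip) and re.search(pattern, uri):
            return "DENY EXPLICIT RULE"
    for ip, pattern in allow:  # only reached when no deny entry matched
        if ip_matches(client, ip) and re.search(pattern, uri):
            return "ALLOW RULE"
    return "IMPLICIT DENY"


def unanchored(entries):
    """List entries whose regex can match anywhere in path or query string."""
    return [(ip, p) for ip, p in entries if not p.startswith("^")]


if __name__ == "__main__":
    samples = [  # constructed requests
        ("10.0.0.5", "/admin/users"),
        ("10.0.0.7", "/admin/users"),
        ("10.0.0.7", "/other"),
        ("192.0.2.10", "/private?next=/public"),
    ]
    for client, uri in samples:
        print(f"{client:12} {uri:24} -> {evaluate(client, uri)}")
    print("unanchored allow patterns:", unanchored(ALLOW))
```

Running candidate entries through a model like this before loading them into the data groups makes it easy to see which patterns need a leading `^`.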