Forum Discussion
URI restriction using data group list
Hi, I am looking for advice on the correct syntax to create an irule which allows the following: Internal access permitted to all server URI's with no restrictions on access but externally ONLY http://sample.com/XYZ-WS can be accessed.
I have created a data group list which lists all of my internal networks.
8 Replies
- Kevin_Stewart
Employee
Try this:
when HTTP_REQUEST { if { ( string tolower [HTTP::host]] equals "sample.com" ) and ( [string tolower [HTTP::uri]] starts_with "/xyz-ws" ) } { if { [class match [IP::client_addr] equals my_internal_ips] } { return } else { drop } } } - Greg_Donohoe_25
Nimbostratus
Thank you for your answer Kevin but wont that irule redirect all connections with my_internal_ips to sample.com/xyz-ws and then drop any other connection? What I want to do is allow all connections with my_internal_ips to access any URL's on that server ie sample.com/abc, sample.com/def and then redirect any other connections with other IP (public) to /xyz-ws only.
- Kevin_Stewart
Employee
The above basically says:
if the URI is /xyz-ws if the client is internal - allow if the client is external - drop else allow allIn other words, it only does the IP evaluation if the client requests this specific URL. You didn't mention a redirect in the original post.
- Greg_Donohoe_25
Nimbostratus
Yes sorry Kevin you are right I did not explain it very well in the original post. I am looking to do a URI redirect based on source IP. if the source IP is my_internal_ip then these connections have access to all URLs on the backend server. But, external IP can only access the specific URL http://sample.com/xyz-ws if the URI is /xyz-ws if the client is internal allow if the client is external allow
if the URI is /anythingelse if the client is internal allow if the client is internal drop
- Kevin_Stewart
Employee
Okay then:
when HTTP_REQUEST { if { [class match [IP::client_addr] equals my_internal_ips] } { return } else { if { [string tolwer [HTTP::uri]] equals "/xyz-ws" } { return } else { HTTP::redirect "https://[HTTP::host]/xyz-ws" } } } - Greg_Donohoe_25
Nimbostratus
*if the URI is /anythingelse if the client is internal allow if the client is external drop
- Kevin_Stewart
Employee
when HTTP_REQUEST { if { [class match [IP::client_addr] equals my_internal_ips] } { return } else { if { [string tolwer [HTTP::uri]] equals "/xyz-ws" } { return } else { drop } } }This says, for all internal clients, return and allow. For external clients, if the URI is /xyz-ws, return and allow, else drop.
- Greg_Donohoe_25
Nimbostratus
That is what I am looking for kevin. Thank you very much for your input and sorry for the initial confusion.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com