For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

8 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 11, 2014

    Try this:

    when HTTP_REQUEST {
    if { ( string tolower [HTTP::host]] equals "sample.com" ) and ( [string tolower [HTTP::uri]] starts_with "/xyz-ws" ) } {
        if { [class match [IP::client_addr] equals my_internal_ips] } {
            return
        } else {
            drop
        }
    }
}
  • Greg_Donohoe_25's avatar
    Greg_Donohoe_25
    Icon for Nimbostratus rankNimbostratus
    Jul 11, 2014

    Thank you for your answer Kevin but wont that irule redirect all connections with my_internal_ips to sample.com/xyz-ws and then drop any other connection? What I want to do is allow all connections with my_internal_ips to access any URL's on that server ie sample.com/abc, sample.com/def and then redirect any other connections with other IP (public) to /xyz-ws only.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 11, 2014

    The above basically says: 

    if the URI is /xyz-ws
    if the client is internal - allow
    if the client is external - drop
else
    allow all

    In other words, it only does the IP evaluation if the client requests this specific URL. You didn't mention a redirect in the original post.

  • Greg_Donohoe_25's avatar
    Greg_Donohoe_25
    Icon for Nimbostratus rankNimbostratus
    Jul 11, 2014

    Yes sorry Kevin you are right I did not explain it very well in the original post. I am looking to do a URI redirect based on source IP. if the source IP is my_internal_ip then these connections have access to all URLs on the backend server. But, external IP can only access the specific URL http://sample.com/xyz-ws if the URI is /xyz-ws if the client is internal allow if the client is external allow

     

    if the URI is /anythingelse if the client is internal allow if the client is internal drop

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 11, 2014

    Okay then:

    when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals my_internal_ips] } {
        return
    } else {
        if { [string tolwer [HTTP::uri]] equals "/xyz-ws" } {
            return
        } else {
            HTTP::redirect "https://[HTTP::host]/xyz-ws"
        }
    }
}
  • Greg_Donohoe_25's avatar
    Greg_Donohoe_25
    Icon for Nimbostratus rankNimbostratus
    Jul 11, 2014

    *if the URI is /anythingelse if the client is internal allow if the client is external drop

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 11, 2014
    when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals my_internal_ips] } {
        return
    } else {
        if { [string tolwer [HTTP::uri]] equals "/xyz-ws" } {
            return
        } else {
            drop
        }
    }
}

    This says, for all internal clients, return and allow. For external clients, if the URI is /xyz-ws, return and allow, else drop.

  • Greg_Donohoe_25's avatar
    Greg_Donohoe_25
    Icon for Nimbostratus rankNimbostratus
    Jul 11, 2014

    That is what I am looking for kevin. Thank you very much for your input and sorry for the initial confusion.