Forum Discussion
URL access based on IP\LDAP
I'm new to F5 ASM, so I apologize for my ignorance in advance. Is it possible to create an iRule to allow access to a web page based on IP addresses and/or LDAP group?
I see this as an example, but I'm not sure how to add multiple IP addresses, and I don't want a redirect. Any help is appreciated.
    when HTTP_REQUEST {
        if { ([HTTP::uri] starts_with "/admin") and ([matchclass [IP::remote_addr] equals $$IPAddressDataGroup]) } {
            HTTP::redirect "https://foo.com/admin/index/index/"
        } else {
            HTTP::redirect "https://foo.com/login/index/login/"
        }
    }
11 Replies
- Chris_Miller
Altostratus
It's definitely possible. In that example, you're using a data group. You can add addresses to a data group from the config utility through Local Traffic Manager > iRules > Data Groups.
Are you trying to limit access to a specific page, or a directory?
- tacobell_112236
Nimbostratus
Actually, I want to limit access via ASM, not LTM, and only to a web site.
- Chris_Miller
Altostratus
As far as blocking by IP goes, I've seen most people do so via LTM iRules... I'll see whether there's an option in ASM, but I don't recall seeing one. Any reason you're trying to avoid using LTM?
- hoolio
Cirrostratus
I don't think current versions of ASM allow you to restrict access by client IP, subnet or GeoIP region, etc. I'm pretty sure there is at least one request for enhancement related to this type of functionality. You could open a case with F5 Support and have your request added to the existing RFE(s).
In the meantime, you could try a few approaches:
1. Create an address type datagroup containing the allowed subnets/hosts and use an iRule to check for requests to /admin that aren't from an allowed IP. Rewrite the URI to something that will always get blocked in the ASM policy, like /illegal_client_request_to_admin.exe (assuming you don't have .exe or wildcard filetypes allowed in your policy).
2. Use a separate VS which goes to a separate ASM policy that allows /admin URI access (or no policy if you trust the app administrators). Restrict access to the VS using an iRule and the same address type datagroup as you would for option one. Then block all access to /admin on your main ASM policy using an attack signature.
Aaron
- hoolio
Cirrostratus
Note that I like the second option better as ASM can normalize URI encoding attacks much better than we can with an iRule. This is particularly relevant if the web app is IIS based:
http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/30900/afv/topic/Default.aspx
Aaron
- tacobell_112236
Nimbostratus
No, it's not using IIS... but after thinking about it, why not just use the LTM as you suggested...
I have this so far, but have a question: can I add multiple URLs to check in this iRule? E.g., in bold I have /adstructure; I want to add other sites that have a login.jsp or login/password locations...
    when HTTP_REQUEST {
        if { ([HTTP::uri] starts_with "/adstructure") and ([matchclass [IP::remote_addr] equals $$IPAddressDataGroup]) } {
            HTTP::redirect "https://www.xxx.com/adstructure/xxx/login.jsp/index/index/"
        } else {
            HTTP::redirect "https://www.xxx.com/"
        }
    }
- Chris_Miller
Altostratus
You have a great start!
Yes, you can absolutely check as many URLs as you want. Can you elaborate on everything you'd like to check, and if there's a match, what you'd like to do with the request?
- tacobell_14395
Nimbostratus
Sorry for the delay... basically, I need to redirect certain externally accessible sites to the internal network only. And if you are not part of the IP address, redirect you to the home page. This needs to be done at the F5 level... So the question is: how do I add multiple sites to check?
basic URL site check:
    when HTTP_REQUEST {
        if { ([HTTP::uri] starts_with "/adstructure") and ([matchclass [IP::remote_addr] equals $$IPAddressDataGroup]) } {
            HTTP::redirect "https://www.xxx.com/adstructure/xxx/login.jsp/index/index/"
        } else {
            HTTP::redirect "https://www.xxx.com/"
        }
    }
my attempt to do multiple site lookups (yeah, it's wrong, I know):
    when HTTP_REQUEST { if { ([HTTP::uri] starts_with "/adstructure" or starts_with "/ CiteCode or /jsp/funsite ) and ([matchclass [IP::remote_addr] equals $$IPAddressDataGroup]) } { HTTP::redirect "https://www.xxx.com/adstructure/xxx/login.jsp/index/index/" } else { HTTP::redirect "https://www.xxx.com/" } }
- hoolio
Cirrostratus
You can add multiple URI checks using a switch statement.
http://devcentral.f5.com/wiki/default.aspx/iRules/switch
Also to reference a datagroup from an iRule in 9.4.4+, remove the $:: prefix from the name (or $$ as you have it).
Aaron
- tacobell_112236
Nimbostratus
I read it and I said "que??"... Care to send me what I have posted (example) so I can comprehend, please?
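Putting Aaron's two suggestions together (a switch statement for several URIs, and referencing the data group without the $$ / $:: prefix), here is an added example iRule that is not from any poster in this thread. It assumes BIG-IP v10 or later for the `class match` command (the 9.4.4+ equivalent with `matchclass` is shown in a comment), an address-type data group named `allowed_admin_ips` that you create under Local Traffic > iRules > Data Group List, and placeholder paths and hostname (`/adstructure`, `/citecode`, `/jsp/funsite`, `www.xxx.com`) standing in for the real ones. Allowed clients are passed through to the application unchanged rather than redirected to the login page, since that is what "allow access" amounts to; everyone else is sent to the home page, as asked for above.

```tcl
# Added example iRule (not from this thread): restrict several login/admin
# paths to clients listed in an address-type data group and send everyone
# else to the public home page.
# Assumptions: BIG-IP v10+ ("class match"), a data group named
# "allowed_admin_ips", and placeholder paths/hostname below.
when HTTP_REQUEST {
    # "switch -glob" matches wildcard patterns, so "/adstructure*" covers
    # the directory and everything under it. The path is lowercased first
    # so a request for /AdStructure is checked the same way as /adstructure.
    # [HTTP::path] excludes the query string, unlike [HTTP::uri].
    switch -glob -- [string tolower [HTTP::path]] {
        "/adstructure*" -
        "/citecode*" -
        "/jsp/funsite*" {
            # Restricted path: only addresses in the data group may continue.
            # On 9.4.4-9.x the equivalent test is:
            #   matchclass [IP::remote_addr] equals allowed_admin_ips
            if { [class match [IP::remote_addr] equals allowed_admin_ips] } {
                # Allowed client: let the request through unchanged.
                return
            }
            # Not an allowed client: log it and send them to the home page.
            # Aaron's option one would instead rewrite the URI so that the
            # ASM policy blocks it, for example:
            #   HTTP::uri "/illegal_client_request_to_admin.exe"
            log local0. "Restricted path [HTTP::uri] requested from [IP::remote_addr], redirecting"
            HTTP::redirect "https://www.xxx.com/"
        }
        default {
            # Every other path is unrestricted; nothing to do.
        }
    }
}
```

To add another protected site, add one more `"/path*" -` line above the shared body; to add allowed addresses, add hosts or subnets to the data group rather than editing the iRule. Lowercasing only normalizes case: it does not undo URI encoding or other path tricks, which is the reason Aaron prefers option two (letting ASM do the normalization) over an iRule-only check.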