Forum Discussion

Jack_Anderson_3
Oct 06, 2009

URL Whitelist

I'm looking for an iRule which will allow a host IP or network to access only specified URLs through a proxy server. The LTM is sitting between the client PCs and the Squid proxy servers and is doing SNAT on the source IPs.
  • hoolio
    You could potentially do this on LTM, but it might be easier to do on Squid. You could configure LTM to strip out any existing XFF instances and then insert its own X-Forwarded-For header in the HTTP profile and then configure Squid to perform the destination URI (or path) and/or IP based restrictions. To do this, you'd configure a custom HTTP profile with the "header to erase" option as "X-Forwarded-For" and the "Header to Insert" option as "X-Forwarded-For: [IP::client_addr]".

    Here is an example iRule which would check the client IP address against a datagroup. For restricted clients, each HTTP request would be checked to see if the requested path is listed in a whitelist datagroup of allowed paths.

    If the clients make requests with an absolute URL you might need to replace [HTTP::path] with logic which parses the host and path from the URI. For example, the request line might be:

    GET http://www.example.com/path/to/file.ext?param=value HTTP/1.1

    or possibly the more typical format of

    GET /path/to/file.ext?param=value HTTP/1.1

    You can use the URI:: commands to parse the absolute URL format:

    URI wiki page: http://devcentral.f5.com/wiki/default.aspx/iRules/uri

     
     when CLIENT_ACCEPTED {

        # Check if client IP address is in the hosts_to_restrict datagroup
        if {[matchclass [IP::client_addr] equals $::hosts_to_restrict]}{

           # Client was in datagroup
           set check_path 1

        } else {

           # Client was not in datagroup
           set check_path 0
        }
     }
     when HTTP_REQUEST {

        # Check URI if the client IP was in the datagroup
        if {$check_path}{

           # Check if path is not in whitelist datagroup
           if {not [matchclass [string tolower [HTTP::path]] equals $::allowed_paths]}{

              # Pick one of the following actions for a non-whitelisted path:

              # Drop the request silently
              #drop

              # Reset the TCP connection
              #reject

              # Send an HTTP response (403 rather than 401: the client is being
              # denied by policy, not asked to authenticate)
              HTTP::respond 403
           }
        }
     }


    Aaron
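As an added worked example (not code from this thread), here is one way to carry Aaron's suggestion through for the absolute-URL request form that proxy-bound clients normally send, checking host and path together rather than the path alone. Everything below is an assumption for the example: the two datagroups hosts_to_restrict (client addresses or networks) and allowed_urls (string entries of the form host/path-prefix), and the choice to parse the request line with plain Tcl string handling so the normalization steps are visible in the rule. It keeps the v9-style matchclass syntax of the example above; on v10 and later the equivalent is class match.

```tcl
# Added example, not code from the thread. Datagroup names hosts_to_restrict
# (client addresses/networks) and allowed_urls (string entries "host/path-prefix")
# are assumptions for this example.

when CLIENT_ACCEPTED {
    # Decide once per TCP connection whether this client is restricted.
    # Variables set here are connection-scoped and visible in HTTP_REQUEST.
    if { [matchclass [IP::client_addr] equals $::hosts_to_restrict] } {
        set check_url 1
    } else {
        set check_url 0
    }
}

when HTTP_REQUEST {
    if { !$check_url } { return }

    set method [HTTP::method]
    set uri [HTTP::uri]

    if { $method eq "CONNECT" } {
        # HTTPS through a proxy: the target is "host:port" with no path.
        # Whitelist the tunnel endpoint as "host/" in allowed_urls.
        set host [lindex [split $uri ":"] 0]
        set path "/"
    } elseif { [string match -nocase "http://*" $uri] || [string match -nocase "https://*" $uri] } {
        # Absolute form (GET http://www.example.com/path?x=y HTTP/1.1), the
        # usual shape of a request sent to a forward proxy. Split on the
        # first "/" after "scheme://".
        set rest [string range $uri [expr {[string first "://" $uri] + 3}] end]
        set slash [string first "/" $rest]
        if { $slash == -1 } {
            set host $rest
            set path "/"
        } else {
            set host [string range $rest 0 [expr {$slash - 1}]]
            set path [string range $rest $slash end]
        }
        # Drop the query string; only the path is policy-relevant here.
        set q [string first "?" $path]
        if { $q != -1 } { set path [string range $path 0 [expr {$q - 1}]] }
    } else {
        # Origin form (GET /path?x=y HTTP/1.1): host comes from the Host
        # header, and HTTP::path already excludes the query string.
        set host [HTTP::host]
        set path [HTTP::path]
    }

    # Normalize before matching: lower-case, strip any :port, percent-decode
    # the path so "/%70ath" and "/path" are the same prefix. Paths that still
    # contain ".." after decoding are refused outright, because prefix
    # matching cannot account for dot-segment traversal.
    set host [string tolower [lindex [split $host ":"] 0]]
    set path [string tolower [URI::decode $path]]
    if { [string match "*..*" $path] } {
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
        return
    }

    # allowed_urls entries are "host/path-prefix", e.g.
    #   www.example.com/path/to/
    #   updates.example.net/
    # starts_with allows anything below the listed prefix.
    if { [matchclass "${host}${path}" starts_with $::allowed_urls] } {
        return
    }

    # The source address is SNATed before it reaches Squid, so this log
    # line is where the real client address is recorded.
    log local0. "URL whitelist: denied [IP::client_addr] $method ${host}${path}"
    HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
}
```

Two caveats worth keeping in mind if you use this shape. First, the rule trusts whatever host appears in the request line; with the absolute form that is what Squid will actually fetch, but for origin-form requests the Host header is the only hint, and a client can set it to anything, which is one reason Aaron suggests letting Squid enforce the destination policy. Second, prefix matching on a decoded string is deliberately simple; Squid performs fuller URL normalization before it forwards a request, so if the two layers must agree, test the rule with the same odd inputs (double encoding, mixed case, trailing dots in hostnames) that you expect Squid to see.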
  • Another option is to deploy PAC files. They can control where the client can go without relying on the iRule. The PAC file would be processed by the client.
