Forum Discussion
Jack_Anderson_3
Nimbostratus
Oct 06, 2009
URL Whitelist
I'm looking for an iRule which will allow a host IP or network to access only specified URLs through a proxy server. The LTM is sitting between the client PCs and the Squid proxy servers and is doin...
hoolio
Cirrostratus
Oct 06, 2009
You could potentially do this on LTM, but it might be easier to do on Squid. You could configure LTM to strip out any existing XFF instances and then insert its own X-Forwarded-For header in the HTTP profile and then configure Squid to perform the destination URI (or path) and/or IP based restrictions. To do this, you'd configure a custom HTTP profile with the "header to erase" option as "X-Forwarded-For" and the "Header to Insert" option as "X-Forwarded-For: [IP::client_addr]".
Here is an example iRule which would check the client IP address against a datagroup. For restricted clients, each HTTP request would be checked to see if the requested path is listed in a whitelist datagroup of allowed paths.
If the clients make requests with an absolute URL you might need to replace [HTTP::path] with logic which parses the host and path from the URI. For example, the request line might be:
GET http://www.example.com/path/to/file.ext?param=value HTTP/1.1
or possibly the more typical format of
GET /path/to/file.ext?param=value HTTP/1.1
You can use the URI:: commands to parse the absolute URL format:
URI wiki page
http://devcentral.f5.com/wiki/default.aspx/iRules/uri
when CLIENT_ACCEPTED {
   # Check if client IP address is in the hosts_to_restrict datagroup
   # ($::datagroup references are v9 syntax; v10+ uses "class match")
   if { [matchclass [IP::client_addr] equals $::hosts_to_restrict] } {
      # Client was in datagroup
      set check_path 1
   } else {
      # Client was not in datagroup
      set check_path 0
   }
}
when HTTP_REQUEST {
   # Check URI if the client IP was in the datagroup
   if { $check_path } {
      # Check if path is not in whitelist datagroup
      if { not [matchclass [string tolower [HTTP::path]] equals $::allowed_paths] } {
         # Pick ONE of the three actions below; the other two stay commented out.
         # Drop request?
         drop
         # Reject TCP connection?
         #reject
         # Send HTTP response?
         #HTTP::respond 401
      }
   }
}
Aaron
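As an added example (not hoolio's iRule and not F5 code), here is a version of the whitelist check that handles both the absolute-form request line a forward proxy usually sees and the origin-form one, so the host and path are always compared against the whitelist. It assumes TMOS v10 or later for the class command and three hypothetical datagroups: hosts_to_restrict (address type), allowed_hosts and allowed_paths (string type); the absolute URL is split with plain Tcl string commands rather than the URI:: commands.

```tcl
when CLIENT_ACCEPTED {
    # Decide once per TCP connection whether this client is restricted.
    # hosts_to_restrict is an address-type datagroup (name assumed).
    if { [class match [IP::client_addr] equals hosts_to_restrict] } {
        set check_path 1
    } else {
        set check_path 0
    }
}

when HTTP_REQUEST {
    if { !$check_path } { return }

    set uri [string tolower [HTTP::uri]]
    if { [string match "http://*" $uri] || [string match "https://*" $uri] } {
        # Absolute-form request-target (what a proxy client sends):
        # host and path are inside the URI, so split them out by hand.
        set rest [string range $uri [expr {[string first "://" $uri] + 3}] end]
        set slash [string first "/" $rest]
        if { $slash == -1 } {
            set host $rest
            set path "/"
        } else {
            set host [string range $rest 0 [expr {$slash - 1}]]
            set path [string range $rest $slash end]
        }
        # Mirror HTTP::path by dropping the query string
        set q [string first "?" $path]
        if { $q != -1 } { set path [string range $path 0 [expr {$q - 1}]] }
    } else {
        # Origin-form: host from the Host header, path from the request line
        set host [string tolower [HTTP::host]]
        set path [string tolower [HTTP::path]]
    }
    # Drop any :port suffix so "www.example.com:8080" matches "www.example.com"
    set host [lindex [split $host ":"] 0]

    # Deny unless BOTH host and path are whitelisted (datagroup names assumed).
    # LTM answers 403 itself, so the request never reaches Squid; the log line
    # makes denials visible in /var/log/ltm.
    set host_ok [class match $host equals allowed_hosts]
    set path_ok [class match $path equals allowed_paths]
    if { !($host_ok && $path_ok) } {
        log local0. "Denied [IP::client_addr] -> $host$path"
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
    }
}
```

Because the host is taken from the URI for absolute-form requests, a whitelisted path on a non-whitelisted host is still denied, which the path-only check in the iRule above does not guarantee.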