Forum Discussion
Using X-Forwarded-for to block Clients based on URI information
I have a task to block client IPs based on URI information, but the catch here is that the actual IPs are present in an HTTP header (X-Forwarded-For), as the connections are all coming from Akamai.
Eg: I have approx. 40 IPs which need to be allowed to access any URI that starts with "/en_US/HHCM*". The rest need to be blocked.
I had written an iRule to block the IP directly, but I need to modify it. Can you help?
when HTTP_REQUEST {
    # Check for requests to the restricted URI (compare in lower case on both sides,
    # otherwise the lower-cased URI never matches the mixed-case literal)
    if { [string tolower [HTTP::uri]] starts_with "/en_us/hhcm" } {
        # Check if the client IP is not in the allowed clients data group
        if { [class match [IP::client_addr] equals AllowList] } {
            log local0. "dropped [IP::client_addr]"
            # Reset the connection
            drop
        }
    }
}
- rsacheen_310098
Nimbostratus
How would you like to modify your iRule? The code snippet you have provided looks fine syntax-wise, but it blocks access from IPs in your AllowList. How about something like this:
when HTTP_REQUEST {
    # Reject clients outside the AllowList data group for the restricted URI prefix
    if { [HTTP::uri] starts_with "/en_US/HHCM" && !([class match [IP::client_addr] equals AllowList]) } {
        log local0. "rejected [IP::client_addr] for [HTTP::uri]"
        reject
    } else {
        # Send traffic to your desired server pool
    }
}
Just an example. Correct me if I misunderstood your query.
- parvez_70211
Nimbostratus
But I would need to block the actual client IP based on the HTTP X-Forwarded-For IP and not on [IP::client_addr]. So I would need to extract the IP present in the header first and then match it against our allowed-IP data group.
- parvez_70211
Nimbostratus
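The extract-then-match step described above, written out as an added example iRule (it is not code from this thread or from F5). It assumes the AllowList address data group from the question, plus a second address data group named AkamaiNets (an assumed name) holding the Akamai edge ranges that reach this virtual server, and it assumes standard X-Forwarded-For semantics in which each proxy appends the address it received the request from, so the real client is the right-most entry that is not itself a known proxy. The Akamai ranges are assumed not to be members of AllowList.

```tcl
# Added example, not code from the original thread.
# Assumed data groups (type: address):
#   AllowList  - the ~40 client IPs permitted under /en_US/HHCM (named in the question)
#   AkamaiNets - the Akamai edge ranges fronting this virtual server (assumed name)
when HTTP_REQUEST {
    # Only the restricted prefix is subject to the allow list; compare both sides
    # in lower case so the literal actually matches.
    if { !([string tolower [HTTP::uri]] starts_with "/en_us/hhcm") } {
        return
    }

    set conn_ip [IP::client_addr]
    set real_ip $conn_ip

    # X-Forwarded-For is client-controlled: anyone can send the header with an
    # allow-listed address in front. Believe it only when the TCP peer is an Akamai
    # edge, then walk the chain from the right, skipping trusted proxy hops, and take
    # the first address that is not a known proxy.
    if { [class match $conn_ip equals AkamaiNets] && [HTTP::header exists "X-Forwarded-For"] } {
        # A request may carry several X-Forwarded-For headers; join them in order.
        set hops [split [join [HTTP::header values "X-Forwarded-For"] ","] ","]
        for { set i [expr {[llength $hops] - 1}] } { $i >= 0 } { incr i -1 } {
            set hop [string trim [lindex $hops $i]]
            # A malformed entry makes class match throw: stop and keep the connecting
            # address, which (Akamai not being in AllowList) means the request is rejected.
            if { [catch { class match $hop equals AkamaiNets } is_proxy] } {
                break
            }
            if { !$is_proxy } {
                set real_ip $hop
                break
            }
        }
    }

    # Decide on the derived client address, not on the TCP source.
    if { ![class match $real_ip equals AllowList] } {
        log local0. "rejected $real_ip (connection from $conn_ip) for [HTTP::uri]"
        reject
    }
}
```

If the header is absent, or the connection does not come from an Akamai range (someone hitting the virtual server directly), the rule falls back to [IP::client_addr], so the decision is always made on an address the BIG-IP can vouch for rather than on whatever the client wrote into the header.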
Connections from client IPs that are not in your data group (AllowList) get blocked. - correct
- rsacheen_310098
Nimbostratus
This might help. Looks like something you are looking for. Have a look!
https://devcentral.f5.com/s/feed/0D51T00006i7MAUSA2
https://devcentral.f5.com/questions/blocking-x-forwarded-for-ip-adddress
- rsacheen
Nimbostratus