Forum Discussion

smiley_dba_1116
Jun 21, 2012

Whitelist an iRule, otherwise redirect

Need some help creating an iRule. The idea is that I have a VS, and I will be associating an iRule to do a redirect, but I don't want to do a redirect if the IP/subnet is in the iRule data group. I think I have something close, but would like someone's feedback.


when HTTP_REQUEST {
    # Clients in the Whitelist_Sorry data group: stop processing this iRule so the request passes through
    if { [matchclass [IP::remote_addr] equals $::Whitelist_Sorry] } {
        return
    } elseif { [matchclass [IP::remote_addr] equals ${::epp-test}] } {
        # Clients in the epp-test data group are sent to the sorry page
        HTTP::redirect "http://sorry.********.ca/"
    }
}

The idea is, if you are in the Whitelist_Sorry iRule data group, pass through; otherwise, redirect to the sorry page. Thoughts?

  • So if you are in the whitelist, allow access to the Virtual server. If you are not in the whitelist, redirect.
  • nathe
    smiley_dba,

    As I've learned recently, in this type of case it's simpler (and a shorter iRule) to use not. So, if you're not in the whitelist, redirect. This is because a similar post came up very recently (https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/2163192/showtab/groupforums/Default.aspx).

    Also, not sure what version you're running, but know that matchclass was deprecated in v10 by class match. Two examples below.

    v9.x

    when HTTP_REQUEST {
        # Anyone not in the Whitelist_Sorry data group is redirected; whitelisted clients fall through
        if { not ([matchclass [IP::remote_addr] equals $::Whitelist_Sorry]) } {
            HTTP::redirect "http://sorry.********.ca/"
        }
    }

    v10.x

    when HTTP_REQUEST {
        # Same logic with class match; the data group is referenced by name, without the $:: prefix
        if { not ([class match [IP::remote_addr] equals Whitelist_Sorry]) } {
            HTTP::redirect "http://sorry.********.ca/"
        }
    }

    Hope these work for you.

    N
  • Thanks Nathan. Having an issue with the Whitelist_Sorry subnets trying to NOT get the redirect, as they are getting the redirect with everyone else.
  • class Whitelist_Sorry {
       {
          host 10.10.5.139
          network 172.16.0.0/16
       }
    }

    So I added my own IP address to the except list so that I can browse the website, but instead I get a redirect.
  • nathe
    To avoid a problem with context, could you try IP::client_addr instead of remote_addr?
  • If you're on 9.4.4 or higher make sure to remove the $:: prefix from the data group name. You can add debug logging to figure out why the iRule isn't working. Here's a version 10 or higher example:

    when HTTP_REQUEST {
        if { [class match [IP::client_addr] equals Whitelist_Sorry] } {
            # Whitelisted client: log the match (and the data group contents) and let the request through
            log local0. "[IP::client_addr]:[TCP::client_port]: Client is in data group so do not redirect. DG: [class get Whitelist_Sorry]"
        } else {
            # Everyone else: log and send to the same sorry page used earlier in the thread
            log local0. "[IP::client_addr]:[TCP::client_port]: Client is not in data group so redirect"
            HTTP::redirect "http://sorry.********.ca/"
        }
    }

    Also, [IP::client_addr] and [IP::remote_addr] will return the same value in clientside events like CLIENT_ACCEPTED and HTTP_REQUEST.

    Aaron
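As an added illustration (not code from the thread or from F5), here is a small Python model of the v10 rule's decision: it parses the Whitelist_Sorry data group exactly as posted above and applies the same class-match-or-redirect logic, so the whitelist can be checked offline against candidate client addresses before touching the BIG-IP. The parser and the `class_match`/`decide` helpers are this example's own assumptions about how address data groups behave, not F5 APIs.

```python
import ipaddress
import re

# Constructed copy of the Whitelist_Sorry data group posted in the thread, in the
# v10 bigip.conf "class" syntax shown above.
WHITELIST_SORRY = """
class Whitelist_Sorry {
   {
      host 10.10.5.139
      network 172.16.0.0/16
   }
}
"""

SORRY_URL = "http://sorry.********.ca/"  # redacted redirect target from the thread


def parse_address_class(text):
    """Parse an address data group; returns (name, [ip_network, ...]).

    Only the 'host' and 'network' records shown in the thread are accepted;
    anything else raises, so a typo cannot silently shrink the whitelist.
    """
    tokens = re.sub(r"[{}]", " ", text).split()
    if len(tokens) < 2 or tokens[0] != "class":
        raise ValueError("not a class definition")
    name, records = tokens[1], tokens[2:]
    if len(records) % 2:
        raise ValueError("record keyword without an address")
    entries = []
    for kind, value in zip(records[::2], records[1::2]):
        if kind not in ("host", "network"):
            raise ValueError(f"unsupported record type: {kind!r}")
        net = ipaddress.ip_network(value, strict=False)
        if kind == "host" and net.prefixlen != net.max_prefixlen:
            raise ValueError(f"host record is not a single address: {value!r}")
        entries.append(net)
    return name, entries


def class_match(client_addr, entries):
    """Model of [class match $addr equals <dg>] for an address data group."""
    ip = ipaddress.ip_address(client_addr)
    return any(ip in net for net in entries)  # an IPv6 address never matches a v4 entry


def decide(client_addr, entries):
    """Model of the v10 rule: whitelisted clients pass, everyone else is redirected."""
    if class_match(client_addr, entries):
        return "pass", None
    return "redirect", SORRY_URL
```

Running `decide` over the address the BIG-IP actually sees (the one Aaron's debug log prints) shows quickly whether a client is outside every host and network record or whether the rule itself is at fault.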