Forum Discussion
Hi Guys,
The "elseif" was missing a bracket. I also added the "reject" statement where if you are trying to go to the URI in the data group or URI "*/URI1/URI2/PORTAL/ADMIN" on this site, your IP must match the ones from the XFF defined in the data group. If not, it should reject. Is this correct to use the "reject" or will this deny all traffic to the site? Which is what we do not want to do. Only deny if your XFF IP does match the ones in the data group when you go to the URIs on this site.
Thank you.
```tcl
when HTTP_REQUEST {
    if { [active_members MYPOOL-PORT-443] > 1 } {
        HTTP::redirect "http://maintenance-page.company.com"
    } else {
        set CHECK_IP [getfield [HTTP::header values X-Forwarded-For] " " 1]
        if { ([class match $CHECK_IP eq "DG-XFF-ALLOWED-IP-LIST"]) } {
            if { [class match [HTTP::uri] eq "DG_RESTRICTED_URI"] } {
                pool MYPOOL-PORT-443
            } elseif { [class match [HTTP::uri] eq "*/URI1/URI2/PORTAL/ADMIN"] } {
                HTTP::redirect "https://[HTTP::host]/SECRET/URI1/URI2/ADMIN/"
                reject
            }
        }
    }
}
```
- Vijay_E, Mar 23, 2017 (Cirrus)
`if { [active_members MYPOOL-PORT-443] < 1 } {`
Should be less than 1 and not greater than 1
- Tony2020, Mar 23, 2017 (Nimbostratus)
Hi Vijay,
Will the "reject" work in the code where the iRule looks at the data group to match the IP obtained from the XFF header and, if you go to the URI in the other data group or in the code, allow, and if you're not part of the IP list, deny? Otherwise allow access to the full site without restrictions? We do not want the "reject" to prevent access to the site under normal conditions if not accessing the protected URI.
Thank you, Tony
- Vijay_E, Mar 24, 2017 (Cirrus)
Why do you need a reject after redirecting?
Also, the idea of coming up with an iRule and running it directly on a production VS is a bit disconcerting. I would recommend creating a test VS to test out the iRule before deploying it in the production environment.
- Tony2020, Mar 24, 2017 (Nimbostratus)
Agreed. We have a test environment that this needs to be tested in first. Just need to make sure it works before we put it in PROD. Thanks for your help!
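One way to structure the behaviour asked about in this thread, as an added example that is not part of the original posts: the allow-list check runs only for restricted URIs, so `reject` cannot affect requests to the rest of the site. It reuses the pool and data group names from the thread and assumes that X-Forwarded-For is set by a trusted upstream proxy (a client can otherwise supply any value), that `DG-XFF-ALLOWED-IP-LIST` is an address-type data group, and that matching on the path without the query string is acceptable; the redirect to the `/SECRET/` URI is left out.

```tcl
when HTTP_REQUEST {
    # Maintenance page when the pool has no available members
    # (uses "< 1", per the correction given in the thread).
    if { [active_members MYPOOL-PORT-443] < 1 } {
        HTTP::redirect "http://maintenance-page.company.com"
        return
    }

    # Decide first whether this request targets a restricted URI.
    # Anything else skips the IP check entirely and is load balanced as usual.
    set path [HTTP::path]
    set restricted 0
    if { [class match $path equals DG_RESTRICTED_URI] } {
        set restricted 1
    } elseif { $path ends_with "/URI1/URI2/PORTAL/ADMIN" } {
        set restricted 1
    }

    if { $restricted } {
        # X-Forwarded-For is a comma-separated list; take the first entry
        # and strip surrounding whitespace.
        set client_ip [string trim [getfield [HTTP::header X-Forwarded-For] "," 1]]

        # Default deny: a missing or malformed header value is not allowed.
        set allowed 0
        if { $client_ip ne "" } {
            # catch keeps a non-IP header value from raising a Tcl error
            catch { set allowed [class match $client_ip equals DG-XFF-ALLOWED-IP-LIST] }
        }

        if { !$allowed } {
            # Reset the connection for this request only; no redirect is sent,
            # so there is nothing for reject to conflict with.
            reject
            return
        }
    }

    # Unrestricted URIs, and restricted URIs from allowed IPs, reach the pool.
    pool MYPOOL-PORT-443
}
```

On a test virtual server, a request to a restricted URI from an address outside the data group should be reset, while the same client requesting any other URI should be served normally.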