XForwarder

Question

I have a webpage that needs to be accessed by a certain subnets in the internal network,  however when the users access the URL it goes via proxy and i have to permit the proxy on the Datagroup, can some please help with the below irule

when HTTP_REQUEST { 
     betlivecms.aspx must only be accessible from internal network
    if { ([string tolower [HTTP::uri]] contains "/maintenance/cms.aspx") and not ([matchclass [IP::client_addr] equals $::betlive_allowed_ip])} {
       log locally and discard
      log local0. "Source IP is [IP::client_addr] and X-Forward-For is [_HTTP::header "X-Forwarded-For"]"  
      log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])"
      discard
     NameMatchingService.svc must only be accessible from internal network
    } elseif {([string tolower [HTTP::uri]] contains "/maintenancewcf/namematchingservice.svc") and not ([matchclass [IP::client_addr] equals $::betlive_allowed_ip])} {
       log locally and discard
      log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])"
      discard
}
}

iamczar_12961 · Answer

Hi Sydneysider! 
&nbsp;  
&nbsp; I noticed that you are discarding everything? 
&nbsp;  
&nbsp; if { ([string tolower [HTTP::uri]] contains "/maintenance/cms.aspx") and not ([matchclass [IP::client_addr] equals $::betlive_allowed_ip])} {  ====&gt; discard 
&nbsp; elseif ([string tolower [HTTP::uri]] contains "/maintenancewcf/namematchingservice.svc") and not ([matchclass [IP::client_addr] equals $::betlive_allowed_ip])} {  ===&gt; discard 
&nbsp;  
&nbsp; So does your logic means ["([string tolower [HTTP::uri]] contains "/maintenance/cms.aspx") or ([string tolower [HTTP::uri]] contains "/maintenancewcf/namematchingservice.svc")] and ([string tolower [HTTP::uri]] contains "/maintenancewcf/namematchingservice.svc") === discard? 
&nbsp;  
&nbsp;  
&nbsp; Hope to hear from you again. 
&nbsp;  &nbsp;

iamczar_12961 · Answer

Hi Sydneysider!  
&nbsp;  
&nbsp; Can you try nested if as shown from this iRule? 
&nbsp;  
&nbsp; I have't tested it yet though. 
&nbsp;  
&nbsp;  
&nbsp;  when HTTP_REQUEST {  
&nbsp; set uri1 /maintenance/cms.aspx 
&nbsp; set uri2 /maintenancewcf/namematchingservice.svc  
&nbsp; if { not [matchclass [IP::client_addr] equals $::betlive_allowed_ip]} {  
&nbsp; if { ([string tolower [HTTP::uri]] contains $uri1) or ([string tolower [HTTP::uri]] contains $uri2)} { 
&nbsp; log local0. "Connection is from [IP::client_addr] and URI is [HTTP::uri] and X-Forward-For is [HTTP::header X-Forwarded-For] - this will be discarded" 
&nbsp; discard 
&nbsp; } 
&nbsp; } else { 
&nbsp; log local0. "Connection has been established from [HTTP::uri] and [IP::client_addr] - accepted" 
&nbsp; } 
&nbsp; } 
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp; Hope that helps!

Forum Discussion

XForwarder

2 Replies

AppWorld Berlin iRules Contest!

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

Recent Discussions

Changes to DO and AS3 GitHub - no longer monitored

SSL Forward Proxy, iRules and Client Hello

monitor/healthcheck issue with envoy gateway

Recommendation for Adv. Lab

How to Verify config before loading to F5

Related Content

F5 SSL Pass-through with Xforward.

Xforwarded Property

Redirection and xforwarded-for

xforward-for doesnt work

XForwarded with https?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS