Forum Discussion
Sydneysider_895
Nimbostratus
Aug 02, 2011
XForwarder
I have a webpage that needs to be accessed by certain subnets in the internal network; however, when the users access the URL it goes via a proxy and I have to permit the proxy on the Datagroup. Can someone please help with the iRule below?
    when HTTP_REQUEST {
        # betlivecms.aspx must only be accessible from internal network
        if { ([string tolower [HTTP::uri]] contains "/maintenance/cms.aspx") and not ([matchclass [IP::client_addr] equals $::betlive_allowed_ip])} {
            # log locally and discard
            log local0. "Source IP is [IP::client_addr] and X-Forward-For is [HTTP::header "X-Forwarded-For"]"
            log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])"
            discard
            # NameMatchingService.svc must only be accessible from internal network
        } elseif {([string tolower [HTTP::uri]] contains "/maintenancewcf/namematchingservice.svc") and not ([matchclass [IP::client_addr] equals $::betlive_allowed_ip])} {
            # log locally and discard
            log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])"
            discard
        }
    }
2 Replies
- Hi Sydneysider!
I noticed that you are discarding everything?
if { ([string tolower [HTTP::uri]] contains "/maintenance/cms.aspx") and not ([matchclass [IP::client_addr] equals $::betlive_allowed_ip])} { ====> discard
elseif {([string tolower [HTTP::uri]] contains "/maintenancewcf/namematchingservice.svc") and not ([matchclass [IP::client_addr] equals $::betlive_allowed_ip])} { ===> discard
So does your logic mean ["([string tolower [HTTP::uri]] contains "/maintenance/cms.aspx") or ([string tolower [HTTP::uri]] contains "/maintenancewcf/namematchingservice.svc")] and ([string tolower [HTTP::uri]] contains "/maintenancewcf/namematchingservice.svc") === discard?
Hope to hear from you again.
- Hi Sydneysider!
Can you try nested if as shown from this iRule?
I haven't tested it yet though.
    when HTTP_REQUEST {
        # Protected paths, written in lower case to match the lower-cased URI
        set uri1 /maintenance/cms.aspx
        set uri2 /maintenancewcf/namematchingservice.svc
        # Outer test: client address is not in the allowed data group
        if { not [matchclass [IP::client_addr] equals $::betlive_allowed_ip]} {
            # Inner test: request targets one of the protected paths
            if { ([string tolower [HTTP::uri]] contains $uri1) or ([string tolower [HTTP::uri]] contains $uri2)} {
                log local0. "Connection is from [IP::client_addr] and URI is [HTTP::uri] and X-Forward-For is [HTTP::header X-Forwarded-For] - this will be discarded"
                discard
            }
        } else {
            log local0. "Connection has been established from [HTTP::uri] and [IP::client_addr] - accepted"
        }
    }
Hope that helps!
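
An added example, not part of the original thread or of either reply: one way to handle the proxy case the question describes is to honour X-Forwarded-For only when the connection comes from the proxy itself, and then check the forwarded address against the allowed subnets. Assumptions: the data group name `betlive_trusted_proxies` is hypothetical, `betlive_allowed_ip` is an address-type data group, the proxy appends the client address as the last X-Forwarded-For entry, and `class match` is used in place of the thread's `matchclass`.

```tcl
# Added example, not from the thread. Assumed: address-type data groups
# betlive_trusted_proxies (hypothetical name) and betlive_allowed_ip.
when HTTP_REQUEST {
    set uri [string tolower [HTTP::uri]]
    # Only the two protected paths from the thread are restricted
    if { not (($uri contains "/maintenance/cms.aspx") or ($uri contains "/maintenancewcf/namematchingservice.svc")) } {
        return
    }
    set peer [IP::client_addr]
    set effective $peer
    # X-Forwarded-For is sender-controlled text, so it is used only when the
    # TCP peer is one of our own proxies; any other peer is judged on its own IP.
    if { [class match $peer equals betlive_trusted_proxies] } {
        # Several X-Forwarded-For headers may be present: flatten them in order
        # and take the last entry, the one the proxy itself appended.
        set chain [split [join [HTTP::header values "X-Forwarded-For"] ","] ","]
        set effective [string trim [lindex $chain end]]
    }
    # Fail closed: a missing or malformed forwarded address (empty string,
    # non-IP text) is denied whether class match returns 0 or raises an error.
    if { [catch { class match $effective equals betlive_allowed_ip } allowed] or not $allowed } {
        log local0. "Denied $uri: peer=$peer effective=\"$effective\""
        discard
    }
}
```

With this layout the proxy address no longer needs to sit in the allowed data group, so a request relayed by the proxy for an address outside the permitted subnets is still dropped.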