Forum Discussion

SXG12_131783
Dec 07, 2018

Allow access to a specific resource based on source IP addresses

Hello, I have a need to create an iRule for a URL with 2 endpoints.

endpoint1 = myCertCN/path1
endpoint2 = myCertCN/path2

I need to:

  • expose endpoint1 to all IPs,
  • expose endpoint2 to 3 IP sets (10.10.10.10, 11.11.11.56/29, 12.12.12.208/29)

Is the below syntax correct?

 

    when HTTP_REQUEST {
        set httpUri [HTTP::uri]
        set clientIp [class match -value [IP::client_addr] equals allowed_ip_addresses]
        if { $httpUri starts_with "/path2" && $clientIp not equals "10.10.10.10" } {
            drop
        } elseif { $httpUri starts_with "/path2" && $clientIp not equals "11.11.11.56/29" } {
            drop
        } elseif { $httpUri starts_with "/path2" && $clientIp not equals "12.12.12.208/29" } {
            drop
        } else {
            pool
        }
    }

 

In the above example, pool points to the ip:port of myCertCN.

 

1 Reply

  • Set up a data group with type IP Addresses and add the allowed IP address subnets to it, name it 'allowed_ip_addresses', and the following iRule should do the job.

    when HTTP_REQUEST {
      set httpUri [string tolower [HTTP::uri]]
      # strip any route-domain suffix (e.g. 10.1.1.1%2) before the lookup
      set clientIp [getfield [IP::client_addr] "%" 1]

      # check the URI path and that the client IP is not in the allowed list
      if {($httpUri starts_with "/path2") && !([class match $clientIp equals allowed_ip_addresses])} {
        # drop or reject to end the connection
        drop
      }
    }
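A fuller version of the reply's approach, added here as an example and not code from either poster: the data group is created with the three address entries from the question (tmsh syntax in the leading comment), only /path2 is restricted, denied sources are logged so the attempts show up in the LTM log, and everything else goes to the pool. The pool name myCertCN_pool and the local0 log facility are assumptions.

```tcl
# Added example, not the original poster's or the replier's iRule.
# Data group, created once in tmsh (assumed name: allowed_ip_addresses;
# the entries are the three sets from the question):
#   create ltm data-group internal allowed_ip_addresses type ip \
#     records add { 10.10.10.10/32 { } 11.11.11.56/29 { } 12.12.12.208/29 { } }
when HTTP_REQUEST {
    # Match on the path only, so a query string cannot affect the check
    set path [string tolower [HTTP::path]]
    # Strip any route-domain suffix (e.g. 10.1.1.1%2) before the lookup
    set clientIp [getfield [IP::client_addr] "%" 1]

    # /path1 stays open to everyone; only /path2 is restricted
    if { $path starts_with "/path2" } {
        # An address data group matches by subnet containment, so one
        # lookup covers the single host entry and both /29 networks
        if { ![class match $clientIp equals allowed_ip_addresses] } {
            # Record the denied source for later review in /var/log/ltm
            log local0. "Denied $clientIp -> [HTTP::host]$path"
            reject
            return
        }
    }
    # Assumed pool name for the myCertCN ip:port
    pool myCertCN_pool
}
```

Use drop instead of reject if you prefer the client to see a silent timeout rather than an RST.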