Technical Forum
Allow a specific resource's access based on source IP addresse's

SXG12_131783
Nimbostratus

Hello, I have a need to create an iRule for a URL with 2 endpoints.

endpoint1 = myCertCN/path1
endpoint2 = myCertCN/path2

I need to:

  • expose endpoint1 to all IPs,
  • expose endpoint2 to 3 IP sets (10.10.10.10, 11.11.11.56/29, 12.12.12.208/29)

Is the below syntax correct?

when HTTP_REQUEST {
    set httpUri [HTTP::uri]
    set clientIp [class match -value [IP::client_addr] equals allowed_ip_addresses]
    if { $httpUri starts_with "/path2" && $clientIp not equals "10.10.10.10" } {
        drop
    } else if { $httpUri starts_with "/path2" && $clientIp not equals "11.11.11.56/29" } {
        drop
    } else if { $httpUri starts_with "/path2" && $clientIp not equals "12.12.12.208/29" } {
        drop
    } else {
        pool
    }
}

In the above example, pool points to the ip:port of myCertCN.

 


Andy_McGrath
Cumulonimbus

Set up a data group of type IP Addresses, add the allowed IP address subnets to it, name it 'allowed_ip_addresses', and the following iRule should do the job.

when HTTP_REQUEST {
  # lowercase the URI so that /PATH2 is caught as well as /path2
  set httpUri [string tolower [HTTP::uri]]
  # strip any route-domain suffix (e.g. 10.10.10.10%1) before the lookup
  set clientIp [getfield [IP::client_addr] "%" 1]

  # check uri path and client ip is not in the allowed list
  if {($httpUri starts_with "/path2") && !([class match $clientIp allowed_ip_addresses])} {
    # drop or reject to end the connection
    drop
  }
}
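To see what the data-group lookup in the reply actually decides for the three allowed entries from the question, here is an added Python model of the same rule. It is not the poster's iRule and not an F5 API; `class_match` and `strip_route_domain` are hypothetical stand-ins for `class match` against an IP-type data group and for the `getfield ... "%" 1` route-domain strip, and the request samples at the bottom are constructed.

```python
import ipaddress

# Constructed stand-in for the 'allowed_ip_addresses' IP data group:
# the single host from the question stored as a /32, the two subnets as given.
ALLOWED_IP_ADDRESSES = [
    ipaddress.ip_network("10.10.10.10/32"),
    ipaddress.ip_network("11.11.11.56/29"),    # covers .56 - .63
    ipaddress.ip_network("12.12.12.208/29"),   # covers .208 - .215
]

RESTRICTED_PREFIX = "/path2"


def strip_route_domain(client_addr: str) -> str:
    """Hypothetical model of `getfield [IP::client_addr] "%" 1`.

    BIG-IP reports addresses in a non-default route domain as
    '10.10.10.10%1'; the suffix must go before any address comparison.
    """
    return client_addr.split("%", 1)[0]


def class_match(client_ip: str, data_group) -> bool:
    """Hypothetical model of `class match $clientIp <ip-data-group>`.

    True when the address falls inside any host or subnet in the group.
    An address that cannot be parsed (or an IPv6 client against a v4-only
    group) simply does not match, which the caller treats as 'not allowed'.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in data_group)


def decide(uri: str, client_addr: str) -> str:
    """Mirror the reply's HTTP_REQUEST logic for one request.

    Returns 'drop' when the request is for the restricted prefix and the
    client is outside the allow list, otherwise 'forward'.
    """
    http_uri = uri.lower()                       # string tolower [HTTP::uri]
    client_ip = strip_route_domain(client_addr)  # getfield ... "%" 1
    if http_uri.startswith(RESTRICTED_PREFIX) and not class_match(client_ip, ALLOWED_IP_ADDRESSES):
        return "drop"
    return "forward"


def evaluate(requests):
    """Run decide() over (uri, client_addr) pairs and return the verdicts."""
    return [(uri, addr, decide(uri, addr)) for uri, addr in requests]


if __name__ == "__main__":
    # Constructed sample requests covering both endpoints, the subnet
    # boundaries, a route-domain address and a mixed-case URI.
    SAMPLES = [
        ("/path1", "1.2.3.4"),
        ("/path2/export", "1.2.3.4"),
        ("/path2", "10.10.10.10"),
        ("/PATH2/export", "11.11.11.60%2"),
        ("/path2", "11.11.11.64"),
        ("/path2", "12.12.12.215"),
        ("/path2", "12.12.12.216"),
    ]
    for uri, addr, verdict in evaluate(SAMPLES):
        print(f"{verdict:8} {addr:18} {uri}")
```

Two things the model makes visible: the subnet boundaries (11.11.11.64 and 12.12.12.216 are just outside the /29s and are dropped), and the fact that `starts_with "/path2"` also matches `/path20` or `/path2abc`. If only `/path2` itself and everything under `/path2/` should be restricted, the iRule test is better written as `($httpUri equals "/path2") || ($httpUri starts_with "/path2/")`.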