Forum Discussion

ant77
Apr 02, 2020

Allow access to multiple URI based on IP in data group only, while allow others full access

Can any of the iRule experts please help me with creating this iRule based on the conditions below? I think I have it, but I'm not sure.

Conditions:

  1. Create a data group of subnets; users coming from these subnets may access only a set of URIs and are prevented from accessing anything else.
  2. All users not part of the restricted data group subnets get full access to the website and all URIs.

Will this work if I create two data groups, one for the IP subnets and the other listing the URIs? Once done, apply this iRule to the VIPs.

The key thing here is that we DO NOT want to drop all other traffic that's not in the DG1-BLOCKED-SUBNETS data-group.

What I am afraid of is the "drop" statement condition where it will also drop all other traffic regardless.

Can anyone confirm or have a better way of doing this?

when HTTP_REQUEST {
if [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] {
    if { not ([HTTP::uri] equals DG2-ALLOWED-URIs]) } {
    }
    drop
}

ltm data-group internal DG1-BLOCKED-SUBNETS {
    records {
        10.100.100.0/24 { }
        10.200.200.0/24 { }
    }
    type ip
}

ltm data-group internal DG2-ALLOWED-URIs {
    records {
        /APP1 { }
        /APP2/HOME { }
        /APP3/HOME2 { }
    }
    type string
}

10 Replies

  • You need to move the drop into the if

    when HTTP_REQUEST {
      if [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] {
        if { not ([HTTP::uri] equals DG2-ALLOWED-URIs]) } {
           drop
        } 
      }
    }
    • ant77

      Thank you S Blakely. I will try this and let you know.

  • ant77

    I got the error below. Do you know what the issue is or what is missing?


    01070151:3: Rule [/Common/iRULE-BLOCKED] error: /Common/iRULE-BLOCKED-:3: error: [parse error: PARSE syntax 139 {syntax error in expression " not ([HTTP::uri] equals DG2-ALLOWED-URIs]) ": variable references require preceding $}][{ not ([HTTP::uri] equals DG2-ALLOWED-URIs]) }]

    • Simon_Blakely
      when HTTP_REQUEST {
        # Only clients whose source address is in the IP data group enter this block
        if { [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS]} {
          # "equals" is an exact match of the full request URI (including any query string)
          # against the string data group; anything not listed is dropped
          if { not ([class match [HTTP::uri] equals DG2-ALLOWED-URIs]) } {
             drop
          } 
        }
      }

      You were missing a [ class match

      • ant77

        Thanks! Appreciate your help...


        Quick question, since the statement "drop" is there based on the condition in the data group needing to be met, will this drop traffic for all other traffic (regular traffic) outside of that condition (subnets and URIs) in the data group? I just don't want this to drop our regular traffic...
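An annotated version of the rule the thread arrives at, added here as an example and not taken from any of the replies. It assumes the DG2-ALLOWED-URIs entries are path prefixes (so it matches HTTP::path with starts_with rather than an exact match on the full HTTP::uri, which would also compare the query string) and answers with a 403 instead of a silent drop so that blocks are visible to the client and in the LTM log.

```tcl
# Added example, not from the thread. Assumes the data groups
# DG1-BLOCKED-SUBNETS (type ip) and DG2-ALLOWED-URIs (type string)
# defined earlier in this thread, and that the string entries are
# path prefixes (e.g. /APP1 should also allow /APP1/login).
when HTTP_REQUEST {
    # Only clients whose source address falls inside DG1-BLOCKED-SUBNETS
    # enter this block. Every other client skips it and is served normally,
    # so regular traffic is never dropped by this rule.
    if { [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] } {
        # Compare the path only (no query string) against the allowed prefixes.
        # class match is case-sensitive: /APP1 and /app1 are different entries.
        if { not ([class match [HTTP::path] starts_with DG2-ALLOWED-URIs]) } {
            # Record the block so restricted-subnet denials can be reviewed.
            log local0. "Blocked [IP::client_addr] -> [HTTP::host][HTTP::uri] (restricted subnet, path not in allowlist)"
            # Explicit 403 instead of drop: the client gets an answer rather
            # than a hanging connection, and the event is easy to spot in logs.
            HTTP::respond 403 content "Forbidden" noserver "Connection" "close"
            return
        }
    }
}
```

If a silent drop is preferred over the 403, replace the HTTP::respond line with drop; the nesting is what keeps the decision limited to the restricted subnets.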