ant77
Apr 02, 2020Cirrostratus
Allow access to multiple URI based on IP in data group only, while allow others full access
Can any of the irule expert please help me with creating this irule based on this condition? I think i have it, but not sure.
Conditions:
- Create subnets data group allow users coming from these subnets to be able to access multiple URIs while preventing them to access anything else.
- All users not part of the restricted data group subnets get full access to website and all URIs.
Will this work if I create two data group, one for the IP subnets, and the other listing the URIs? Once done, apply this irule to the VIPs.
The key thing here is that we DO NOT want to drop all other traffic that's not in the DG1-BLOCKED-SUBNETS data-group.
What I am afraid of is the "drop" statement condition where it will also drop all other traffic regardless.
Can anyone confirm or have a better way of doing this?
when HTTP_REQUEST {
if [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] {
if { not ([HTTP::uri] equals DG2-ALLOWED-URIs]) } {
}
drop
}
ltm data-group internal DG1-BLOCKED-SUBNETS {
records {
10.100.100.0/24 { }
10.200.200.0/24 { }
}
type ip
}
ltm data-group internal DG2-ALLOWED-URIs {
records {
/APP1 { }
/APP2/HOME { }
/APP3/HOME2 { }
}
type string
}