
Allow access to multiple URI based on IP in data group only, while allow others full access

ant77
Cirrus

Can any of the iRule experts please help me with creating this iRule based on the conditions below? I think I have it, but I'm not sure.


Conditions:

  1. Create a subnets data group; allow users coming from these subnets to access multiple URIs while preventing them from accessing anything else.
  2. All users not part of the restricted data group subnets get full access to the website and all URIs.


Will this work if I create two data groups, one for the IP subnets and the other listing the URIs? Once done, apply this iRule to the VIPs.

The key thing here is that we DO NOT want to drop all other traffic that's not in the DG1-BLOCKED-SUBNETS data group.

What I am afraid of is the "drop" statement, where it will also drop all other traffic regardless of the condition.

Can anyone confirm or have a better way of doing this?


when HTTP_REQUEST {
    if [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] {
        if { not ([HTTP::uri] equals DG2-ALLOWED-URIs]) } {
        }
        drop
    }
}


ltm data-group internal DG1-BLOCKED-SUBNETS {
    records {
        10.100.100.0/24 { }
        10.200.200.0/24 { }
    }
    type ip
}


ltm data-group internal DG2-ALLOWED-URIs {
    records {
        /APP1 { }
        /APP2/HOME { }
        /APP3/HOME2 { }
    }
    type string
}


Simon_Blakely
F5 Employee

You need to move the drop into the if.

when HTTP_REQUEST {
    if [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] {
        if { not ([HTTP::uri] equals DG2-ALLOWED-URIs]) } {
            drop
        }
    }
}


Thank you, S. Blakely. I will try this and let you know.

ant77
Cirrus

I got the error below. Do you know what the issue is or what is missing?


01070151:3: Rule [/Common/iRULE-BLOCKED] error: /Common/iRULE-BLOCKED-:3: error: [parse error: PARSE syntax 139 {syntax error in expression " not ([HTTP::uri] equals DG2-ALLOWED-URIs]) ": variable references require preceding $}][{ not ([HTTP::uri] equals DG2-ALLOWED-URIs]) }]

when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] } {
        if { not ([class match [HTTP::uri] equals DG2-ALLOWED-URIs]) } {
            drop
        }
    }
}

You were missing a [ class match

Thanks! Appreciate your help...

Quick question: since the "drop" statement is there based on the condition in the data group needing to be met, will this also drop all other traffic (regular traffic) outside of that condition (subnets and URIs) in the data group? I just don't want this to drop our regular traffic...


The drop will only impact traffic from the DG1-BLOCKED-SUBNETS that does not match the DG2-ALLOWED-URIs.


All other traffic that is not in the DG1-BLOCKED-SUBNETS will pass for all URIs.

Thank you! Appreciate all your help.

No problem - if an answer is useful, please remember to flag it.


One question here: for the URI in the data group, it seems that it stops at an exact match, for example /APP1/ only. If I go to /APP1/ABC/123, it fails. Is there a way to match and allow anything beyond that, like a wildcard? I tried this and it doesn't seem to work --> /APP1/*

The wildcard asterisk does not work for some reason...

Use class match starts_with:

if { not ([class match [HTTP::uri] starts_with DG2-ALLOWED-URIs]) }

class - F5 Cloud Docs


Note: class match operates on a longest (or most specific) match first principle.
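As an added example (not part of the thread, and not F5 code), the following Python script models the decision the final iRule makes: an ip-type data group lookup for the client address, a string-type data group lookup for the URI with either the `equals` or the `starts_with` operator, and the resulting allow/drop outcome. The two data groups and the sample requests are constructed from the definitions posted above; the function names are my own. It lets you check, offline, that regular clients are never dropped and that `starts_with` accepts the deeper paths that `equals` rejected.

```python
"""Offline model of the iRule allow-list logic discussed in the thread.

Constructed example, not F5 code: it mimics how `class match` against an
`ip` data group and a `string` data group decides whether a request from a
restricted subnet is dropped, so the records can be sanity-checked before
they are applied to a virtual server.
"""
import ipaddress

# Constructed data groups mirroring the tmsh definitions posted in the thread.
DG1_BLOCKED_SUBNETS = ["10.100.100.0/24", "10.200.200.0/24"]
DG2_ALLOWED_URIS = ["/APP1", "/APP2/HOME", "/APP3/HOME2"]


def ip_class_match(client_addr, subnets):
    """Model of `class match <addr> equals <ip data group>` (hypothetical name).

    An ip-type data group matches when the address falls inside any record;
    the most specific (longest prefix) record wins, which is what the
    'longest match first' note at the end of the thread refers to.
    Returns the matching record or None.
    """
    addr = ipaddress.ip_address(client_addr)
    hits = [ipaddress.ip_network(s) for s in subnets
            if addr in ipaddress.ip_network(s)]
    if not hits:
        return None
    return str(max(hits, key=lambda n: n.prefixlen))


def string_class_match(uri, records, operator):
    """Model of `class match <uri> equals|starts_with <string data group>`.

    Returns the matching record or None. For starts_with the longest
    matching record is returned, mirroring the most-specific-first rule.
    """
    if operator == "equals":
        return uri if uri in records else None
    if operator == "starts_with":
        hits = [r for r in records if uri.startswith(r)]
        return max(hits, key=len) if hits else None
    raise ValueError("unsupported operator: " + operator)


def http_request(client_addr, uri, operator="starts_with"):
    """Decision the final iRule takes for one request: "allow" or "drop".

    Only clients inside DG1 can ever be dropped, and only when their URI
    does not match DG2; every other client passes untouched, which is the
    answer to the poster's concern about regular traffic.
    """
    if ip_class_match(client_addr, DG1_BLOCKED_SUBNETS) is None:
        return "allow"           # not a restricted subnet: full access
    if string_class_match(uri, DG2_ALLOWED_URIS, operator) is None:
        return "drop"            # restricted client, URI not on the allow list
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests (client IP, URI) to exercise the rule.
    samples = [
        ("10.100.100.25", "/APP1"),           # restricted, exact allowed URI
        ("10.100.100.25", "/APP1/ABC/123"),   # the case that failed with equals
        ("10.100.100.25", "/APP10/secret"),   # prefix over-match, see note below
        ("10.100.100.25", "/ADMIN"),          # restricted, not on the allow list
        ("192.0.2.10",    "/ADMIN"),          # regular client, always allowed
    ]
    for op in ("equals", "starts_with"):
        print("operator:", op)
        for addr, uri in samples:
            print(f"  {addr:<15} {uri:<14} -> {http_request(addr, uri, op)}")
```

One caveat the model makes visible: `starts_with` is a plain prefix test, so a record of `/APP1` also lets a restricted client reach `/APP10/secret` (constructed path). If neighbouring paths like that exist on the site, store the records with a trailing slash (`/APP1/`) so the prefix ends at a path boundary.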