
Block admin URLs for internet users only

iRule

Dear Community,

I need to block a few admin URLs and their subdirectories from the internet only. The URLs should be accessible from the internal private IPs of the organization.

The following need to be blocked:


https://hostname.com/admin/*

https://hostname.com/login/*

https://hostname.com/manage/*

https://hostname.com/account/*

Please inform how to modify the following iRule to accomplish the above requirement.

https://support.f5.com/csp/article/K74012450


when CLIENT_ACCEPTED {
    log local0. "Client IP address is: [clientside {IP::remote_addr}]"
}

when HTTP_REQUEST {
    log local0. "HTTP Path = [HTTP::path]"
    log local0. "HTTP Host = [HTTP::host]"
    if { ([HTTP::host] eq "hostname.example.com") and ([HTTP::path] eq "/test/login") } {
        switch -glob [class match [IP::client_addr] eq private_net] {
            "1" {
                log local0. "The IP is private"
                pool HTTP_Pool
            }
            default {
                log local0. "The IP is public"
                set content "No Access"
                HTTP::respond 403 content $content
                unset content
            }
        }
    }
    else {
        log local0. "Access to other URLs, granted to any IP"
        pool HTTP_Pool
    }
}

 

 

Warm Regards

1 ACCEPTED SOLUTION

Hi,

 

Create an address data group and add private IPs to the data group.

 

iRule (Change the datagroupname):

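when HTTP_REQUEST {
    # Match on the normalized, lower-cased URI so the comparison is case-insensitive
    switch -glob [string tolower [HTTP::uri -normalized]] {
        "/admin/*" -
        "/login/*" -
        "/manage/*" -
        "/account/*" {
            # Drop the request unless the client address is in the data group
            if { not [class match [IP::client_addr] equals datagroupname] } {
                drop
                return
            }
        }
    }
}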

 


 

Thank you Enes for your response,

I have managed to accomplish the task by using the following iRule after reviewing the iRule guide at https://clouddocs.f5.com/api/irules/. But this iRule is working in a case-sensitive manner. If I use hostname.example.com/admin/etc or hostname.example.com/account/money this iRule works fine, but if I use hostname.example.com/Admin/etc or hostname.example.com/Account/money the iRule does not work.

Please inform how I can make this iRule non-case-sensitive.

 

========================

when CLIENT_ACCEPTED {
  log local0. "Client IP address is: [clientside {IP::remote_addr}]"
}

when HTTP_REQUEST {
  log local0. "HTTP URI = [HTTP::uri]"
  log local0. "HTTP Host = [HTTP::host]"
  if { ([HTTP::host] eq "hostname.example.com") and ([HTTP::uri] starts_with "/admin/etc* or [HTTP::uri] starts_with "/account/money" or [HTTP::uri] starts_with "/login/test" or [HTTP::uri] starts_with "/manage/team") } {
    switch -glob [class match [IP::client_addr] eq private_net] {
      "1" {
        log local0. "The IP is private"
        pool My_Pool
      }
      default {
        log local0. "The IP is public"
        set content "No Access"
        HTTP::respond 403 content $content
        unset content
      }
    }
  }
  else {
    log local0. "Access to other URLs, granted to any IP"
    pool My_Pool
  }
}

========================

 

Warm Regards

Hi,

 

Use [string tolower [HTTP::uri]] instead of [HTTP::uri]

 

etc* is misspelled. Replace with etc"
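
The pieces of this thread combined into one rule, as an added example that is not code from any of the posters or from F5: it matches on the normalized, lower-cased path (so case variants and query strings do not change the decision), covers each directory both with and without a trailing slash, and answers denied requests with a logged 403. It assumes an address data group named `private_net` (the name used in the question) that holds the internal ranges, a virtual server with a default pool, and a BIG-IP version that supports the `-normalized` option.

```tcl
when HTTP_REQUEST {
    # Compare against the normalized path, lower-cased, without the query
    # string, so /Admin/etc and /admin/etc?x=1 are treated the same way.
    set path [string tolower [HTTP::path -normalized]]

    switch -glob -- $path {
        "/admin"   - "/admin/*"   -
        "/login"   - "/login/*"   -
        "/manage"  - "/manage/*"  -
        "/account" - "/account/*" {
            # Restricted area: allow only clients listed in the address
            # data group (private_net is assumed to exist on this system).
            if { not [class match [IP::client_addr] equals private_net] } {
                log local0. "Denied [IP::client_addr] for [HTTP::host]$path"
                HTTP::respond 403 content "No Access"
                return
            }
        }
    }
    # Any other path, and restricted paths requested from private_net,
    # continue to the virtual server's default pool.
}
```

The rule does not test `HTTP::host`, so the restriction applies to every hostname served by the virtual server it is attached to.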