29-Dec-2021 13:07
Dear Community,
I need to block a few admin URLs and their subdirectories from the internet only. The URLs should remain accessible from the organization's internal private IPs.
The following need to be blocked.
https://hostname.com/admin/*
https://hostname.com/login/*
https://hostname.com/manage/*
https://hostname.com/account/*
Please advise how to modify the following iRule to accomplish the above requirement.
https://support.f5.com/csp/article/K74012450
when CLIENT_ACCEPTED {
    log local0. "Client IP address is: [clientside {IP::remote_addr}]"
}
when HTTP_REQUEST {
    log local0. "HTTP Path = [HTTP::path]"
    log local0. "HTTP Host = [HTTP::host]"
    if { ([HTTP::host] eq "hostname.example.com") and ([HTTP::path] eq "/test/login") } {
        switch -glob [class match [IP::client_addr] eq private_net] {
            "1" {
                log local0. "The IP is private"
                pool HTTP_Pool
            }
            default {
                log local0. "The IP is public"
                set content "No Access"
                HTTP::respond 403 content $content
                unset content
            }
        }
    }
    else {
        log local0. "Access to other URLs, granted to any IP"
        pool HTTP_Pool
    }
}
Warm Regards
29-Dec-2021 14:43 - last edited on 04-Jun-2023 19:14 by JimmyPackets
Hi,
Create an address data group and add private IPs to the data group.
iRule (Change the datagroupname):
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri -normalized]] {
        "/admin/*" -
        "/login/*" -
        "/manage/*" -
        "/account/*" {
            if { not [class match [IP::client_addr] equals datagroupname] } {
                drop
                return
            }
        }
    }
}
29-Dec-2021 15:14
Thank you, Enes, for your response.
I have managed to accomplish the task by using the following iRule after reviewing the iRule guide at https://clouddocs.f5.com/api/irules/. But this iRule works in a case-sensitive manner. If I use hostname.example.com/admin/etc or hostname.example.com/account/money, this iRule works fine, but if I use hostname.example.com/Admin/etc or hostname.example.com/Account/money, the iRule does not work.
Please advise how I can make this iRule case-insensitive.
========================
when CLIENT_ACCEPTED {
    log local0. "Client IP address is: [clientside {IP::remote_addr}]"
}
when HTTP_REQUEST {
    log local0. "HTTP URI = [HTTP::uri]"
    log local0. "HTTP Host = [HTTP::host]"
    if { ([HTTP::host] eq "hostname.example.com") and ([HTTP::uri] starts_with "/admin/etc* or [HTTP::uri] starts_with "/account/money" or [HTTP::uri] starts_with "/login/test" or [HTTP::uri] starts_with "/manage/team") } {
        switch -glob [class match [IP::client_addr] eq private_net] {
            "1" {
                log local0. "The IP is private"
                pool My_Pool
            }
            default {
                log local0. "The IP is public"
                set content "No Access"
                HTTP::respond 403 content $content
                unset content
            }
        }
    }
    else {
        log local0. "Access to other URLs, granted to any IP"
        pool My_Pool
    }
}
========================
Warm Regards
29-Dec-2021 15:48
Hi,
Use [string tolower [HTTP::uri]] instead of [HTTP::uri]
etc* is misspelled. Replace with etc"
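
Added example, not part of any post in this thread: one way to combine the asker's host check and 403 response with the case-insensitive, normalized matching suggested in the replies. It assumes an address data group named private_net (the name used in the asker's rule), a default pool on the virtual server, and a BIG-IP version that supports the -normalized option.

```tcl
# Added example, not the posters' code. Assumes an address data group named
# private_net (as in the asker's rule) that holds the internal ranges.
when HTTP_REQUEST {
    # Strip any ":port" suffix and lower-case the Host header before comparing.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $host ne "hostname.example.com" } {
        return
    }

    # Lower-case the normalized path so /Admin/etc and /admin/etc match alike.
    set path [string tolower [HTTP::path -normalized]]

    switch -glob -- $path {
        "/admin"     -
        "/admin/*"   -
        "/login"     -
        "/login/*"   -
        "/manage"    -
        "/manage/*"  -
        "/account"   -
        "/account/*" {
            # Restricted path: allow only sources listed in private_net.
            if { ![class match [IP::client_addr] equals private_net] } {
                log local0. "Denied [IP::client_addr] for restricted path $path"
                HTTP::respond 403 content "No Access"
                return
            }
        }
    }
    # All other requests, and restricted paths requested from private_net,
    # continue to the virtual server's default pool (assumed to be set).
}
```

The bare "/admin", "/login", "/manage" and "/account" patterns cover requests without a trailing slash, which "/admin/*" alone does not match. The check relies on the TCP source address, so it is only meaningful when BIG-IP sees the real client address rather than that of an upstream proxy or NAT device.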