
Blocking Traffic based on Geo Location

Jaspreetgurm
Altostratus

I have a requirement to block traffic to a particular HTTPS path (page) via an iRule on a WAF device, in order to restrict access to the URL below from all geolocations except Thailand.

Can someone help with this? I have written the iRule below.

when HTTP_REQUEST {
  if { [string tolower [HTTP::uri]] equals "http://abc.com/job-request/" && [whereis [IP::client_addr] country] ne "TH" } {
    drop
  {
  else {
    #log local0. "The page is restricted"
  }
}

7 REPLIES

SanjayP
MVP

The iRule looks fine with a few modifications to the URI and closing braces. Also, please check with the requestor whether it should be an explicit URL "/job-request/" or a wildcard (i.e. anything after) "/job-request*".

If it's a wildcard, replace "eq" with "starts_with".

when HTTP_REQUEST {
  if { ([string tolower [HTTP::uri]] eq "/job-request") and ([whereis [IP::client_addr] country] ne "TH") } {
    drop
  } else {
    return
  }
}

Thanks, Sanjay, for replying.

"/job-request" is the specific path which needs to be restricted. So could you please advise whether eq suffices, or should this be changed to starts_with?

 

Yes, eq would be okay.

I am allowing traffic only from the TH country, so I believe the action should be allow and the else should be drop, like below:

{
  allow
} else {
  drop
}
}

Since your iRule uses the "ne" (not equal) operator to check the country, it's dropping on the first condition. You can modify the operator to check just for the TH country using the "eq" operator, to drop on the else condition. Both should be fine.

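when HTTP_REQUEST {
  # Drop requests for the restricted page that do not come from Thailand
  if { ([string tolower [HTTP::uri]] eq "/job-request") and ([whereis [IP::client_addr] country] ne "TH") } {
    drop
  } else {
    # Log before returning; a log placed after "return" is never reached
    log local0. "[IP::remote_addr]"
    return
  }
}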

Is this fine?

Yes. You can test it by using a VPN to select another country. Also, I would disable logging unless needed for troubleshooting.
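
Added example, not code from any poster in this thread: one way to write the same geo restriction so that the comparison is made on the request path alone, so a query string or a trailing slash does not change whether the rule applies. The variable names (geo_debug, req_path, country) are assumptions chosen for illustration.

```tcl
when HTTP_REQUEST {
    # Assumption: set to 1 only while troubleshooting, as the thread advises.
    set geo_debug 0

    # HTTP::path excludes the query string, so "/job-request?id=1" is still
    # compared as "/job-request". Lower-case it and strip trailing slashes so
    # "/job-request" and "/job-request/" are treated as the same page.
    set req_path [string trimright [string tolower [HTTP::path]] "/"]

    if { $req_path eq "/job-request" } {
        # Look up the country once and reuse the result.
        set country [whereis [IP::client_addr] country]

        # Anything other than TH is dropped, including clients whose address
        # cannot be mapped to a country.
        if { $country ne "TH" } {
            if { $geo_debug } {
                log local0. "geo-block: client=[IP::client_addr] country=$country"
            }
            drop
            return
        }
    }
}
```

If the virtual server sits behind a proxy or CDN, [IP::client_addr] is that device's address, so the lookup reflects the proxy's country rather than the visitor's.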