nitass
Jan 14, 2013 — Employee
But how can I incorporate that with my previous HTTP iRule? Basically, after doing content switching, it will check if the client IP is allowed to access the pool before forwarding it. Otherwise, it will be rejected. The CLIENT_ACCEPTED event is triggered before the HTTP_REQUEST event, so we can reject the client IP address in CLIENT_ACCEPTED and select the pool based on the URL in HTTP_REQUEST. Because `reject` in CLIENT_ACCEPTED closes the TCP connection before any HTTP is parsed, a non-allowlisted client never reaches the pool-selection logic at all. Note that `IP::client_addr` is the source address as seen by the BIG-IP, so if clients arrive through an upstream proxy or NAT the allowlist is effectively checking that device's address rather than the end user's.
iRules Insight - HTTP Event Order by Jason
https://devcentral.f5.com/blogs/us/irules-insight-http-event-order
e.g.
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
destination 172.28.20.14:443
ip-protocol tcp
mask 255.255.255.255
profiles {
clientssl {
context clientside
}
http { }
tcp { }
}
rules {
myrule
}
source 0.0.0.0/0
source-address-translation {
type automap
}
vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
# Source-IP allowlist plus URI-based content switching for virtual "bar".
# Event order matters: CLIENT_ACCEPTED fires once per TCP connection, before
# any HTTP is parsed, so a reject here stops every request on that connection
# from ever reaching the HTTP_REQUEST pool selection below.
when CLIENT_ACCEPTED {
log local0. "-"
# Allowlist check against the internal data-group allow_ip_class (type ip).
# IP::client_addr is the L3 source address as seen by this BIG-IP; if clients
# arrive through an upstream proxy or NAT this effectively allowlists that
# device, not the end user -- NOTE(review): confirm the traffic path.
if { not [class match -- [IP::client_addr] equals allow_ip_class] } {
log local0. "[IP::client_addr]:[TCP::client_port] is rejected"
# reject closes the TCP connection at this point; no HTTP request is parsed
# and no HTTP response is sent to the rejected client.
reject
} else {
log local0. "[IP::client_addr]:[TCP::client_port] is accepted"
}
}
when HTTP_REQUEST {
log local0. "-"
# NOTE(review): "case insensitive" does not look like a valid iRule/Tcl
# command invocation; confirm it is not raising a runtime TCL error. The
# actual case-folding is done by string tolower on the following line.
case insensitive
set uri [string tolower [HTTP::uri]]
# Pool selection is a first-match glob over the lower-cased URI.
# "*opis*" and "*reseller*" match the substring ANYWHERE in the URI
# (HTTP::uri includes the query string), so a request such as
# "/reseller/x?q=opis" is sent to OPIS_POOL because the "*opis*" arm is
# tested first. Anchor the patterns (e.g. "/opis/*") if routing is meant
# to be path-based. Every unmatched URI falls through to RESELLER_POOL
# rather than being rejected. $uri is client-controlled and is echoed into
# the SERVER_CONNECTED log line below, so treat that log field as untrusted.
switch -glob $uri {
"*opis*" { pool OPIS_POOL }
"*reseller*" { pool RESELLER_POOL }
default {
# Catch-all: any URI not matched by the arms above lands on RESELLER_POOL.
pool RESELLER_POOL
}
}
}
when SERVER_CONNECTED {
log local0. "-"
# Audit line: client endpoint, the lower-cased (untrusted) URI set in
# HTTP_REQUEST, and the pool / pool member actually selected.
log local0. "client [IP::client_addr]:[TCP::client_port] | uri $uri | pool [LB::server pool] | pool member [LB::server addr]:[LB::server port]"
}
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group internal allow_ip_class
ltm data-group internal allow_ip_class {
records {
192.168.206.33/32 { }
}
type ip
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool OPIS_POOL
ltm pool OPIS_POOL {
members {
200.200.200.101:80 {
address 200.200.200.101
}
}
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool RESELLER_POOL
ltm pool RESELLER_POOL {
members {
200.200.200.111:80 {
address 200.200.200.111
}
}
}
[root@ve11a:Active:Changes Pending] config tail -f /var/log/ltm
Jan 14 14:58:59 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:58:59 ve11a info tmm1[11170]: Rule /Common/myrule : 172.28.19.251:49004 is rejected
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : 192.168.206.33:55244 is accepted
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : client 192.168.206.33:55244 | uri /opis/something | pool /Common/OPIS_POOL | pool member 200.200.200.101:80
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : 192.168.206.33:55246 is accepted
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : client 192.168.206.33:55246 | uri /reseller/something | pool /Common/RESELLER_POOL | pool member 200.200.200.111:80
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : -
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : 192.168.206.33:55247 is accepted
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : -
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : -
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : client 192.168.206.33:55247 | uri /somethingelse | pool /Common/RESELLER_POOL | pool member 200.200.200.111:80