I have AKAMAI as a CDN provider in front of my F5 published services. I have configured a data-group of type "Address" and before AKAMAI, I checked if the client IP could be found in this data-group and allowed access towards a specific path:
"/uri_path*" {
pool server-pool
if { !([class match [IP::client_addr] equals dg_allowed_ips])} {
HTTP::respond 403 content ""
log local0. "tried to connect to ret from [IP::client_addr]"
}
}
Now after introducing AKAMAI, since the client IP is replaced by that of the connecting AKAMAI server, I needed to get the actual client IP using a custom header:
if { ([HTTP::header exists "True-Client-IP"]) and ([HTTP::header "True-Client-IP"] != "") } {
set True_Client_IP [HTTP::header "True-Client-IP"]
} else {
set True_Client_IP [IP::client_addr]
}
If I change the evaluation to use this new variable, it basically never matches since the variable is of type "string" whereas the data group contains IPs:
"/uri_path*" {
pool server-pool
if { !([class match $True_Client_IP equals dg_allowed_ips])} {
HTTP::respond 403 content ""
log local0. "tried to connect to ret from $True_Client_IP"
}
}
So the question becomes: can I evaluate a string over a an IP data-group? Can I somehow change the variable type to be IP?
