Diago1111
Oct 14, 2021

F5 irule set restrictaccess 0 & 1 command.

Hi All,

 

I'm a newbie to F5 iRules and kind of stuck understanding the syntax; in particular, I can't figure out what effect "set restrictaccess 1" and "set restrictaccess 0" have here.

 

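ltm rule Drop_Xyz_Requests {
    partition Xyz
    priority 10

    when CLIENT_ACCEPTED {
        # Default: treat every new connection as restricted
        set restrictaccess 1
        # Clear the flag when the client IP is in the data group
        # (the post cut this condition off after a trailing "||")
        if { [class match [IP::client_addr] equals corp_Vlan10-Vlan80] } {
            set restrictaccess 0
        }
    }

    when HTTP_REQUEST {
        if { $restrictaccess } {
            # Restricted client: reject any path outside the listed prefix
            # (the post cut this condition off after a trailing "||" as well)
            if { !([string tolower [HTTP::path]] starts_with "/xxx-xxx-xxxx/api/") } {
                HTTP::respond 403 content {<html>403 Forbidden - Access Denied</html>}
            }
        }
    }
}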

2 Replies

  • In your example, the variable named restrictaccess is being used as a Boolean switch to determine whether a client should be restricted from accessing what looks like an application API. The restrictaccess switch is set to true (1) by default, meaning the client should not have access to the API. This happens during the CLIENT_ACCEPTED event, which occurs upon successful completion of the three-way handshake between the client and the virtual server on the BIG-IP system. Then the client's IP address is compared to the values in a datagroup. If a match is found, restrictaccess is set to false (0), meaning the client is allowed to access the API.

     

    The restrictaccess switch is then checked during the HTTP_REQUEST event, which occurs every time the client sends an HTTP request across the existing connection. If restrictaccess is true (1) and if the request is for the API, the client is blocked from access via the custom HTTP response content. If restrictaccess is false (0), the client is allowed access to the API (or whatever element it was they requested).

    • Diago1111

      Thanks a lot for your response. Much helpful to understand now.
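
As an added example (not part of the original thread and not F5 code), this Python model replays the rule's two events for one connection to show that the flag is computed once at CLIENT_ACCEPTED and then reused by every HTTP_REQUEST on that connection. It covers only the conditions visible in the post; the data group contents, the client addresses and the names `Connection` and `replay` are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for the corp_Vlan10-Vlan80 data group; the thread
# does not show its real contents.
CORP_DATA_GROUP = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("10.80.0.0/16"),
]
API_PREFIX = "/xxx-xxx-xxxx/api/"  # placeholder path exactly as posted


class Connection:
    """One client TCP connection to the virtual server (hypothetical model)."""

    def __init__(self, client_ip):
        # CLIENT_ACCEPTED: runs once, after the TCP handshake completes.
        self.restrictaccess = 1                          # set restrictaccess 1
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in CORP_DATA_GROUP):  # class match ...
            self.restrictaccess = 0                      # set restrictaccess 0

    def http_request(self, path):
        # HTTP_REQUEST: runs for every request sent over this connection and
        # reads the flag that was set at accept time.
        if self.restrictaccess:
            # [string tolower [HTTP::path]] starts_with "<prefix>", negated
            if not path.lower().startswith(API_PREFIX):
                return "403"   # HTTP::respond 403 ...
        return "pass"          # the rule takes no action on this request


def replay(client_ip, paths):
    """Open one connection and send each path over it, in order."""
    conn = Connection(client_ip)
    return [conn.http_request(p) for p in paths]


if __name__ == "__main__":
    # Constructed sample traffic: one data-group client, one outside client.
    for ip in ("10.10.5.20", "203.0.113.7"):
        paths = ["/", "/xxx-xxx-xxxx/API/v1", "/xxx-xxx-xxxx/api"]
        for path, verdict in zip(paths, replay(ip, paths)):
            print(f"{ip:<12} {path:<22} {verdict}")
```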