F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Logos_Sydney's avatar
Logos_Sydney
Icon for Nimbostratus rankNimbostratus
Nov 18, 2020

IP Restrictions on Certain Sites With a shared Virtual Server

Hi guys,   we have couple of websites that are sharing a same F5 virtual server.   e.g. 111.abc.com 222.abc.com 333.abc.com   In the meantime, I’d like to create an iRule for restricti...
BIG-IP
iRules
security
crodriguez's avatar
crodriguez
Ret. Employee
Nov 20, 2020

Couple of opportunities here, especially since HTTP::uri is not yet available at the CLIENT_ACCEPTED event. First, I think what you are wanting to check is the host name, as specified in the HTTP Host header, not the URI. In iRules, HTTP::uri is basically everything that follows the hostname in the URL, from the "/" on, including path, object name, and query string. For example, if the complete URL is 111.abc.com/test/css/style.css, then {HTTP::host] returns "111.abc.com" and [HTTP::uri] returns "/test/css/style.css"

If you only need to test three or fewer URLs, your best bet is to simply check for those URLs in the iRule rather than use a datagroup. It's faster. For example:

when HTTP_REQUEST {
    if { [HTTP::host] equals "111.abc.com" || [HTTP::host] equals "222.abc.com" } {
        if { ![class match [IP::client_addr] equal Allow_IP_List] } {
            drop
        }
    }
}

If you need to check up to about 15 URLs, change the IF structure to a SWITCH statement instead.

Use a datagroup if you have more than about 10-15 URLs to check, in which case:

when HTTP_REQUEST {
   if { [class match [HTTP::host] equals Hostname_List] } {
       if { ![class match [IP::client_addr] equals Allow_IP_List] } {
            drop
        }
    }
}

Hostname_List should only contain the hostnames you want to limit traffic from based on client IP address.