Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

IP Restrictions on Certain Sites With a shared Virtual Server

Logos_Sydney
Nimbostratus
Nimbostratus

‎18-Nov-2020 22:31

Hi guys,

 

we have couple of websites that are sharing a same F5 virtual server.

 

e.g.

111.abc.com

222.abc.com

333.abc.com

 

In the meantime, I’d like to create an iRule for restricting access to 111.abc.com & 222.abc.com with a list of IP subnets only.

 

In other words, I don’t want to setup any IP restriction on 333.abc.com.

 

Please review my iRule below and advise accordingly.

Many thanks in advance.

 

when HTTP_REQUEST {

if { not [class match [HTTP::uri] starts_with URL_List] }

return

}

}

 

when CLIENT_ACCEPTED {

if { [class match [IP::client_addr] equals Allowed_IP_List] and [class match [HTTP::uri] starts_with URL_List]

return

} else {

drop

}

}

Labels:
0 Kudos
1 REPLY 1

crodriguez
Legacy Employee
Legacy Employee

‎20-Nov-2020 16:25

Couple of opportunities here, especially since HTTP::uri is not yet available at the CLIENT_ACCEPTED event. First, I think what you are wanting to check is the host name, as specified in the HTTP Host header, not the URI. In iRules, HTTP::uri is basically everything that follows the hostname in the URL, from the "/" on, including path, object name, and query string. For example, if the complete URL is 111.abc.com/test/css/style.css, then {HTTP::host] returns "111.abc.com" and [HTTP::uri] returns "/test/css/style.css"

 

If you only need to test three or fewer URLs, your best bet is to simply check for those URLs in the iRule rather than use a datagroup. It's faster. For example:

when HTTP_REQUEST { if { [HTTP::host] equals "111.abc.com" || [HTTP::host] equals "222.abc.com" } { if { ![class match [IP::client_addr] equal Allow_IP_List] } { drop } } }

If you need to check up to about 15 URLs, change the IF structure to a SWITCH statement instead.

 

Use a datagroup if you have more than about 10-15 URLs to check, in which case:

when HTTP_REQUEST { if { [class match [HTTP::host] equals Hostname_List] } { if { ![class match [IP::client_addr] equals Allow_IP_List] } { drop } } }

Hostname_List should only contain the hostnames you want to limit traffic from based on client IP address.

0 Kudos
Copyright © 2023 Khoros, LLC