Forum Discussion

Lloyd_Carter's avatar
Lloyd_Carter
Icon for Nimbostratus rankNimbostratus
May 12, 2020
Solved

iRule for IP Whitelist on specific URL

I have a service that I am migrating to F5 BIG IP. It previously used IIS IP Address Restriction to control access to a particular URL. Can anyone recommend an iRule that will allow me to do the sa...
application delivery
iRules
  • Kevin_Davies's avatar
    Kevin_Davies
    May 12, 2020

    Sure an iRule for that isn't hard. The question is how will you get the whitelist on the BIGIP. If you use data groups you can update a whitelist directly in the GUI, but is that an interface you want to use for this. You can also use external data groups which are a file on the BIG-IP. This can be pushed/pulled from other sources and then loaded on the BIG-IP. If you have privatewhitelist address data group defined on the BIG-IP this would do the job.

    when HTTP_REQUEST {
  if {[HTTP::uri] eq "/private"} {
    if {![class match [IP::client_address] equals privatelwhitelist]} {
      HTTP::respond 403 content "<html><body>Access not permitted</body></html>" Connection Close
      TCP::close
    }
  }
}
Kevin_Davies's avatar
Kevin_Davies
Icon for MVP rankMVP

Sure an iRule for that isn't hard. The question is how will you get the whitelist on the BIGIP. If you use data groups you can update a whitelist directly in the GUI, but is that an interface you want to use for this. You can also use external data groups which are a file on the BIG-IP. This can be pushed/pulled from other sources and then loaded on the BIG-IP. If you have privatewhitelist address data group defined on the BIG-IP this would do the job.

when HTTP_REQUEST {
  if {[HTTP::uri] eq "/private"} {
    if {![class match [IP::client_address] equals privatelwhitelist]} {
      HTTP::respond 403 content "<html><body>Access not permitted</body></html>" Connection Close
      TCP::close
    }
  }
}
Lloyd_Carter's avatar
Lloyd_Carter
Icon for Nimbostratus rankNimbostratus
May 12, 2020

Hi Kevin,

 

Thanks for this. An internal data group for this would be fine as the list is going to be fairly static. I have defined my Data Group but I'm getting an error on the iRule as follows.

 

01070151:3: [undefined procedure: IP::client_address][IP::client_address]

 

Any ideas what I did wrong here? It looks like my data group has not been recognised by the irule