Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Irule for restricting access

Go to solution
nikhilmbass
Altostratus
Altostratus

‎27-Feb-2022 21:04

Hello Members,

I have an application hosted on the F5, which also has an I-rule redirect policy attached to it.
https://domain.com redirects to https://domain.com/admin/login.jsp
This is accesssible over both public and pvt.

We have a new requirement, where we need to restrict access to just the below application URL path to only private networks.
https://domain.com/admin/tools/index.html
Can this be acheived and will it cause any compatibility issues with the existing above IRule redirect ??

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
CA_Valli
MVP
MVP

‎28-Feb-2022 00:38

Hello, you should be able to do this either with iRule or with LTM policy. 
F5 recommends using options available in standard configurations / GUI / traffic profiles over iRule syntax where possible, as they typically perform faster. 

In your case however using data group lists might be easier to mantain. One IP type data group to list restricted networks, and one string type data group to list restricted URI's. 

if { class match [HTTP::path] ends_with restricted_uri_class && class match [IP::client_Addr] equals restricted_ip_class } { reject }

View solution in original post

6 REPLIES 6

Go to solution
neeeewbie
MVP
MVP

‎27-Feb-2022 23:00

 

you can use below irule if you using redirection irule on same virtual server

when HTTP_REQUEST {

 if {[HTTP::host] equals "domain.com"}{

if {[HTTP::uri] starts_with "/admin/tools"}{

HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]

}
else if {[HTTP::uri] starts_with "/admin/login.jsp"}{

HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]

}

}
else
default pool

}

 

0 Kudos

Go to solution
nikhilmbass
Altostratus
Altostratus

‎28-Feb-2022 00:14

Thanks for the suggestion neewbie. Will check on it.

What we are looking for is that https://domain.com/admin/tools/index.html should only be accessible via private network, so thinking of using a Data Group List.
/tools/index.html is the extra add-on URI to be restricted.

However this main URL https://domain.com/admin should be accessible as is over both public and private.

0 Kudos

Go to solution
neeeewbie
MVP
MVP
In response to nikhilmbass

‎28-Feb-2022 00:23

I guess you need add virtual server better than add the irule 

F5 can make same dst ip virtual server if source ip address difference between exist virtual server 

 

below url is explain order of precedence for virtual server matching 

https://support.f5.com/csp/article/K14800

0 Kudos

Go to solution
CA_Valli
MVP
MVP

‎28-Feb-2022 00:38

Hello, you should be able to do this either with iRule or with LTM policy. 
F5 recommends using options available in standard configurations / GUI / traffic profiles over iRule syntax where possible, as they typically perform faster. 

In your case however using data group lists might be easier to mantain. One IP type data group to list restricted networks, and one string type data group to list restricted URI's. 

if { class match [HTTP::path] ends_with restricted_uri_class && class match [IP::client_Addr] equals restricted_ip_class } { reject }

Go to solution
nikhilmbass
Altostratus
Altostratus
In response to CA_Valli

‎03-Mar-2022 04:35

Thanks CA_Valli for your suggestion. The solution worked perfectly fine.
Much appreciated

0 Kudos

Go to solution
Ruby69
Nimbostratus
Nimbostratus

‎03-Mar-2022 01:08

@nikhilmbass wrote:

Hello Members,

I have an application hosted on the F5, which also has an I-rule redirect policy attached to it.
https://domain.com redirects to https://domain.com/admin/login.jsp
This is accesssible over both public and pvt.

We have a new requirement, where we need to restrict access to just the below application URL path to only private networks.
https://domain.com/admin/tools/index.html
Can this be acheived and will it cause any compatibility issues with the existing above IRule redirect ??

In your case however using data group lists might be easier to mantain. One IP type data group to list restricted networks, and one string type data group to list restricted URI's.                                  MyMercy

0 Kudos
Copyright © 2023 Khoros, LLC