
Irule for restricting access

nikhilmbass
Altostratus

Hello Members,

I have an application hosted on the F5, which also has an I-rule redirect policy attached to it.
https://domain.com redirects to https://domain.com/admin/login.jsp
This is accessible over both public and private.

We have a new requirement, where we need to restrict access to just the below application URL path to only private networks.
https://domain.com/admin/tools/index.html
Can this be achieved, and will it cause any compatibility issues with the existing iRule redirect above?

1 ACCEPTED SOLUTION

CA_Valli
Cumulonimbus

Hello, you should be able to do this either with an iRule or with an LTM policy.
F5 recommends using options available in standard configurations / GUI / traffic profiles over iRule syntax where possible, as they typically perform faster.

In your case, however, using data group lists might be easier to maintain. One IP type data group to list restricted networks, and one string type data group to list restricted URIs.

if { [class match [HTTP::path] ends_with restricted_uri_class] && [class match [IP::client_addr] equals restricted_ip_class] } { reject }


6 REPLIES

neeeewbie
MVP

You can use the iRule below if you are using a redirection iRule on the same virtual server:

when HTTP_REQUEST {
    if { [HTTP::host] equals "domain.com" } {
        if { [HTTP::uri] starts_with "/admin/tools" } {
            # Redirect to the HTTPS URL for the same host (port stripped) and URI
            HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
        } elseif { [HTTP::uri] starts_with "/admin/login.jsp" } {
            HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
        }
    }
    # Any other request is not handled here and goes to the virtual server's default pool
}

nikhilmbass
Altostratus

Thanks for the suggestion neewbie. Will check on it.

What we are looking for is that https://domain.com/admin/tools/index.html should only be accessible via private network, so thinking of using a Data Group List.
/tools/index.html is the extra add-on URI to be restricted.

However this main URL https://domain.com/admin should be accessible as is over both public and private.

I guess it is better to add a virtual server than to add the iRule.

F5 can create a virtual server with the same destination IP if its source IP address differs from the existing virtual server.

The URL below explains the order of precedence for virtual server matching:

https://support.f5.com/csp/article/K14800

Thanks CA_Valli for your suggestion. The solution worked perfectly fine.
Much appreciated
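
The data group approach from the accepted solution, written out as a complete iRule. This is an added example, not code posted by anyone in the thread. It assumes the allow-list form of the check (the IP data group holds the private networks that may reach the path, and every other client is rejected), and the data group names `private_networks_dg` and `restricted_uri_dg` are hypothetical.

```tcl
# Added example. Data group names are hypothetical and must exist first, e.g. in tmsh:
#   create ltm data-group internal private_networks_dg type ip \
#       records add { 10.0.0.0/8 { } 172.16.0.0/12 { } 192.168.0.0/16 { } }
#   create ltm data-group internal restricted_uri_dg type string \
#       records add { /admin/tools/index.html { } }

# Lower number runs first; the default priority is 500, so this check is
# evaluated before an existing redirect iRule on the same virtual server.
priority 100

when HTTP_REQUEST {
    # Compare the path only (no query string), lower-cased so that
    # /Admin/Tools/Index.html is treated like the data group entry.
    set path [string tolower [HTTP::path]]

    # starts_with matches the entry itself and anything appended to it;
    # an entry such as /admin/tools/ would cover the whole directory.
    if { [class match $path starts_with restricted_uri_dg] } {
        # Allow-list: only clients inside the private networks may continue.
        if { not [class match [IP::client_addr] equals private_networks_dg] } {
            log local0. "Restricted path denied for client [IP::client_addr]"
            reject
            # Disable further events on this connection so later iRules
            # (the redirect rule) do not act on the rejected request.
            event disable all
            return
        }
    }
    # All other requests continue to the redirect iRule and the default pool.
}
```

Because the rule acts only on paths listed in the string data group, the redirect from https://domain.com to /admin/login.jsp is left unchanged for both public and private clients.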
