25-Nov-2021 20:22 - last edited on 21-Nov-2022 14:31 by JimmyPackets
I'm looking for an iRule that will be applied to a multitenant environment, where each client will have their own set of authorised IPs.
Our application will have a "common" URI in web requests for all tenants, but the hostname differs. So there will be a pool mapping at first based on the host.
3a. If the allowed URI is "/store/coffee", then starbucks.net/store/coffee/mug.html should work only for whitelisted IPs. Unauthorised IPs for the same web request should get a 403 error.
3b. If the web request is starbucks.net/AboutUs.html or starbucks.net/contactus.aspx, then it should be publicly available. No restrictions.
I have the below iRule, which is partially working. However, my point 3(b) doesn't work: I get an IE error when the URI does not match the allowed URI. Please advise.
when HTTP_REQUEST {
    # Pool selection: the data group key is "<host><uri>", matched by prefix.
    set pool [class match -value -- [HTTP::host][HTTP::uri] starts_with datagroup_pools]
    # Initialise the flag for every request, not only for requests whose URI is in
    # datagroup_allowed_uri; otherwise the check further down reads an undefined
    # variable on public URIs and the request is reset instead of being served.
    set blacklisted "false"
    if { [class match [string tolower [HTTP::uri]] contains datagroup_allowed_uri] } {
        # Per-tenant allowlist: the data group value is the name of the tenant's own IP data group.
        set whitelist [class match -value -- [HTTP::host] equals datagroup_whitelistgrp]
        set ipaddr [IP::remote_addr]
        if { $whitelist ne "" } {
            if { !([class match $ipaddr equals $whitelist]) } {
                # Shared office addresses are accepted for every tenant.
                if { !([matchclass $ipaddr equals office_ips]) } {
                    set blacklisted "true"
                    HTTP::respond 403 content "<html code for custom error page>"
                }
            }
        }
    }
    if { $blacklisted ne "true" } {
        if { $pool ne "" } {
            if { [active_members $pool] == 0 } {
                HTTP::respond 500 content "<html code for custom error page>"
            } else {
                pool $pool
            }
        } else {
            HTTP::respond 404 content "<html code for custom error page>"
        }
    }
}
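The decision logic the question describes (host-to-pool mapping, a URI-gated per-tenant allowlist backed by a shared office list, then the 403/404/500 outcomes), modelled in Python as an added example. This is not an iRule and not the poster's code; the hosts, pools, URI prefixes, CIDRs and member counts are constructed placeholders standing in for the three data groups. The block also shows how to avoid the failure mode reported for point 3(b): the "blocked" flag is set before the URI check, so a request on a public path never reaches the final decision with an undefined variable.

```python
"""Constructed model of the per-tenant IP allowlist policy from the question.

Added illustration only: the data groups are plain dicts and lists, and
decide() returns the status and pool the iRule would have chosen.
"""
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed sample data (hypothetical hosts, pools and addresses).
POOLS = {                       # stands in for datagroup_pools: host -> pool
    "starbucks.net": "starbucks.net_443",
    "www.abc.com": "www.abc.com_443",
}
RESTRICTED_URI_PREFIXES = ["/store/coffee"]   # stands in for datagroup_allowed_uri
TENANT_ALLOWLISTS = {           # stands in for datagroup_whitelistgrp + per-tenant groups
    "starbucks.net": ["198.51.100.0/24"],
    "www.abc.com": ["203.0.113.10/32"],
}
OFFICE_IPS = ["192.0.2.0/24"]   # stands in for office_ips, shared by all tenants
ACTIVE_MEMBERS = {"starbucks.net_443": 2, "www.abc.com_443": 0}  # stands in for active_members


def normalize_host(host: str) -> str:
    """Lower-case the Host header and drop a trailing :port, which [HTTP::host] may carry."""
    host = host.strip().lower()
    if ":" in host and not host.startswith("["):   # bracketed IPv6 literals are not expected here
        host = host.rsplit(":", 1)[0]
    return host


def normalize_path(uri: str) -> str:
    """Compare on the lower-cased path only; query string and fragment play no part."""
    path = uri.split("?", 1)[0].split("#", 1)[0].lower()
    return path or "/"


def ip_in_any(ip: str, cidrs: Iterable[str]) -> bool:
    """True if ip falls inside any of the CIDRs; an unparsable address never matches."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def decide(host: str, uri: str, client_ip: str) -> Tuple[int, Optional[str]]:
    """Return (status, pool): 403/404/500 with no pool, or 200 with the selected pool."""
    host = normalize_host(host)
    path = normalize_path(uri)
    pool = POOLS.get(host)

    # Set unconditionally so public paths reach the final decision with a defined flag.
    blocked = False
    if any(path.startswith(prefix) for prefix in RESTRICTED_URI_PREFIXES):
        tenant_cidrs = TENANT_ALLOWLISTS.get(host)
        # As in the question's iRule, a tenant with no allowlist entry is not restricted.
        if tenant_cidrs is not None:
            if not ip_in_any(client_ip, tenant_cidrs) and not ip_in_any(client_ip, OFFICE_IPS):
                blocked = True

    if blocked:
        return 403, None
    if pool is None:
        return 404, None
    if ACTIVE_MEMBERS.get(pool, 0) == 0:
        return 500, None
    return 200, pool


if __name__ == "__main__":
    for request in [
        ("starbucks.net", "/store/coffee/mug.html", "198.51.100.7"),   # tenant allowlist
        ("starbucks.net", "/store/coffee/mug.html", "203.0.113.99"),   # not allowlisted
        ("starbucks.net", "/AboutUs.html", "203.0.113.99"),            # public path
        ("Starbucks.NET:443", "/Store/Coffee/cup.html", "192.0.2.5"),  # office IP, host with port
        ("www.abc.com", "/store/coffee/x", "203.0.113.10"),            # pool has no members
        ("unknown.example", "/anything", "198.51.100.7"),              # no pool mapping
    ]:
        print(request, "->", decide(*request))
```

Two points worth checking against your own data groups before relying on this shape of policy: the tenant-without-allowlist case is fail-open here, exactly as in the posted iRule, so a tenant that is missing from datagroup_whitelistgrp has no restriction on /store/coffee at all; and the prefix test is done on a normalised path rather than with "contains" on the raw URI, so that a query string mentioning /store/coffee does not turn a public page into a 403 for ordinary visitors, and the comparison is not sensitive to letter case.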
27-Nov-2021 03:07
Not sure which of your points is 3(b); there don't appear to be numbers for me. You might want to rework your introduction, or explain on which line it fails now.
For the rest, I at least notice you don't set up office_ips in this section; it might be done earlier, of course.
29-Nov-2021 09:20
I have corrected the question format; please check now.
30-Nov-2021 03:49 - last edited on 21-Nov-2022 15:25 by JRahm
It's not clear from the requirement whether other hosts (other than starbucks.net) need any IP restrictions for certain URIs, but considering they don't need it, we can simplify the iRule as below. It also has the mapping from host name to pool in the same iRule.
when HTTP_REQUEST {
    # Host to pool mapping; requests for any other host are rejected.
    switch -glob [string tolower [HTTP::host]] {
        "www.abc.com" {
            pool www.abc.com_443
        }
        "starbucks.net" {
            pool starbucks.net_443
        }
        default {
            reject
        }
    }
    # IP restriction applies only to the protected URI on starbucks.net;
    # every other URI is passed through to the selected pool unchanged.
    switch -glob [string tolower [HTTP::uri]] {
        "/store/coffee/mug.html" {
            if { [string tolower [HTTP::host]] eq "starbucks.net" and ![class match [IP::client_addr] equals datagroup_whitelist] } {
                HTTP::respond 403 content "<html code for custom error page>"
            } else {
                return
            }
        }
        default {
            return
        }
    }
}