Irule to block access of VS on specific days

Shiraz
Altostratus

Dears,

I am able to restrict the access to Virtual Server by providing the static time by using the below irule. However, I also want to use this irule to restrict the access on weekends.

when RULE_INIT {
    set current_day [clock format [clock seconds] -format {%a} ]
    set static::START_OFF_TIME "05:30 AM"
    set static::END_OFF_TIME "01:00 PM"
}
when HTTP_REQUEST {
    set start_off_time [clock scan $static::START_OFF_TIME]
    set end_off_time [clock scan $static::END_OFF_TIME]
    set now [clock seconds]

    if { ( [expr $now > $start_off_time] ) and ( [expr $now < $end_off_time] ) } {
        HTTP::respond 200 content "Maintenance ModeMaintenance mode..."
    }

}
11 REPLIES

Stanislas_Piro2
Cumulonimbus

Hi,

current_day may not be defined in RULE_INIT but in HTTP_REQUEST.

You can filter on the day number (1-7) and not the day name (Monday, ...) with the command:

set current_day [clock format [clock seconds] -format {%u}]

The iRule becomes:

when RULE_INIT {
    set static::START_OFF_TIME [clock scan "05:30 AM"]
    set static::END_OFF_TIME [clock scan "01:00 PM"]
}

when HTTP_REQUEST {
    set now [clock seconds]
    set current_day [clock format [clock seconds] -format {%u}]

    if { ($current_day < 6 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
        HTTP::respond 200 content "Maintenance ModeMaintenance mode..."
    }

}

Ibrahim_Kadiri
Nimbostratus

Stan,

We need to run this iRule on the specific site only, but the below iRule, which I created, is blocking the parent site. We need to allow access to the parent without time constraint, and block access for one of the sites with the below iRule.

when RULE_INIT {
    set static::START_OFF_TIME [clock scan "05:30 AM"]
    set static::END_OFF_TIME [clock scan "01:00 PM"]
}

when HTTP_REQUEST {
    set now [clock seconds]
    set current_day [clock format [clock seconds] -format {%u}]

    if { ([string tolower [HTTP::uri]] contains "/contractor/") && ($current_day > 1 ) && ($current_day < 4 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
        pool POOL_443
    } elseif { ([string tolower [HTTP::uri]] contains "/contractor/") && ($current_day == 7 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
        pool POOL_443
    } else {
        # Every request not matched above, including the parent site, gets this response
        HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
    }
}

Hi, I have a similar requirement where I have to restrict the VS access to an IP subnet for a particular window. Were you able to make it work? If so, can you please share the iRule?

 

Thanks

Ashu

You could rather open a new thread, it would have more visibility.

Stanislas_Piro2
Cumulonimbus

You can try something like that:

when RULE_INIT {
    array set static::timerange {
        1 {"05:30" "13:00"}
        2 {"05:30" "13:00"}
        3 {"05:30" "13:00"}
        4 {"05:30" "13:00"}
        5 {"00:00" "00:00"}
        6 {"00:00" "00:00"}
        7 {"05:30" "13:00"}
    }
}

when HTTP_REQUEST {
    if { ([string tolower [HTTP::uri]] contains "/contractor/") } {    
        set now [clock seconds]
        set current_day [clock format $now -format {%u}]
        lassign $static::timerange($current_day) start end
        if {($now >= [clock scan $start]) && ($now < [clock scan $end])} {
            set denied 0
        } else {set denied 1}
    } else {set denied 0}

    if { $denied } {
        HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
    } else {pool POOL_443}
}

You can also use the day name instead of the number in the array...

Hi, I have a similar requirement and when trying the above iRule it looks like it blocks the access but it doesn't pick/sync with the system clock. It just keeps denying the requests. Can you please suggest?

 

Rgds/Ashu

I don't remember if this code used GMT or local timezone..

 

The comment I wrote above says lassign is not supported... try the code above.

Stanislas_Piro2
Cumulonimbus

The lassign command does not work in irule.

 

The following code may solve this issue.

 

when RULE_INIT {
    array set static::timerange {
        Sunday {"05:30" "13:00"}
        Monday {"05:30" "13:00"}
        Tuesday {"05:30" "13:00"}
        Wednesday {"05:30" "13:00"}
        Thursday {"05:30" "13:00"}
        Friday {}
        Saturday {}
    }
}

when HTTP_REQUEST {
    if { ([string tolower [HTTP::uri]] contains "/contractor/") } {    
        set now [clock seconds]
        set current_day [clock format $now -format {%A}]
        set start [lindex $static::timerange($current_day) 0]
        set end [lindex $static::timerange($current_day) 1]
        if {($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end])} {
            set denied 0
        } else {set denied 1}
        unset start end
    } else {set denied 0}

    if { $denied } {
        HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
    } else {pool POOL_443}
    unset denied
}

Ibrahim_Kadiri
Nimbostratus

Stan,

Thanks for the rule, but in your rule the second condition in when HTTP_REQUEST is not being executed. I have created the below rule, which is working fine, but I need to add one more condition (if { ( [class match [IP::remote_addr] equals clntip]). When I add this condition to the below rule it is not working; the rest of the rule is working fine.

Kindly advise.

when RULE_INIT {
    set static::START_OFF_TIME [clock scan "05:30 AM"]
    set static::END_OFF_TIME [clock scan "04:00 PM"]
}

when HTTP_REQUEST {
    set now [clock seconds]
    set current_day [clock format [clock seconds] -format {%u}]

    if { not ([string tolower [HTTP::uri]] contains "/contracts/")  } {
        # Anything outside /contracts/ is always allowed
        pool POOL_443
    } elseif { ([class match [IP::remote_addr] equals clntip]) && ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day >= 1 )  && ($current_day < 4 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
        pool POOL_443
    } elseif { ([class match [IP::remote_addr] equals clntip]) && ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day == 7 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) && ( [class match [IP::remote_addr] equals clntip]) } {
        pool POOL_443
    } elseif { ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day == 5 ) or ($current_day == 6 ) } {
        HTTP::respond 200 content "Weekend!Its a Weekend! Contact Administrator..."
    } else {
        HTTP::respond 200 content "Not Authorised!Not Authorised! Contact Administrator..."
    }
}

Stanislas_Piro2
Cumulonimbus

Hi,

In the first irule I provided, there was an issue ...

If clock scan is executed in RULE_INIT, the date will stay at the day the iRule was last modified or the service was restarted.

Try this irule :

when RULE_INIT {
    array set static::timerange {
        Sunday {"05:30" "16:00"}
        Monday {"05:30" "16:00"}
        Tuesday {"05:30" "16:00"}
        Wednesday {"05:30" "16:00"}
        Thursday {"05:30" "16:00"}
        Friday {}
        Saturday {}
    }
}

when HTTP_REQUEST {
    if { ([string tolower [HTTP::uri]] contains "/contractor/") } {
        if {!([class match [IP::remote_addr] equals clntip])} {set denied 1}
        set now [clock seconds]
        set current_day [clock format $now -format {%A}]
        set start [lindex $static::timerange($current_day) 0]
        set end [lindex $static::timerange($current_day) 1]
        if {($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end])} {
            set denied 0
        } else {set denied 1}
        unset start end
    } else {set denied 0}

    if { $denied } {
        HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
    } else {pool POOL_443}
    unset denied
}

Stanislas_Piro2
Cumulonimbus

Hi Ibrahim,

The following iRule may work:

when RULE_INIT {
    array set static::timerange {
        Sunday {"05:30" "16:00"}
        Monday {"05:30" "16:00"}
        Tuesday {"05:30" "16:00"}
        Wednesday {"05:30" "16:00"}
        Thursday {"05:30" "16:00"}
        Friday {}
        Saturday {}
    }
}

when HTTP_REQUEST {
    if { ([string tolower [HTTP::uri]] contains "/contractor/") } {
        if {!([class match [IP::remote_addr] equals clntip])} {
            set denied 1
        } else {
            set now [clock seconds]
            set current_day [clock format $now -format {%A}]
            set start [lindex $static::timerange($current_day) 0]
            set end [lindex $static::timerange($current_day) 1]
            if {($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end])} {
                set denied 0
            } else {set denied 1}
            unset start end
        }
    } else {set denied 0}

    if { $denied } {
        HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
    } else {pool POOL_443}
    unset denied
}
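
The per-request window check discussed in this thread, as an added example in plain Tcl for tclsh (not an iRule and not code from any poster): it contrasts bounds computed once at load time with bounds anchored to the request time, and returns on each deny condition so a later check cannot overwrite it. The proc names, the reading of the schedule as UTC, and the timestamps are assumptions constructed for illustration.

```tcl
# Added example: plain Tcl for tclsh, not an iRule.
# Schedule as in the thread: day name -> {start end}; {} means closed all day.
array set timerange {
    Sunday    {"05:30" "16:00"}
    Monday    {"05:30" "16:00"}
    Tuesday   {"05:30" "16:00"}
    Wednesday {"05:30" "16:00"}
    Thursday  {"05:30" "16:00"}
    Friday    {}
    Saturday  {}
}

# Hypothetical helper: 1 when $now is inside the window for its own weekday.
# -base anchors "05:30" to the day of $now; -gmt 1 fixes the timezone
# (reading the schedule as UTC is an assumption of this example).
proc in_window {now} {
    global timerange
    set day [clock format $now -format %A -gmt 1]
    set start [lindex $timerange($day) 0]
    set end   [lindex $timerange($day) 1]
    if {$start eq "" || $end eq ""} { return 0 }
    set t0 [clock scan $start -base $now -gmt 1]
    set t1 [clock scan $end -base $now -gmt 1]
    return [expr {$now >= $t0 && $now < $t1}]
}

# Hypothetical decision proc: each deny returns at once, so a later check
# cannot reset it. $ip_allowed stands in for the data-group lookup.
proc is_denied {path ip_allowed now} {
    if {![string match "*/contractor/*" [string tolower $path]]} { return 0 }
    if {!$ip_allowed} { return 1 }
    return [expr {![in_window $now]}]
}

# Constructed UTC timestamps: Mon 2024-01-01, Tue 2024-01-02, Fri 2024-01-05, all 10:00.
set samples [list Mon 1704103200 Tue 1704189600 Fri 1704448800]

# Bounds computed once on Monday, as a clock scan inside RULE_INIT would do.
set frozen_start [clock scan "05:30" -base 1704103200 -gmt 1]
set frozen_end   [clock scan "16:00" -base 1704103200 -gmt 1]

foreach {label ts} $samples {
    set frozen [expr {$ts > $frozen_start && $ts < $frozen_end}]
    puts "$label frozen=$frozen per-request=[in_window $ts]\
          denied(ip ok)=[is_denied /contractor/x 1 $ts]\
          denied(ip bad)=[is_denied /contractor/x 0 $ts]"
}
```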