Forum Discussion

Jim_Bo's avatar
Jim_Bo
Icon for Nimbostratus rankNimbostratus
Aug 18, 2020

iRule to selectively allow limited access by client IP

I have an application which is internet accessible but the application team has asked me to limit access to specific URIs based upon client ip. I just cannot seem to get the logic right.

 

I am using the default data group private_net and a second string data group called allowed-uri-list which lists the allowed URIs for Internet users.

 

when HTTP_REQUEST {

  if { {[class match [IP::client_addr] eq private_net ]} } {

  # allow access

} elseif { 

  {[class match [HTTP::uri] equals allowed-uri-list ]}} {

#allow access

  } else { HTTP::respond 404 }

}

 

I keep getting http errors for no response and the tcl engine doesn't like my first if.

 

What am I doing wrong?

2 Replies

  • Hi Jim_Bo,

    Can you try this?

    when HTTP_REQUEST {
    	if { [class match [IP::client_addr] equals private_net] } {
    		# allow access
    	}
    	elseif { [class match [HTTP::uri] equals allowed-uri-list] } {
    		# allow access
    	}
    	else {
    		HTTP::respond 404 content "404 Not Found"
    	}
    }

    or

    when HTTP_REQUEST {
    	if { not ([class match [IP::client_addr] equals private_net] || [class match [HTTP::uri] equals allowed-uri-list]) } {
    		HTTP::respond 404 content "404 Not Found"
    	}
    }
  • Jim_Bo's avatar
    Jim_Bo
    Icon for Nimbostratus rankNimbostratus

    Actually after the app team provided the correct app name/vip address, using LTM Traffic Policy made this quick and easy. thanks for your response. My original policy wasn't working because they had me apply and test on a very similar but incorrect VIP.