18-Aug-2020 07:03
I have an application which is internet accessible, but the application team has asked me to limit access to specific URIs based upon client IP. I just cannot seem to get the logic right.
I am using the default data group private_net and a second string data group called allowed-uri-list which lists the allowed URIs for Internet users.
when HTTP_REQUEST {
    if { {[class match [IP::client_addr] eq private_net ]} } {
        # allow access
    } elseif {
        {[class match [HTTP::uri] equals allowed-uri-list ]}} {
        #allow access
    } else { HTTP::respond 404 }
}
I keep getting HTTP errors for no response and the Tcl engine doesn't like my first if.
What am I doing wrong?
18-Aug-2020 07:56 - last edited on 04-Jun-2023 21:19 by JimmyPackets
Hi Jim_Bo,
Can you try this?
when HTTP_REQUEST {
    # Tcl requires elseif/else on the same line as the preceding closing brace.
    if { [class match [IP::client_addr] equals private_net] } {
        # allow access
    } elseif { [class match [HTTP::uri] equals allowed-uri-list] } {
        # allow access
    } else {
        HTTP::respond 404 content "404 Not Found"
    }
}
or
when HTTP_REQUEST {
    if { not ([class match [IP::client_addr] equals private_net] || [class match [HTTP::uri] equals allowed-uri-list]) } {
        HTTP::respond 404 content "404 Not Found"
    }
}
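A variant of the rule above, as an added example that is not part of the original thread: it matches on HTTP::path instead of HTTP::uri, so a query string cannot defeat the exact match, and it logs each denied request. It assumes the entries in allowed-uri-list are exact paths without query strings.

```tcl
when HTTP_REQUEST {
    # Clients whose source address falls in the private_net address data group
    # are not restricted.
    if { [class match [IP::client_addr] equals private_net] } {
        return
    }

    # HTTP::uri includes the query string, so "/app/login?next=/home" would not
    # equal an "/app/login" entry. HTTP::path is the URI without the query string.
    # Assumption: allowed-uri-list contains exact paths such as "/app/login".
    set path [HTTP::path]

    # Exact match only. Non-normalized forms ("//app/login", "/app/./login")
    # do not equal any entry, so they fall through to the deny branch.
    if { [class match $path equals allowed-uri-list] } {
        return
    }

    # Deny everything else and leave a record for troubleshooting and review.
    log local0. "uri-allowlist deny: client=[IP::client_addr] method=[HTTP::method] host=[HTTP::host] uri=[HTTP::uri]"
    HTTP::respond 404 content "404 Not Found"
}
```

On a busy internet-facing virtual server the log line can be noisy; it is most useful while validating the data group contents.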
18-Aug-2020 08:58
Actually, after the app team provided the correct app name/VIP address, using LTM Traffic Policy made this quick and easy. Thanks for your response. My original policy wasn't working because they had me apply and test on a very similar but incorrect VIP.