cancel
Showing results for 
Search instead for 
Did you mean: 

iRule to selectively allow limited access by client IP

Jim_Bo
Nimbostratus
Nimbostratus

I have an application which is internet accessible but the application team has asked me to limit access to specific URIs based upon client ip. I just cannot seem to get the logic right.

 

I am using the default data group private_net and a second string data group called allowed-uri-list which lists the allowed URIs for Internet users.

 

when HTTP_REQUEST {

  if { {[class match [IP::client_addr] eq private_net ]} } {

  # allow access

} elseif { 

  {[class match [HTTP::uri] equals allowed-uri-list ]}} {

#allow access

  } else { HTTP::respond 404 }

}

 

I keep getting http errors for no response and the tcl engine doesn't like my first if.

 

What am I doing wrong?

2 REPLIES 2

Hi Jim_Bo,

 

Can you try this?

when HTTP_REQUEST { if { [class match [IP::client_addr] equals private_net] } { # allow access } elseif { [class match [HTTP::uri] equals allowed-uri-list] } { # allow access } else { HTTP::respond 404 content "404 Not Found" } }

or

when HTTP_REQUEST { if { not ([class match [IP::client_addr] equals private_net] || [class match [HTTP::uri] equals allowed-uri-list]) } { HTTP::respond 404 content "404 Not Found" } }

 

Jim_Bo
Nimbostratus
Nimbostratus

Actually after the app team provided the correct app name/vip address, using LTM Traffic Policy made this quick and easy. thanks for your response. My original policy wasn't working because they had me apply and test on a very similar but incorrect VIP.