cancel
Showing results for 
Search instead for 
Did you mean: 

Redirect when the client address is not equal to the networks in datagroup

Santhosh
Nimbostratus
Nimbostratus

Trying to redirect to the site when the client address is not equal to the datagroup but it's not working. Any help appreciated.

when HTTP_REQUEST {

if { not [matchclass [IP::client_addr] equals XYZ_group } {

  HTTP::respond 301 Location "http://rextrum.com/xyz"

}

12 REPLIES 12

Hello Santhosh.

 

Try this code instead:

if { not [class match [IP::client_addr] contains XYZ_group] } { HTTP::respond 301 Location "http://rextrum.com/xyz" }

KR,

Dario.

Regards,
Dario.

for some reason it's not liking the contains with in that. So I used equals but it's failing on redirection where it's throwing a error page.

Sure, equals is OK.

when HTTP_REQUEST { if { not [class match [IP::client_addr] equals XYZ_group] } { HTTP::respond 301 Location "http://example.com/xyz" } }

Test it from my lab and it's working fine.

 

I think your issue is in your data-group. Could you share the next command output (from TMSH)?

list ltm data-group internal XYZ_group

KR,

Dario.

Regards,
Dario.

ltm data-group internal XYZ_group {

  records {

    10.0.0.0/8 { }

  }

  type ip

}

Dario,

one more thing I forgot to mention is the Virtual server is a HTTPS on and the redirection site is HTTP. Does that causes any issue?

Hello Santhosh.

 

Not necessary. The best way to see if the iRule is working is to check using CLI instead of browser. Try this command and show us the output (remember to use a client with an IP not included in the data-group):

curl -skv https://<your_vs_ip>:port

KR,

Dario.

Regards,
Dario.

I have changed the hostname in the result

* Rebuilt URL to: https://example.org/

*  Trying 192.187.145.2...

* Connected to example.org (192.187.145.2) port 443 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

*  CAfile: /etc/pki/tls/certs/ca-bundle.crt

 CApath: none

* TLSv1.2 (OUT), TLS header, Certificate Status (22):

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Client hello (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* ALPN, server did not agree to a protocol

* Server certificate:

*    subject: C=US; ST=ca; L=sacramento; O=Company; OU=NMS; CN=example.org

*    start date: Jul 2 00:00:00 2018 GMT

*    expire date: Jul 5 12:00:00 2020 GMT

*    issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Thawte RSA CA 2018

*    SSL certificate verify ok.

> GET / HTTP/1.1

> Host: example.org

> User-Agent: curl/7.47.1

> Accept: */*

* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

* Closing connection 0

The issue is not in the iRule/Data-group. It's in other part of your configuration.

 

1) Could you confirm that your VS can operate regularly in case of matching the data-group (the other scenario)?

 

2) Could you share your VS/client-ssl configuration?

tmsh list ltm virtual <VS_name> tmsh list ltm profile client-ssl <Client-ssl_name>

KR,

Dario.

Regards,
Dario.

Shaun_Simmons
F5 Employee
F5 Employee

Try this

-Modify "original_pool" to the default Pool name for the VIP

when HTTP_REQUEST { set host [string tolower [HTTP::host]] if {![ class match $host equals XYZ_group ] } { HTTP::respond 301 Location "http://rextrum.com/xyz" } else { pool original_pool } }

 

ragunath154
Cirrus
Cirrus

enable the log and make sure the condition is sucessfull or not

 

when HTTP_REQUEST {

if { not[class match [IP::client_addr] equals XYZ_group } {

log local0. "SUCCESS REDIRECTING THE USER [IP::client_addr] TO NEW DOMAIN "

 HTTP::respond 301 Location "http://rextrum.com/xyz"

}

}

 

in console type tail -f /var/log/ltm to check the log in realtime.

also use developer tool in browser to check the response .

Hi Ragunath,

 

I can see that in the logs but it's still breaking and when I verified in the developer tools. I don't see any kind of 301 in that.

can you post those logs here

 

also try

 

HTTP::redirect

 

 

when HTTP_REQUEST {

if { not[class match [IP::client_addr] equals XYZ_group } {

log local0. "SUCCESS REDIRECTING THE USER [IP::client_addr] TO NEW DOMAIN "

 HTTP::redirect "http://rextrum.com/xyz"

}

}