Restrict access by uri and ip

FlorianM_29948
Nimbostratus

Hi everyone, I'm new to the F5 community and I'm having trouble with an iRule.

I need to be able to restrict access to many URIs based on multiple IP addresses, which may vary between each URI. I would like to have the clearest and shortest iRule possible in order to be able to modify it later with ease. (I'm on V10.2.4)

I came up with this iRule and it works, but I would like to replace the if-elseif statements with a switch for more clarity:

    when HTTP_REQUEST {
        switch -glob [HTTP::uri] {
            "/error*" {
                if { [class match [IP::client_addr] equals ipgrouptest] } {
                    # if the client IP matches the ipgrouptest class we do nothing
                } elseif { [class match [IP::client_addr] equals ipgrouptest2] } {
                    # if the client IP matches the ipgrouptest2 class we do nothing
                } else {
                    HTTP::respond 403
                }
            }
            "/example*" {
                if { [class match [IP::client_addr] equals ipgrouptest] } {
                    # if the client IP matches the ipgrouptest class we do nothing
                } elseif { [class match [IP::client_addr] equals ipgrouptest3] } {
                    # if the client IP matches the ipgrouptest3 class we do nothing
                } else {
                    HTTP::respond 403
                }
            }
        }
    }

Despite trying a lot of stuff I can't make it work like I want it to. If someone has an idea or a solution for my problem it would be really nice!

Thanks in advance and sorry if I'm not clear enough, English is not my mother tongue.

3 REPLIES

What_Lies_Bene1
Cirrostratus
This reduces it somewhat;

    when HTTP_REQUEST {
        switch -glob [HTTP::uri] {
            "/error*" {
                if { (([class match [IP::client_addr] equals ipgrouptest]) or ([class match [IP::client_addr] equals ipgrouptest2])) } {
                    # If the client IP matches the ipgrouptest/2 class we do nothing
                } else {
                    HTTP::respond 403
                }
            }
            "/example*" {
                if { (([class match [IP::client_addr] equals ipgrouptest]) or ([class match [IP::client_addr] equals ipgrouptest3])) } {
                    # If the client IP matches the ipgrouptest/3 class we do nothing
                } else {
                    HTTP::respond 403
                }
            }
        }
    }

nitass
F5 Employee
> I came up with that iRule and it works but I would like to replace the if-elseif statements with a switch for more clarity :

I do not think you can perform class match in switch string. Anyway, if there is no performance issue, your code looks okay to me.

FlorianM_29948
Nimbostratus
Posted By nitass on 11/27/2012 03:39 AM

> > I came up with that iRule and it works but I would like to replace the if-elseif statements with a switch for more clarity :
>
> I do not think you can perform class match in switch string. Anyway, if there is no performance issue, your code looks okay to me.

That's the conclusion I reached also, class match in switch string doesn't seem to be a good idea.

I don't think I'll have performance issues since my server has a lot of resources always available so...

Anyway thanks for the answers, I think I'm going to replace the "elseif" with "or", that will make me gain some lines.
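
One way to keep the URI-to-data-group mapping in a single table that is easy to edit later, as an added example that is not from any poster in this thread. The variable name `static::uri_acl` is an assumption, the data group names are the ones used above, and the rule assumes `class match` accepts a data group name passed through a variable the same way it accepts a literal name.

```tcl
when RULE_INIT {
    # Assumed table: URI glob pattern -> data groups whose members may access it.
    # Adding a protected URI or changing its allowed groups is a one-line edit here.
    set static::uri_acl {
        "/error*"   {ipgrouptest ipgrouptest2}
        "/example*" {ipgrouptest ipgrouptest3}
    }
}

when HTTP_REQUEST {
    foreach {pattern groups} $static::uri_acl {
        # Same glob semantics as "switch -glob": the first matching pattern wins.
        if { [string match $pattern [HTTP::uri]] } {
            set allowed 0
            foreach dg $groups {
                if { [class match [IP::client_addr] equals $dg] } {
                    set allowed 1
                    break
                }
            }
            if { !$allowed } {
                # Client is in none of the groups listed for this URI.
                HTTP::respond 403
            }
            # Stop after the first matching pattern, allowed or not.
            return
        }
    }
    # URIs that match no pattern are not restricted, as in the original rule.
}
```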