iRule for IP restriction with multiple virt servers and multiple DGL of allowed IPs.
I have read through a multitude of threads, but my scenario seems a little unique. A little background so it all makes sense. We serve multiple customers with their own site, each site is a virt server and arte using the header to match rather than a single IP per. Each customer has a unique data group list of allowed IP's. We did not want a single list of allowed IP's in case a customer was emailed an incorrect URL by mistake, or just started browsing other dns records for the domain etc. We are changing our monitoring company and I would like to have a second data group list of IP's that are allowed so that any time there is a change for a source IP of monitoring, one of our offices etc, we don't have to touch 100 lists. The current iRule we are using is: when HTTP_REQUEST priority 100 { # This iRule will check if the client request is SITE.DOMAIN.COM and the client source IP is NOT a member of the datagroup specified which is a list of allowed IPs # If the client ip address is matched to the list of allowed IPs then it will bring up the web page, if it isnt, then it will bring up the COMPANY IP Forbidden Page. if { ( [string tolower [HTTP::host]] equals "1000-t01.DOMAIN.COM" ) and not ( [class match [IP::client_addr] equals COMPANY-1000-CUSTOMER-DG-Allow ] ) } { # log local0."Invalid CUSTOMER client IP: [IP::client_addr] - Blocking traffic" HTTP::respond 200 content [ifile get COMPANY_ip_forbidden] after 50 drop event disable } } How do I add the second data group, and allow if the source IP is in either of the two data groups?
Whitelist Blacklist iRule using data group for multiple clients
We are testing single VIP configuration in our test lab, where single public IP will be assigned to multiple clients, using an iRule with a data group. iRule looks like this --- when HTTP_REQUEST { set pool [class match -value -- [HTTP::host] equals test_url] if {$pool ne ""} { pool $pool } } test_url is data group which has strings mapped to appropriate pools of each client. For example, string client1.com mapped to pool client1.net. string client2.com mapped to pool client2.net Now the issue is we want to include whitelist/blacklist for these clients in the same iRule if possible or even a separate iRule would be OK. Could someone suggest the syntax for whitelising/blacklisting based on client string and remote IP pair in data group? For example, if string has client1 and matches dg_whitelist_1, allow. if string has client2 and matches dg_whitelist_2, allow. if string has client3 and matches dg_blacklist_1, deny. There are also clients with no whitelist/blacklist, so it should work just fine for them within same iRule.
Whitelist via FTP
Question, I have created whitelist in the past, but have been recently been asked to create a whitelist for FTP clients. THe premise of the rule is, if you come this IP address, get directed to this pool. Else, go to this IP address. Would I have to invoke a client_Accept instead of a HTTP_REQUEST? when HTTP_REQUEST { if {not ([class match [IP::remote_addr] equals Whitelist_Sorry]) } { pool some_FTP_Pool } else { pool some_other_FTP_Pool log local0. "Condition not matched. Go here.." } } class Whitelist_Sorry { { host 10.10.5.139 network 172.16.0.0/16 } }logging only when statment is true.
Hi, I am using the following irule that works perfectly but I would like to insert a log local statement that only logs if an attempt is made that does not meet the IP list (a log on the blocking essentially). Can someone please help me with the syntax to do so? when HTTP_REQUEST { if { [string tolower [HTTP::path]] contains “/blah” } { if { ! [class match [IP::client_addr] equals allowed_IPs]} { discard } } }Single iRule for multiple customers to whitelist blacklist via data group
We have been using separate whitelist/blacklist for each customer so far, since we used separate VIP for each customer. But we are now planning to move to single VIP configuration to handle traffic for all customers for which we have the iRule in our test lab which works fine for our requirement. However we would also like to have one common iRule for whitelist/blacklist that can be handle traffic via data group, to avoid editing iRule for every new customer addition. Please suggest syntax for the same. when HTTP_REQUEST { if { ([matchclass [string tolower [HTTP::host][HTTP::uri]] contains "Customer1_Blacklist_URLs"]) and ([matchclass [IP::remote_addr] equals "Customer1_Blacklist_IPs"]) } { HTTP::respond 403 } } when HTTP_REQUEST { if{ ([matchclass [string tolower [HTTP::host][HTTP::uri]] contains "Customer2_Blacklist_URLs"]) and ([matchclass [IP::remote_addr] equals "Customer2_Blacklist_IPs"]) } { HTTP::respond 403 } }iRule for Whitelist basepath
He guys, I am new on F5 BIG-IP. I want to allow the url: https://test.biranetworxx.com/* and restrict the basepath https://test.biranetworxx.com/provider/test* for only one IP. https://test.biranetworxx.com/* must be avail for all https://test.biranetworxx.com//provider/test* must be avail only for a single IP 185.XX.XX.120 Could you please advice. I tried to do that with ltm policy but the restriction is not applied. And I can 't see the problem. Thanking you for your time and response regards
