Forum Discussion
Andy_Herrman_22
Jul 01, 2008 Nimbostratus
Here's pseudocode for the iRule:
if ( (path is a secure path) AND (ip address is not trusted) ) {
discard
} else {
forward
}
If the path is not one of the secure paths then the first check will be false, causing the else clause to be executed.
If the IP address is a trusted address then the second part of the IF check will be false, causing the else clause to be executed.
So, anyone who is trusted should always be allowed in. If they aren't trusted but don't try to go to a secure path they should be allowed in.
Here's another way to write the rule that might be a little clearer, though the logic is exactly the same as the previous one.
when HTTP_REQUEST {
    if { [matchclass [string tolower [HTTP::uri]] starts_with $::securePaths] } {
        if { [matchclass [IP::client_addr] equals $::trustedAddresses] } {
            # Secure path and trusted IP
            log local0. "Allowing connection from [IP::client_addr] to secure path [HTTP::uri]"
            forward
        } else {
            # Secure path but not a trusted IP
            log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])"
            discard
        }
    } else {
        # Not a secure path
        log local0. "Allowing connection from [IP::client_addr] to [HTTP::uri]"
        forward
    }
}
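The decision table from the post, modelled in Python as an added example (not Andy's iRule and not F5 code) so the prefix-match and trust checks can be exercised against sample requests offline. The data-group contents are constructed, and treating trusted entries as CIDR blocks is an assumption of this model; the iRule above uses an exact `equals` match on the client address.

```python
import ipaddress
from typing import Iterable

# Constructed stand-ins for the $::securePaths and $::trustedAddresses
# data groups. Trailing slashes on the path prefixes are deliberate (see below).
SECURE_PATHS = ("/admin/", "/internal/")
TRUSTED = ("10.0.0.0/8", "192.0.2.10")  # assumption: CIDR or single hosts


def is_secure_path(uri: str, secure_paths: Iterable[str] = SECURE_PATHS) -> bool:
    """Mirror of `matchclass [string tolower [HTTP::uri]] starts_with ...`:
    a case-insensitive prefix match on the raw request URI."""
    lowered = uri.lower()
    return any(lowered.startswith(prefix.lower()) for prefix in secure_paths)


def is_trusted(client_ip: str, trusted: Iterable[str] = TRUSTED) -> bool:
    """Client address membership in the trusted list (modelled as networks)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in trusted)


def decide(uri: str, client_ip: str) -> str:
    """Same truth table as the iRule: discard only when the path is secure AND
    the client is untrusted; every other combination is forwarded."""
    if is_secure_path(uri) and not is_trusted(client_ip):
        return "discard"
    return "forward"


def prefix_caveats() -> dict:
    """starts_with is a plain prefix test, so the data-group entries decide
    what is covered: '/admin' also matches '/administrivia', while '/admin/'
    does not match the bare '/admin'. Returned for inspection in tests."""
    return {
        "bare_prefix_overmatches": is_secure_path("/administrivia", ("/admin",)),
        "slash_prefix_misses_bare": is_secure_path("/admin", ("/admin/",)),
    }


if __name__ == "__main__":
    for uri, ip in [("/Admin/users", "203.0.113.5"),
                    ("/admin/users", "10.1.2.3"),
                    ("/public/index.html", "203.0.113.5")]:
        print(uri, ip, "->", decide(uri, ip))
    print(prefix_caveats())
```

Review the data-group entries with `prefix_caveats()` in mind: a prefix without a trailing slash protects more than the intended directory, and one with it leaves the bare directory path unprotected unless listed separately.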