Forum Discussion
hooleylist
Jul 09, 2009
Hi JC,
You could do this all in an iRule or you could create three address type datagroups (users_A_class, users_B_class & users_C_class) and then reference them in an iRule:
when HTTP_REQUEST {
   # Check the requested URI (it is lowercased, so the patterns below must be lower case too)
   switch -glob [string tolower [HTTP::path]] {
      "/foldera*" {
         # Reset the request if the source IP is not allowed
         if { not ([matchclass [IP::client_addr] equals $::users_A_class]) } {
            reject
         }
      }
      "/folderb*" {
         # Reset the request if the source IP is not allowed
         if { not ([matchclass [IP::client_addr] equals $::users_B_class]) } {
            reject
         }
      }
      "/folderc*" {
         # Reset the request if the source IP is not allowed
         if { not ([matchclass [IP::client_addr] equals $::users_C_class]) } {
            reject
         }
      }
      default {
         # Reset the request for any other path
         reject
      }
   }
}
Be aware that a malicious user could potentially bypass the validation using path manipulations if they were part of any of the allowed clients' datagroups. For example, if a client in user_A made a request for /folderA/../any/other/directory/, it would pass the iRule logic but could potentially be parsed as /any/other/directory/ by the webserver.
See this post for more examples (http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=30900).
Aaron
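To show the caveat above concretely, here is an added Python model of the iRule's decision (not from the post, and not iRule Tcl) that resolves dot segments before the prefix check; the datagroup names, CIDRs and addresses are constructed sample values, and it also decodes percent-encoding before normalising, which the post does not cover.

```python
import ipaddress
from urllib.parse import unquote

# Constructed sample datagroups standing in for users_A_class, users_B_class
# and users_C_class; the addresses are illustrative only.
DATAGROUPS = {
    "/foldera": ["10.1.0.0/16", "192.0.2.10"],
    "/folderb": ["10.2.0.0/16"],
    "/folderc": ["10.3.0.0/16"],
}

def normalize_path(path):
    """Resolve '.' and '..' segments (RFC 3986 remove_dot_segments) so the
    prefix check sees the path the web server will actually resolve."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    norm = "/" + "/".join(out)
    if path.endswith("/") and norm != "/":
        norm += "/"  # keep a trailing slash so directory requests stay intact
    return norm

def in_datagroup(addr, networks):
    """True if addr falls inside any CIDR or host entry of the datagroup."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

def allow_request(client_addr, raw_path, normalize=True):
    """Decide as the iRule does: pick the folder by path prefix, then check the
    client IP against that folder's datagroup; unmatched paths are rejected.
    With normalize=False the raw path is matched, which is the weak check."""
    path = raw_path
    if normalize:
        path = normalize_path(unquote(raw_path))  # decode %2e%2e etc. first
    path = path.lower()  # the iRule lowercases the path before matching
    for prefix, networks in DATAGROUPS.items():
        if path.startswith(prefix):  # same semantics as the "/folderA*" glob
            return in_datagroup(client_addr, networks)
    return False
```

A normalised /folderA/../any/other/directory/ no longer starts with /foldera, so the traversal request is rejected rather than forwarded.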