Nimbostratus
Nimbostratus
when HTTP_REQUEST {
switch -glob [HTTP::uri] {
"/healthcheck" {
if { not (([IP::client_addr] equals 10.0.0.0/8) || ([IP::client_addr] equals 172.16.0.0/12) || ([IP::client_addr] equals 192.168.0.0/24)) } {
HTTP::respond 403 content {Blocked!}
}
}
}
}
BigIP is protesting with this though:
01070151:3: Rule [block_public_healthcheck] error: line 4: [parse error: PARSE syntax 128 {syntax error in expression " not (([IP::client_addr] equals 10.0.0.0/8) || ([IP::client_...": looking for close parenthesis}] [{ not (([IP::client_addr] equals 10.0.0.0/8) || ([IP::client_addr] equals 172.16.0.0/12) || ([IP::client_addr] equals 192.168.0.0/24)) }]
and I can't tell if it's because I'm actually using incorrect language, as I'm not seeing a missed close paren. Thanks!
Employee
if { not ( ( [IP:: addr [IP::client_addr] equals 10.0.0.0/8] ) or ( [IP::addr [IP::client_addr] equals 172.16.0.0/12] ) or [IP::addr [IP::client_addr] equals 192.168.0.0/24] ) ) } {
CirrostratusNimbostratusHi Kevin- Thanks a bunch, this at least got me to save, and testing now. I'll follow up with f5 to see if we can jettison the understanding that our team got before about the data groups. Thanks again!
NimbostratusHi Christopher- thanks a lot for this information, too. I'm following up here and with f5 to see where this idea came from, and if we can ignore it. Regards, Lorenz
Colin
NimbostratusHi,
I resolved this problem, then use
when HTTP_REQUEST { switch -glob [IP::client_addr] { "200.34.20.0/20" { set status "OK" } "172.16.0.0/16" { set status "OK" } "10.0.0.0/8" { set status "OK" } } if { $status != "OK" } { if { [HTTP::uri] matches "/admin/" or [HTTP::uri] matches "/administrator/" or [HTTP::uri] matches "/administracao/*" } { HTTP::redirect http://[HTTP::host] } } }
CirrostratusDear All,
I have tried below iRule with the intension to access specific URI (testapi.apsx) from specific IP which is part of testapiAllowList datagroup , however when I am trying to access URI (testapi.aspx), it is still accessible from the IP which is not part of testapiAllowList datagroup
======================= when HTTP_REQUEST { if { [string tolower [HTTP::path]] contains "/testapi.aspx" } { if { !([matchclass [IP::client_addr] equals testapiAllowList])} { discard }
==========
As per my understanding, if I am not part of testapiAllowList datagroup, I should not able to access URI "/tetsapi.aspx"
Kindly correct me if I am wrong
EmployeeThe logic here seems sound. What does your data group look like?
Maybe add some logging to see what's going on.
when HTTP_REQUEST {
if { [string tolower [HTTP::path]] contains "/testapi.aspx" } {
if { !([matchclass [IP::client_addr] equals testapiAllowList]) } {
log local0. "discarding"
discard
} else {
log local0. "allowing"
}
} else {
log local0. "something else"
}
}
Dear All,
I have tried below iRule with the intension to access specific URI (testapi.apsx) from specific IP which is part of testapiAllowList datagroup , however when I am trying to access URI (testapi.aspx), it is still accessible from the IP which is not part of testapiAllowList datagroup
======================= when HTTP_REQUEST { if { [string tolower [HTTP::path]] contains "/testapi.aspx" } { if { !([matchclass [IP::client_addr] equals testapiAllowList])} { discard }
==========
As per my understanding, if I am not part of testapiAllowList datagroup, I should not able to access URI "/tetsapi.aspx"
Kindly correct me if I am wrong
EmployeeThe logic here seems sound. What does your data group look like?
Maybe add some logging to see what's going on.
when HTTP_REQUEST {
if { [string tolower [HTTP::path]] contains "/testapi.aspx" } {
if { !([matchclass [IP::client_addr] equals testapiAllowList]) } {
log local0. "discarding"
discard
} else {
log local0. "allowing"
}
} else {
log local0. "something else"
}
}