Allow access to a specific resource based on source IP addresses

Hello, I have a need to create an iRule for a URL with 2 endpoints.

endpoint1 = myCertCN/path1

endpoint2 = myCertCN/path2

I need to :

  • expose endpoint1 to all IPs,
  • expose endpoint2 to 3 IP sets, (10.10.10.10, 11.11.11.56/29, 12.12.12.208/29)

Is below syntax correct?

when HTTP_REQUEST {
    set httpUri [HTTP::uri]
    set clientIp [class match -value [IP::client_addr] equals allowed_ip_addresses]
    if { $httpUri starts_with "/path2" && $clientIp not equals "10.10.10.10" } {
        drop
    } else if { $httpUri starts_with "/path2" && $clientIp not equals "11.11.11.56/29" } {
        drop
    } else if { $httpUri starts_with "/path2" && $clientIp not equals "12.12.12.208/29" } {
        drop
    } else {
        pool
    }
}

In the above example, pool points to the ip:port of myCertCN.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Set up a data group of type IP Addresses, add the allowed IP address subnets to it, name it 'allowed_ip_addresses', and the following iRule should do the job.

when HTTP_REQUEST {
  # Lower-case the URI so the path check is case-insensitive
  set httpUri [string tolower [HTTP::uri]]
  # Strip any route-domain suffix (e.g. 10.10.10.10%2) before the data-group lookup
  set clientIp [getfield [IP::client_addr] "%" 1]

  # Check the URI path and that the client IP is not in the allowed list
  if {($httpUri starts_with "/path2") && !([class match $clientIp allowed_ip_addresses])} {

    # drop or reject to end the connection
    drop

  }
}
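The check in the accepted answer, modelled in Python as an added example (this is not the original post's code and not an F5 implementation): it reproduces the behaviour of `class match` against an IP Addresses data group, the `getfield ... "%" 1` route-domain strip, and the lower-cased `starts_with "/path2"` test, so the three IP sets from the question can be exercised offline against constructed client addresses. The data-group contents and every sample request are constructed. The second function goes beyond the answer and shows the stricter check a practitioner would usually want: `starts_with "/path2"` also covers unrelated paths such as `/path20`, and `[HTTP::uri]` is not normalised by the iRule, so a request for `/path1/../path2` is handed to the pool and whether it reaches /path2 then depends on the backend's path handling.

```python
import ipaddress
import posixpath

# Constructed stand-in for the "allowed_ip_addresses" data group (type IP Addresses),
# populated with the three IP sets from the question. Hypothetical contents.
ALLOWED_IP_ADDRESSES = ["10.10.10.10", "11.11.11.56/29", "12.12.12.208/29"]


def class_match(addr, records):
    """Model of `class match $addr <datagroup>` for an IP Addresses data group:
    true when addr falls inside any host or subnet record."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in records)


def getfield_client_addr(client_addr):
    """Model of [getfield [IP::client_addr] "%" 1]: drop a route-domain suffix
    such as the "%2" in 10.10.10.10%2 so the data-group lookup sees a plain IP."""
    return client_addr.split("%", 1)[0]


def decide(client_addr, uri, records=ALLOWED_IP_ADDRESSES):
    """The accepted answer's logic: drop /path2* requests from clients outside
    the data group, send everything else to the default pool."""
    http_uri = uri.lower()
    client_ip = getfield_client_addr(client_addr)
    if http_uri.startswith("/path2") and not class_match(client_ip, records):
        return "drop"
    return "pool"


def strict_decide(client_addr, uri, records=ALLOWED_IP_ADDRESSES):
    """Stricter variant (added here, not from the answer): compare the path
    component only, collapse dot segments first, and restrict exactly /path2
    and its sub-paths rather than every path that merely begins with "/path2"."""
    path = posixpath.normpath(uri.split("?", 1)[0].lower())
    client_ip = getfield_client_addr(client_addr)
    restricted = path == "/path2" or path.startswith("/path2/")
    if restricted and not class_match(client_ip, records):
        return "drop"
    return "pool"


if __name__ == "__main__":
    # Constructed sample requests: (client address, URI)
    samples = [
        ("10.10.10.10", "/path2/report"),
        ("10.10.10.10%5", "/path2"),        # route domain suffix stripped
        ("11.11.11.63", "/path2"),          # last host of 11.11.11.56/29
        ("11.11.11.64", "/path2"),          # just outside that /29
        ("12.12.12.215", "/PATH2/"),        # case-insensitive path match
        ("1.2.3.4", "/path1"),              # public endpoint
        ("1.2.3.4", "/path20"),             # unrelated path caught by the prefix check
        ("1.2.3.4", "/path1/../path2"),     # dot segments are not normalised by the iRule
    ]
    for addr, uri in samples:
        print(f"{addr:16} {uri:20} answer={decide(addr, uri):5} strict={strict_decide(addr, uri)}")
```

Run it to see side by side which clients the answer's iRule would drop and where the prefix check and the lack of path normalisation differ from the stricter variant; in an iRule the stricter form would start from `[HTTP::path]` rather than `[HTTP::uri]`.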