
iRule assistance

I have an iRule in my environment that was not written by me. This iRule is supposed to block anyone from an external IP from reaching the "heartbeat" page of our web servers. It is written as such:

when HTTP_REQUEST { 
   if { [string tolower [HTTP::path]] contains "/heartbeat" } { 
      if { !([matchclass [IP::client_addr] equals private_net])} { 
         discard 
      }
   }
}

My question is twofold.

1) Is the exclamation point (!) in the second "if" statement excluding the "private_net" parameter? The iRule's name is irule_block_heartbeat_from_external_IPs but the private_net data group is made up of internal IPs (10.0.0.0, 172.16.0.0, 192.168.0.0 etc).

2) I would like to add "/health" to this iRule as well, in addition to the "/heartbeat". How would I do that?

Thanks.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

! is shorthand for "not", so yes, any IP not in your datagroup will be blocked.

For the extra page I'd consider using starts_with as it's more efficient than contains, and since you're doing a string tolower maybe set the lowercase path as a variable.

Something like this should do it:

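when HTTP_REQUEST {
    # Lowercase the path once and reuse it for both comparisons
    set lcpath [string tolower [HTTP::path]]

    if { ($lcpath starts_with "/heartbeat") or ($lcpath starts_with "/health") } {
        # Discard the request when the client address is not in the private_net data group
        if { !([matchclass [IP::client_addr] equals private_net]) } {
            discard
        }
    }
}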
Comments on this Answer
Comment made 22-Feb-2018 by ccraddock 68

Dan,

Thanks so much for the reply and suggestion! I will see about implementing this solution! Thanks again!

Comment made 22-Feb-2018 by Dan Bowman 227

No problem, I hope it works as required for you!

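An offline model of both rule versions from this thread, added here as an example and not written by either poster, for checking which requests each version discards before the iRule is changed. It assumes private_net holds 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (the thread gives only the network addresses, so the prefix lengths are assumptions), and the sample requests are constructed. It also shows that moving from contains to starts_with narrows the match, so a nested path such as /app/heartbeat is covered by the original rule but not by the revised one.

```python
import ipaddress

# Assumed contents of the private_net data group (RFC 1918 ranges); the
# thread gives only the network addresses, so the prefix lengths are assumptions.
PRIVATE_NET = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_private_net(client_addr):
    """Model of [matchclass [IP::client_addr] equals private_net]."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in PRIVATE_NET)


def original_rule(path, client_addr):
    """Question's rule: path contains "/heartbeat". True means discarded."""
    return "/heartbeat" in path.lower() and not in_private_net(client_addr)


def revised_rule(path, client_addr):
    """Answer's rule: path starts_with "/heartbeat" or "/health"."""
    lcpath = path.lower()
    protected = lcpath.startswith("/heartbeat") or lcpath.startswith("/health")
    return protected and not in_private_net(client_addr)


def compare(requests):
    """Return (path, client, original, revised) rows for a list of requests."""
    return [(p, c, original_rule(p, c), revised_rule(p, c)) for p, c in requests]


# Constructed sample requests: (path, client address)
SAMPLES = [
    ("/heartbeat", "203.0.113.10"),      # external client, protected page
    ("/HeartBeat", "10.1.2.3"),          # internal client, allowed
    ("/health", "203.0.113.10"),         # only the revised rule covers /health
    ("/healthcheck", "203.0.113.10"),    # starts_with also matches longer names
    ("/app/heartbeat", "203.0.113.10"),  # contains matches, starts_with does not
    ("/index.html", "203.0.113.10"),     # unrelated page, never discarded
    ("/health", "172.31.255.1"),         # inside 172.16.0.0/12, allowed
]

if __name__ == "__main__":
    print(f"{'path':<16}{'client':<15}{'original':<10}revised")
    for path, client, old, new in compare(SAMPLES):
        print(f"{path:<16}{client:<15}{str(old):<10}{new}")
```

If nested paths need to stay covered after the change, the data to compare is the last two columns: any row that is True under the original rule and False under the revised one is a request the new rule lets through.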