
irule to allow specific url and drop everything else base on src ip

Hello,

I need help adding a condition to a working iRule.

I have an iRule that denies access to any URI that contains "admin", "login" or "mydb" from all IP addresses except my IP.

This is the iRule (it works):

    when HTTP_REQUEST {
        # check the Class to determine if it's not allowed
        # deny access to site /admin and /login from external ip address
        # Allow only my ip address to connect site /admin and /login
        if { [HTTP::uri] contains "admin" || [HTTP::uri] contains "login" || [HTTP::uri] contains "mydb" } {
            if { not [class match [IP::client_addr] equals my_ip_Address] } {
                log local0. "dropped connection my ip address [IP::client_addr]"
                reject
            }
        }
    }

Now I need to add to this iRule: allow everyone to reach the URL site.domain.com with a URI that contains /xxx/yyy/zzz, and after that apply the rule above.

Thanks


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello,

Try this:

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "admin" || [HTTP::uri] contains "login" || [HTTP::uri] contains "mydb" } {
            if { not [class match [IP::client_addr] equals my_ip_Address] } {
                log local0. "dropped connection my ip address [IP::client_addr]"
                reject
            }
        }

        if { !(([string tolower [HTTP::host]] eq "site.domain.com") and ([HTTP::path] starts_with "/xxx/yyy/zzz")) } {
            log local0. "rejected request [HTTP::uri] for client [IP::client_addr]"
            reject
        }
    }
Comments on this Answer
Comment made 18-May-2017 by Rafish 143

Hi, thank you for your reply.

I actually need to allow this:

    if { !(([string tolower [HTTP::host]] eq "site.domain.com") and ([HTTP::path] starts_with "/xxx/yyy/zzz")) } {
        log local0. "rejected request [HTTP::uri] for client [IP::client_addr]"
        reject
    }

Should this configuration be above the following?

    if { [HTTP::uri] contains "admin" || [HTTP::uri] contains "login" || [HTTP::uri] contains "mydb" } {
        if { not [class match [IP::client_addr] equals my_ip_Address] } {
            log local0. "dropped connection my ip address [IP::client_addr]"
            reject
        }
    }

My goal is to allow all access to a specific URL and after that to check my original iRule:

    if { [HTTP::uri] contains "admin" || [HTTP::uri] contains "login" || [HTTP::uri] contains "mydb" } {
        if { not [class match [IP::client_addr] equals my_ip_Address] } {
            log local0. "dropped connection my ip address [IP::client_addr]"
            reject
        }
    }

Comment made 18-May-2017 by Jad Tabbara (JTI) 2361

Hello Rafish,

The iRule that I posted earlier will reject all requests not matching your condition:

    ([string tolower [HTTP::host]] eq "site.domain.com") and ([HTTP::path] starts_with "/xxx/yyy/zzz")

To clarify, the "!" at the beginning acts as the "not".

So only requests coming in for "site.domain.com/xxx/yyy/zzz" will be allowed to pass through this iRule.

Comment made 18-May-2017 by Rafish 143

Hi,

Can you help me edit this?

    when HTTP_REQUEST {
        # check the Class to determine if it's not allowed
        # deny access to wordpress /admin and /login from external ip address
        # Allow only my ip address to connect site /admin and /login
        if { !([string tolower [HTTP::host]] eq "site.net.domain.com") } {
            log local0. "allow request [HTTP::uri] for client [IP::client_addr]"
        } elseif { [HTTP::uri] contains "admin" || [HTTP::uri] contains "login" || [HTTP::uri] contains "mydb" } {
            # Allow above request
            if { not [class match [IP::client_addr] equals my_ip_Address] } {
                log local0. "dropped connection my ip address [IP::client_addr]"
                reject
            }
        }
    }

The goal is to allow all IPs to reach site.net.domain.com, and to reject all IPs from reaching admin, login and mydb except my IP address.

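The policy the thread converges on has two parts: an exemption (any client may reach the public path on the public host) and a restriction (only listed clients may reach admin, login or mydb). The order in which those parts run matters, because a `reject` ends the request before any later statement is evaluated. The iRule below is an added example written for this page; it is not from the thread, from the accepted answer, or from F5. The host, path and the data-group name `my_ip_Address` are taken from the thread; lowercasing the host and lowercasing/percent-decoding the path before comparing are assumptions added here so the string checks see one canonical form.

```tcl
when HTTP_REQUEST {
    # Normalise once. Hostnames are case-insensitive; the path is lowercased and
    # percent-decoded so the substring checks below compare one canonical form.
    # (Assumption added for this example, not something the thread does.)
    set host [string tolower [HTTP::host]]
    set path [string tolower [URI::decode [HTTP::path]]]

    # 1. Exemption first: everything under the public path on the public host is
    #    allowed for any client. "return" ends this event, so the restriction
    #    below is never evaluated for these requests.
    if { ($host eq "site.domain.com") && ($path starts_with "/xxx/yyy/zzz") } {
        return
    }

    # 2. Restriction: only clients listed in the my_ip_Address data group may
    #    reach a path that mentions admin, login or mydb. "contains" is a
    #    substring test, so it also covers paths such as /wp-admin/.
    if { ($path contains "admin") || ($path contains "login") || ($path contains "mydb") } {
        if { ![class match [IP::client_addr] equals my_ip_Address] } {
            log local0. "rejected [IP::client_addr] -> $host[HTTP::uri]"
            reject
            return
        }
    }
}
```

Putting the exemption before the restriction is what makes the combination behave as described: with the restriction first, a request such as site.domain.com/xxx/yyy/zzz/login from an unlisted client would be rejected before the exemption is reached. The `return` after `reject` is defensive; it guarantees nothing further in this event runs on a connection that has already been torn down.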
Comment made 20-May-2017 by Rafish 143

Hi JT,

Your answer was very helpful.

I deleted the "!" (not) from the iRule and by doing that I can allow only my IP to get to URIs containing admin and login,

except "site.domain.com".

Attached is the iRule after I changed it:

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "admin" || [HTTP::uri] contains "login" || [HTTP::uri] contains "mydb" } {
            if { not [class match [IP::client_addr] equals my_ip_Address] } {
                log local0. "dropped connection my ip address [IP::client_addr]"
                reject
            }
        }

        if { [string tolower [HTTP::host]] contains "site.domain.com" } {
            log local0. "rejected request [HTTP::uri] for client [IP::client_addr]"
        }
    }

I have to check it again, but it seems to be exactly what I was looking for.

Thanks.

Comment made 22-May-2017 by Jad Tabbara (JTI) 2361

Hello Rafish,

Thanks for the feedback.

Hope that you find the trick.

Regards

Comment made 22-May-2017 by Rafish 143

Hi JT,

Yes, I made some adjustments and it looks good for now; we are still checking.

Thanks again :)

Regards, Rafi
