iRule to drop based on URL and source IP

I have never had to write an iRule until now. Does someone have a template I could use to create an iRule that would only allow a specific source IP/subnet to access a specific URL, else be dropped? Thank you!

Replies to this Discussion

Hello,

You can start with the following:

# Needs an HTTP profile on the virtual server; HTTP_REQUEST does not fire without one.
when HTTP_REQUEST {
    # Allow only when BOTH hold: exact URI match and exact client address.
    # Any other URI or any other client gets a TCP reset. Note that [HTTP::uri]
    # includes the query string, so "/path/to/app?x=1" is not an exact match either.
    if { !([HTTP::uri] equals "/path/to/app" and [IP::client_addr] equals "10.0.0.8") } {
        reject
    }
}

Comments on this Reply
Comment made 11-May-2016 by F5userERAU 1
Yann, thank you very much for the quick reply! I'm under time pressure and just downloaded the Ivenson book to work through it, so this is very much appreciated. I'll give it a try shortly.

Comment made 11-May-2016 by F5userERAU 1
Yann, we are not getting the expected behavior. Your logic made sense to us. So as a reality check we simply wanted to try to block my IP with the following (actual IP used for the x's) and it failed to block:

when HTTP_REQUEST { if { ([IP::client_addr] equals "x.x.x.x" ) } { reject } }

This got me wondering if any special action is required to update a change or if an HTTP profile is also needed. We are running automap NAT and wondered if perhaps the client IP needs special handling. We're running 11.5.2. Thank you.

Comment made 11-May-2016 by Yann Desmarest 4499
Yes, you need to add an HTTP profile to your VS, otherwise HTTP_REQUEST will fail. If you want to test without an HTTP profile, you can try the following; I will add it in a new post because of formatting issues.

Comment made 11-May-2016 by Stanislas Piron 10640
Of course, an HTTP profile is required to raise the HTTP_REQUEST event. If you need to reject the TCP connection, you can use the following iRule:

when CLIENT_ACCEPTED { if { ([IP::client_addr] equals "x.x.x.x" ) } { reject } }

Comment made 11-May-2016 by F5userERAU 1
Thank you for your patience. Hmmm... We did have an HTTP profile applied during the test, with the default http parent and only XForward enabled. Do I need to enable anything else on the HTTP profile for the original iRule to work?

Comment made 11-May-2016 by Yann Desmarest 4499
No, the default HTTP profile should work. Are you going to your VS through a proxy? Maybe you can add some logs:

when HTTP_REQUEST { log local0. "[virtual] - client ip : [IP::client_addr] - uri : [HTTP::uri]" }

Comment made 11-May-2016 by F5userERAU 1
No proxy. We are doing SSL offloading (decrypt). Sorry for not mentioning that, if it makes a difference.

Comment made 11-May-2016 by Yann Desmarest 4499
If you set a clientssl profile, it's OK :)

Comment made 12-May-2016 by F5userERAU 1
Yann, F5 support is looking into this. Seems to be a bug. ACL executes but does not drop. To be continued. Thanks again for your help. I'll update once we get to the bottom of it.

Comment made 12-May-2016 by F5userERAU 1
Sorry, correction: ACL = iRule.

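The reply and comments above cover the single-address case and the debugging log line. The following iRule is an added example, not code from the thread or from F5, that does what the question actually asked for: one subnet (rather than one address) may reach one path, everything else is rejected, and every decision is logged so that a rule that "executes but does not drop" can be diagnosed from /var/log/ltm. The path /path/to/app and the subnet 10.0.0.0/24 are assumed values. It needs an HTTP profile on the virtual server. SNAT automap only rewrites the source address on the server-side connection, so [IP::client_addr] in a client-side event such as HTTP_REQUEST still sees the real client; if a proxy sits in front of the BIG-IP, however, that value is the proxy's address and the rule would have to consult the X-Forwarded-For header, which should only be trusted from known proxies.

```tcl
# Added example, not from the thread. Assumed values: path /path/to/app, subnet 10.0.0.0/24.
# Requires an HTTP profile on the virtual server, otherwise HTTP_REQUEST never fires.
when HTTP_REQUEST {
    # HTTP::path excludes the query string, so "/path/to/app?x=1" is still recognised
    # as the protected path ([HTTP::uri] would include "?x=1" and fail an exact match).
    set path   [HTTP::path]
    set client [IP::client_addr]

    # IP::addr compares as a network. A plain "equals" on the address string would
    # only ever match one exact address and could never express a subnet.
    set in_subnet [IP::addr $client equals 10.0.0.0/24]

    if { $path equals "/path/to/app" } {
        if { $in_subnet } {
            log local0. "[virtual] allow client=$client path=$path"
            # Nothing else to do: the request continues to the virtual server's default pool.
        } else {
            log local0. "[virtual] reject client=$client path=$path reason=not-in-10.0.0.0/24"
            reject
        }
    } else {
        # As in the first reply, every other path is rejected for every client.
        # Replace "reject" with "drop" to discard silently instead of sending a TCP RST.
        log local0. "[virtual] reject client=$client path=$path reason=path-not-allowed"
        reject
    }
}
```

To verify it from the client side, request the protected path from an address inside and one outside 10.0.0.0/24 and compare the two log lines in /var/log/ltm; if no line appears at all, the HTTP profile is missing and the event is not firing.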
You can also choose to use data groups like this:

when HTTP_REQUEST {
    # Allow only when the URI matches exactly AND the client address is listed in
    # the data group; everything else gets a TCP reset. Despite its name, ip_blocklist
    # is used here as an allow list. With a data group of type address (rather than
    # string), "equals" also matches CIDR entries such as 10.0.0.0/24.
    if { !([HTTP::uri] equals "/path/to/app" and [class match [IP::remote_addr] equals ip_blocklist]) } {
        reject
    }
}

Of course, you will need to create a data group of type string named ip_blocklist beforehand.

And finally, if you have more than one URL to check, you can use the switch operator instead of if:

when HTTP_REQUEST {
   # -glob enables wildcard patterns; a body of "-" makes a pattern fall through
   # to the next body, so "/uri1/*" and "*/uri2/" share the reject action.
   switch -glob [HTTP::uri] {
      "/uri1/*" -
      "*/uri2/" { reject }
      "/uri3/" { drop }
      default {
         # Anything else is served by mypool.
         pool mypool
      }
   }
}

In this scenario, every URI that matches "/uri1/" or "/uri2/" will be rejected.

reject forces the BIG-IP to send a TCP reset to the client.

drop tells the BIG-IP to silently drop the connection.

# Variant for a virtual server without an HTTP profile: CLIENT_ACCEPTED fires when the
# TCP connection is accepted, before any HTTP parsing, so this rejects the client for
# every request regardless of URI.
when CLIENT_ACCEPTED {
    if { ([IP::client_addr] equals "10.0.0.8" ) } {
        reject
    }
}

If I wanted to do the reverse of this, say I wanted to reject everything except /uri1 and /uri2, what would be the action I place in the brackets?

0
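The reverse case asked about in the last post, as an added example rather than a reply from the thread: reject every request except those for /uri1 and /uri2. It uses the same switch -glob construction as the earlier reply; the paths /uri1 and /uri2 are the hypothetical ones from the question, and mypool is the pool name used in that reply.

```tcl
# Added example, not from the thread. Paths /uri1 and /uri2 and pool mypool are assumed.
when HTTP_REQUEST {
    # Refuse dot segments outright so a prefix pattern cannot be widened to
    # "/uri1/../admin" on a back end that resolves them.
    if { [HTTP::path] contains ".." } {
        reject
        return
    }

    # Match on HTTP::path (no query string), lower-cased so "/URI1" cannot bypass
    # the case-sensitive glob patterns.
    switch -glob [string tolower [HTTP::path]] {
        "/uri1" -
        "/uri1/*" -
        "/uri2" -
        "/uri2/*" {
            # Explicit allow: "-" chains all four patterns onto this one body.
            pool mypool
        }
        default {
            # Default deny: anything not listed gets a TCP reset ("drop" would
            # discard silently). Log it so the allow list can be tuned from /var/log/ltm.
            log local0. "[virtual] reject client=[IP::client_addr] path=[HTTP::path]"
            reject
        }
    }
}
```

The allow list is written as a default-deny switch: the action in the brackets for the permitted URIs is simply the normal forwarding (pool mypool, or a bare return to fall through to the default pool), and reject moves into the default branch.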