
limit access from source 192.168.1.1 to single URL and permit all others

Dears,

I'm trying to write an iRule that limits access from source 192.168.1.1 to a single URL (www.abc.com/test) and permits everything else. When applying the below on the VS, it's not working anymore. Should it be HTTP_REQUEST or CLIENT_ACCEPTED?

when HTTP_REQUEST { if { !([HTTP::uri] equals "www.abc.com/test"; and [IP::client_addr] equals "192.168.1.1/32" ) } { reject }

}

0
Comments on this Question
Comment made 23-Jan-2018 by Daniel Varela 711

iRules don't use semicolons. I think this is more what you want to do:

when HTTP_REQUEST { if { ([HTTP::uri] ne "/test") and ([IP::client_addr] equals "192.168.1.1" ) } { reject } }

HTTP::uri will return just the uri without the hostname.

0
Comment made 23-Jan-2018 by aboulleill 64

Dears,

I just applied this on live environment :

when HTTP_REQUEST { if {!([HTTP::uri] equals "/cvs/chn.website.cvs.Account_1.0?wsdl") and ([IP::client_addr] equals "192.168.100.201")} { reject } }

But 192.168.100.201 is still able to access everything. The URLs in question are https://.

0
Comment made 23-Jan-2018 by Daniel Varela 711

You are blocking all the URLs except "/cvs/chn.website.cvs.Account_1.0?wsdl" for that IP. Adjust the first comparison to get what you expect. I think in your case it is [HTTP::uri] ne "/cvs/chn.website.cvs.Account_1.0?wsdl"

1
Comment made 23-Jan-2018 by Emre Ovali 203

Hi aboulleill,

Could you please try to use this irule?

when HTTP_REQUEST {
    if {[IP::client_addr] equals "192.168.100.201"} {
        if {[string tolower [HTTP::uri]] equals "/cvs/chn.website.cvs.account_1.0?wsdl"} {
            drop
        }
    }
}
0
Comment made 23-Jan-2018 by aboulleill 64

Dears,

I'm trying to block all URLs except "/cvs/chn.website.cvs.Account_1.0?wsdl" for source IP address 192.168.100.201. But until now 192.168.100.201 is still able to access other URLs, as if the iRule doesn't exist (trying the two iRule codes below):

https://prodfmw-osb.bm.com.lb/OmegaIntegration/proxy/BankMedOmegaIntegrationWS?wsdl (still opening, not normal behavior)

https://prodfmw-osb.bm.com.lb/cvs/chn.website.cvs.Account_1.0?wsdl (still opening, this is normal)

iRule 1:

when HTTP_REQUEST { if {[IP::client_addr] equals "192.168.100.201" }{ if {[string tolower [HTTP::uri]] ne "/cvs/chn.website.cvs.account_1.0?wsdl" } { drop } } }

iRule 2:

when HTTP_REQUEST { if { ([HTTP::uri] ne "prodfmw-osb.bm.com.lb/cvs/chn.website.cvs.Account_1.0?wsdl") and ([IP::client_addr] equals "192.168.100.201")} { reject } }

0
Comment made 24-Jan-2018 by Emre Ovali 203

You should use the "not" only at the beginning of the if sentence:

when HTTP_REQUEST {
    if {[IP::client_addr] equals "192.168.100.201"} {
        if {not ([string tolower [HTTP::uri]] equals "/cvs/chn.website.cvs.account_1.0?wsdl")} {
            drop
        }
    }
}
0
Comment made 24-Jan-2018 by Daniel Varela 711

Add some debugging to your iRule as well:

when HTTP_REQUEST {
    log local0. "URI: [HTTP::uri]"
    log local0. "IP: [IP::client_addr]"
    if { ([HTTP::uri] ne "prodfmw-osb.bm.com.lb/cvs/chn.website.cvs.Account_1.0?wsdl") and ([IP::client_addr] equals "192.168.100.201") } {
        reject
    }
}

The URI you see in the log has to be the same as the one in your if.

0
Comment made 24-Jan-2018 by aboulleill 64

Dears,

Still not working...

Best Regards, Ralph El Haber

0
Comment made 24-Jan-2018 by Daniel Varela 711

Hi Ralph, please add debugging and post it here, otherwise it is really difficult to see where the problem is. You can find the output by executing tail -f /var/log/ltm on the command line.

when HTTP_REQUEST {
    log local0. "URI: [HTTP::uri]"
    log local0. "IP: [IP::client_addr]"
    if { ([HTTP::uri] ne "/cvs/chn.website.cvs.Account_1.0?wsdl") and ([IP::client_addr] equals "192.168.100.201") } {
        reject
    }
}

Some notes: HTTP::uri does not return the hostname, but it does include all the parameters in the URL. The iRule won't work unless the URI is an exact match. Try to chunk the iRule into smaller pieces and verify the functionality separately.

0
Comment made 24-Jan-2018 by aboulleill 64

Dear Daniel,

find below logs :

Jan 24 16:05:24 F5-1 info tmm1[14061]: Rule /Middleware/rackspace : URI: /cvs/chn.website.cvs.Account_1.0?wsdl
Jan 24 16:05:24 F5-1 info tmm1[14061]: Rule /Middleware/rackspace : IP: 192.168.100.201%10

Jan 24 16:07:09 F5-1 info tmm1[14061]: Rule /Middleware/rackspace : URI: /OmegaIntegration/proxy/BankMedOmegaIntegrationWS?wsdl
Jan 24 16:07:09 F5-1 info tmm1[14061]: Rule /Middleware/rackspace : IP: 192.168.100.201%10

Best Regards, Ralph El Habr

0
Comment made 24-Jan-2018 by Daniel Varela 711

If you are using route domains, then you have to add the route domain ID at the end of the IP, like:

[IP::client_addr] equals "192.168.100.201%10"

Can you test this?

1
Comment made 24-Jan-2018 by Lee Sutcliffe 2773

I would just change the logic to 'contains' to get around the route domain issue. It makes the iRule more portable for other VIPs in different route domains.

e.g.

[IP::client_addr] contains "192.168.100.201"

2
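The route-domain suffix (the `%10` in the logged `IP::client_addr`) and the hostname-free `HTTP::uri` are the two things that made the earlier attempts fail. The following is an added example, not code from the thread or from F5: it models the accepted decision logic in plain Python so the comparisons can be exercised offline, and it contrasts exact address matching (with the `%rd` suffix stripped) against the literal `equals` and the substring `contains` used in the thread. The request records are constructed from the log lines posted above; the third record (`10.20.30.40%10`) is an assumed, unrestricted client.

```python
"""Added example: model of the thread's iRule decision, with route-domain handling.
Not F5 code. Request records are constructed from the log lines in the thread."""
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Policy from the thread: one client is restricted to one URI; everyone else is unrestricted.
RESTRICTED_CLIENT = "192.168.100.201"
ALLOWED_URI = "/cvs/chn.website.cvs.account_1.0?wsdl"  # stored lower-cased; compared case-insensitively


def split_route_domain(addr: str) -> Tuple[str, Optional[int]]:
    """Split 'a.b.c.d%N' (what IP::client_addr returns on a route-domain VS)
    into the bare address and the route-domain ID (None when there is no suffix)."""
    ip, sep, rd = addr.partition("%")
    return ip, (int(rd) if sep else None)


def client_is(addr: str, target: str) -> bool:
    """Exact address comparison that tolerates the %rd suffix.
    Parsing both sides with ip_address() also rejects malformed or partial literals."""
    ip, _rd = split_route_domain(addr)
    return ip_address(ip) == ip_address(target)


def should_reject(client_addr: str, uri: str) -> bool:
    """The accepted answer's logic: reject only when the restricted client
    requests anything other than the single allowed URI (case-insensitive).
    Note the comparison is against path + query only; HTTP::uri never carries the host."""
    if not client_is(client_addr, RESTRICTED_CLIENT):
        return False
    return uri.lower() != ALLOWED_URI


# --- the two address-matching variants from the thread, kept for comparison ---

def naive_equals(client_addr: str) -> bool:
    """Literal string compare, as in the first attempts. Fails on the logged
    value '192.168.100.201%10' because of the route-domain suffix."""
    return client_addr == RESTRICTED_CLIENT


def naive_contains(client_addr: str, needle: str) -> bool:
    """Substring match, as suggested with 'contains'. It survives the %rd suffix,
    but it is only as tight as the literal: a shorter needle matches more hosts."""
    return needle in client_addr


# Constructed request records modelled on the thread's log lines (third one assumed).
REQUESTS: List[Tuple[str, str]] = [
    ("192.168.100.201%10", "/cvs/chn.website.cvs.Account_1.0?wsdl"),
    ("192.168.100.201%10", "/OmegaIntegration/proxy/BankMedOmegaIntegrationWS?wsdl"),
    ("10.20.30.40%10", "/OmegaIntegration/proxy/BankMedOmegaIntegrationWS?wsdl"),
]


def decisions(requests: List[Tuple[str, str]] = REQUESTS) -> List[str]:
    """Return 'reject' or 'allow' for each (client_addr, uri) record."""
    return ["reject" if should_reject(addr, uri) else "allow" for addr, uri in requests]


if __name__ == "__main__":
    for (addr, uri), action in zip(REQUESTS, decisions()):
        print(f"{addr:<22} {action:<6} {uri}")
```

On the BIG-IP side the equivalent of `split_route_domain` is to strip the suffix before comparing, for example with `[getfield [IP::client_addr] "%" 1] equals "192.168.100.201"` (my suggestion, not from the thread); that keeps the exact-match semantics while staying portable across route domains, whereas `contains "192.168.100.20"` would also match .201 through .209 and .200.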
Comment made 24-Jan-2018 by aboulleill 64

Thank you Daniel, yes I'm using route domains and this was the problem. MrPlastic, I used contains instead of % and it's working now :)

thank you for your support.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Updated to compensate for route domains

The event will have to be HTTP_REQUEST, as you are reading the URI. You were almost there with your attempt; please try the following:

when HTTP_REQUEST { 
    if {[IP::client_addr] contains "192.168.100.201"}{ 
        if {[string tolower [HTTP::uri]] ne "/cvs/chn.website.cvs.account_1.0?wsdl"} { 
            reject
        } 
    } 
}
0
Comments on this Answer
Comment made 23-Jan-2018 by aboulleill 64

Dear Daniel ,

Yes, exactly, this is what I need. But I didn't get your point: isn't "not equal" the same as putting "!"?

0