deny access to certain URIs based on client source IP address and URI being accessed
I have been asked to deny access to a virtual server if ...
[1] the client is coming from a "non-private" (i.e. not RFC 1918) IP address
and
[2] the client is trying to access any one of three specific URIs.
Based on what I've read in other threads in this forum, this is what I've come up with ...
-=-=-=-=-=
----- data group list -----
INTERNAL_NETWORKS_class
network 10.0.0.0 / 255.0.0.0
network 172.16.0.0 / 255.240.0.0
network 192.168.0.0 / 255.255.0.0
----- irule -----
when HTTP_REQUEST {
    # Only clients outside the RFC 1918 ranges in INTERNAL_NETWORKS_class are restricted
    if { not ([matchclass [IP::client_addr] equals $::INTERNAL_NETWORKS_class]) } {
        # [HTTP::uri] always starts with "/" and includes the query string,
        # so each pattern needs the leading slash or it will never match
        switch [HTTP::uri] {
            "/blah-blah-blah" -
            "/system/yada-yada-yada?CONFIG=1&USERTYPE=1&other-stuff=true" -
            "/system/yada-yada-yada?CONFIG=1&USERTYPE=2&other-stuff=true" {
                drop
            }
        }
    }
}
-=-=-=-=-=
I haven't tried this yet, but I am just wondering if this is the best approach.
Also, would I need a "catch-all" statement at the end? The behavior should be that, if there is no match, the traffic should flow unimpeded.
Any help will be greatly appreciated!
Thanks!
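As an added example (not part of the original post, and not the poster's iRule): the same policy written against the "class match" command used in v10 and later, since the matchclass / $:: form in the post is the v9 syntax. The data group names internal_networks and restricted_uris are assumed here, the tmsh lines in the comments show one way to create them, and the three URIs are the placeholders from the post. It also shows that no catch-all branch is needed: an HTTP_REQUEST event that takes no action lets the request through unchanged.

```tcl
# Added example, not the original poster's iRule. Assumes v10+ iRule syntax and
# two data groups that must exist first, for instance (tmsh, one line each):
#   tmsh create ltm data-group internal internal_networks type ip \
#       records add { 10.0.0.0/8 { } 172.16.0.0/12 { } 192.168.0.0/16 { } }
#   tmsh create ltm data-group internal restricted_uris type string \
#       records add { "/blah-blah-blah" { } \
#                     "/system/yada-yada-yada?CONFIG=1&USERTYPE=1&other-stuff=true" { } \
#                     "/system/yada-yada-yada?CONFIG=1&USERTYPE=2&other-stuff=true" { } }
when HTTP_REQUEST {
    # Clients inside the RFC 1918 ranges are never restricted: exit early
    if { [class match [IP::client_addr] equals internal_networks] } {
        return
    }

    # [HTTP::uri] always begins with "/" and includes the query string, so the
    # comparison is exact on path plus parameters in the order the client sent
    # them. Use [HTTP::path] instead if only the path should matter.
    if { [class match [HTTP::uri] equals restricted_uris] } {
        log local0. "Denied [IP::client_addr] -> [HTTP::uri]"
        # Answer with a 403 so the block is visible to the client and in logs;
        # "reject" would instead close the TCP connection without a response.
        HTTP::respond 403 content "Forbidden" Connection close
        return
    }

    # No match: nothing else to do, the request proceeds to the pool. No
    # default branch is needed because the iRule only acts on matches.
}
```

Because the comparison is on the full URI, a request whose parameters are the same but in a different order (USERTYPE=1&CONFIG=1) will not match; if that matters, compare [HTTP::path] and then inspect the individual parameters with [URI::query [HTTP::uri] CONFIG] and so on.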