Adding IP Filtering after pool selection and/or http redirect

Question

So I have a shared application URL VIP that I have configured.  Currently it is context based on ports 80/443.   So right now I am routing based on the URI of the request.  But now I have been tasked with adding security to a portion of that pathway and wide open down the other path.  So I am aware of how to do IP Filtering initially in iRules and use it routinely but not sure how to properly put filtering in after the pool has been selected.  I tried using a when LB_Selected but that failed.&nbsp;
&nbsp;Current Flow Requirements:
&nbsp;Path 1:  All traffic routed to http://sharedapps_VIP/qa/  or /b2b/qa
&nbsp;     A.  Redirect (in another iRule) to https://sharedapps_VIP/qa or b2b/qa 
&nbsp;     B.  The below rule then routes it to pool "sharedapps_1_qa_pool"
&nbsp;Path 2:  All traffic routed to http://sharedapps_VIP/sms/  or /b2b/services&nbsp;
     A.  Redirect (in another iRule) to https://sharedapps_VIP/sms/ or b2b/services &nbsp;
     B.  The below rule then routes it to pool "sharedapps_1_prod_pool"&nbsp;
Path 3:  All traffic routed to http://sharedapps_VIP/&nbsp;
     A.  Redirect (in another iRule) to https://sharedapps_VIP/&nbsp;
     B.  The below rule then routes it to pool "sharedapps_2_qa_pool"
&nbsp;     C.  Appends the weburi to end of request.&nbsp;
&nbsp;Current iRule:&nbsp;rule SharedApps_Web_Redirect {
&nbsp;   when HTTP_REQUEST {
&nbsp;    set host [HTTP::host]
&nbsp;    set uri [HTTP::uri]
&nbsp;   if { [HTTP::uri] starts_with "/qa"  or [HTTP::uri] starts_with "/b2b/qa/" } {
&nbsp;          log local0. "chosen pool is QA Pool"
&nbsp;          pool sharedapps_1_qa_pool
&nbsp;     } elseif { [HTTP::uri] starts_with "/sms"  or [HTTP::uri] starts_with "/b2b/services"  } {
&nbsp;          log local0. "chosen pool PROD Pool"
&nbsp;          pool  sharedapps_1_prod_pool
&nbsp;     } elseif { [HTTP::uri] equals "/" } {
&nbsp;      set weburi "/web/loginreg/loginStart.do"
&nbsp;         HTTP::redirect "https://$host$weburi"
&nbsp;          pool  sharedapps_2_Prod_Pool
&nbsp;     } else {
&nbsp;        pool sharedapps_2_Prod_Pool
&nbsp;      }
&nbsp;}
&nbsp;}&nbsp;&nbsp;
&nbsp;What is needed in new requirements:&nbsp;
&nbsp;Current Flow Requirements:
&nbsp;Path 1:  Restrict traffic routed to http://sharedapps_VIP/qa/  or /b2b/qa
&nbsp;     A.  Redirect (in another iRule) to https://sharedapps_VIP/qa or b2b/qa 
&nbsp;     B.  The below rule then routes it to pool "sharedapps_1_qa_pool"
&nbsp;Path 2:  Restrict traffic routed to http://sharedapps_VIP/sms/  or /b2b/services&nbsp;
     A.  Redirect (in another iRule) to https://sharedapps_VIP/sms/ or b2b/services &nbsp;
     B.  The below rule then routes it to pool "sharedapps_1_prod_pool"&nbsp;
Path 3:  All traffic routed to http://sharedapps_VIP/&nbsp;
     A.  Redirect (in another iRule) to https://sharedapps_VIP/&nbsp;
     B.  The below rule then routes it to pool "sharedapps_2_qa_pool"&nbsp;
     C.  Appends the weburi to end of request.&nbsp;&nbsp;
&nbsp;So you can see I am at an impasse and I have used Google and looked over devcentral.  I know it is something easy that I am missing but I thought I would reach out for some assistance.  If I left anything out I apologize and will provide it to assist in any help.&nbsp;
&nbsp;Thanks in Advance.&nbsp;

hooleylist · Answer

Hi Scott, 
&nbsp;  
&nbsp; I'm not sure I clearly understand your updated requirements.  What IP filtering logic do you want to implement?  Do you want to check the source IP address/subnet or the pool member IP address/subnet?  Under which case(s) do you want to perform this check? 
&nbsp;  
&nbsp; Also, your existing rule is issuing a redirect and selecting a pool for requests to /.  I think the redirect would take precedence over the pool selection.  You could remove which either action you don't need done in that scenario. 
&nbsp;  
&nbsp; Lastly, you might find a switch statement as a cleaner way to implement the URI checking.  Here is a link to the switch wiki page: 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/switch 
&nbsp;  
&nbsp; Aaron

scottg_82592 · Answer

Thx Aaron, 
&nbsp;  
&nbsp; Basically I have to restrict traffic to sharedapps1 path but not restrict traffic to the sharedapps2 path.  So I have to allow all traffic to one but restrict all unauthorized traffic to the other.

hooleylist · Answer

When you say restrict, do you mean check the client IP to see if it's valid?  If so, you can use class match (v10) or matchclass (v9) to check the client IP against an IP address/subnet datagroup of whitelisted addresses.  You could send an HTTP response with HTTP::respond, reset the TCP connection with the reject command or drop any subsequent packets on the connection using drop.   
&nbsp;  
&nbsp; If that's not what you're aiming for, can you you clarify the scenario? 
&nbsp;  
&nbsp; Thanks, Aaron

Forum Discussion

Adding IP Filtering after pool selection and/or http redirect

3 Replies

Recent Discussions

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

Related Content

Anchor Link Redirect

BGP - filtering kernel redistribution

url redirect

Selective SNAT

ASM filtered HTML exceeded limit: event code C190 Filtered Response HTML exceeded max limit