Forum Discussion

julienmo_44816
Feb 16, 2012

URI ACL based on source ip address

Hi everybody, I'm a long time reader and a first time poster :)

Can someone help me with creating a rule that can filter URI access based on IP address?

Something like:

userIP1 can access /userDIR1
userIP2 can access /userDIR2
userIP3 can access /userDIR3
anyIP can access /publicDIR
default drop

I'm inspired by this solution:

http://devcentral.f5.com/Community/...fault.aspx

But I would like to normalise the iRule for using it with some virtual servers, and use a file:

I would like to build a Datagroup file like:

user_IP1:=USER_DIR1
user_IP1:=USER_DIR2
user_IP1:=USER_DIR3
user_IP2:=USER_DIR1
user_IP2:=USER_DIR2
user_IP10:=USER_DIR10 ==> There may be the same IP for some URIs and the same URI for some IPs

This file will be pushed by a server over the ssh protocol. There will be a lot of entries...

But I don't have any idea how to use this file (build an array? use a foreach loop?). Do you have some beginning of a solution?

Do you have another solution than the one I propose?

Thanks a lot!

3 Replies

  • Hi,

    After a day of working with my colleague:

    when HTTP_REQUEST {

        set permit "IMPLICIT DENY"

        set uri_origine [HTTP::uri]
        set ip_origine [IP::client_addr]

        set id [class startsearch Datagrp_uri_acl_allow]
        set id2 [class startsearch Datagrp_uri_acl_deny]

        # EXPLICIT DENY TRAFFIC
        while { [class anymore Datagrp_uri_acl_deny $id2] } {
            # each element is a {ip uri-regex} pair from the data group
            set y [class nextelement Datagrp_uri_acl_deny $id2]
            set ip_deny [lindex $y 0]
            set uri_deny [lindex $y 1]
            # Tcl needs the opening brace on the same line as the condition
            if { [IP::addr $ip_origine equals $ip_deny] and $uri_origine matches_regex $uri_deny } {
                set permit "DENY EXPLICIT RULE"
            }
        }
        # release the search handle
        class donesearch Datagrp_uri_acl_deny $id2

        # ALLOWED TRAFFIC
        if { $permit == "IMPLICIT DENY" } {
            while { [class anymore Datagrp_uri_acl_allow $id] } {
                set x [class nextelement Datagrp_uri_acl_allow $id]
                set ip_allow [lindex $x 0]
                set uri_allow [lindex $x 1]
                if { [IP::addr $ip_origine equals $ip_allow] and $uri_origine matches_regex $uri_allow } {
                    set permit "ALLOW RULE"
                    log local0.info "Allowed client [IP::remote_addr]:[TCP::client_port] requesting: http(s)://[HTTP::host][HTTP::path] ($permit)"
                }
            }
        }
        class donesearch Datagrp_uri_acl_allow $id

        # IMPLICIT DENY OR MATCH EXPLICIT DENY TRAFFIC
        if { $permit equals "IMPLICIT DENY" or $permit equals "DENY EXPLICIT RULE" } {
            HTTP::respond 403 content "Forbidden Access: you are not allowed to access [HTTP::uri]"
            log local0.info "Denied Access client [IP::remote_addr]:[TCP::client_port] requesting: http(s)://[HTTP::host][HTTP::path] ($permit)"
        }
    }
  • I think another problem is how to reload the external data group after the file has been updated.

    As far as I know, it can be done using iControl.

    Forcing a reload of External Data Groups within an iRule by Joe
    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/33/Forcing-a-reload-of-External-Data-Groups-within-an-iRule.aspx

    The other idea coming to my mind is to use a sideband connection to retrieve the data instead of a data group. I think it should look like what George does in the article below.

    Populating Tables With CSV Data Via Sideband Connections by George
    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1088515/Populating-Tables-With-CSV-Data-Via-Sideband-Connections.aspx
  • For reloading the file over ssh, I use these commands:

    tmsh modify /ltm data-group Datagrp_uri_acl_allow external-file-name /var/class/uri_acl_allow-list
    tmsh modify /ltm data-group Datagrp_uri_acl_deny external-file-name /var/class/uri_acl_deny-list
    tmsh save /sys config
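To check an allow/deny list offline before pushing it to the BIG-IP, here is an added Python model of the evaluation order used by the iRule in the first reply (explicit deny first, then allow, otherwise implicit deny). It is not F5 code and not from any poster; it assumes the `ip := uri-regex` line format sketched in the question rather than the on-disk external data-group format, and it mirrors the unanchored `matches_regex` operator with `re.search`.

```python
import ipaddress
import re

# Constructed sample lists in the "ip := uri-regex" format sketched in the question.
# Host entries and CIDR entries are both accepted; 0.0.0.0/0 plays the role of "anyIP".
ALLOW_LINES = """
10.0.0.10  := ^/userDIR1
10.0.0.20  := ^/userDIR2
0.0.0.0/0  := ^/publicDIR
"""
DENY_LINES = """
10.0.0.20  := ^/userDIR2/secret
"""


def parse_datagroup(text):
    """Parse 'ip := regex' lines into (network, compiled regex) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ip_part, sep, uri_part = line.partition(":=")
        if not sep:
            raise ValueError(f"malformed entry: {line!r}")
        net = ipaddress.ip_network(ip_part.strip(), strict=False)
        entries.append((net, re.compile(uri_part.strip())))
    return entries


def evaluate(client_ip, uri, allow, deny):
    """Return the verdict the iRule would leave in $permit."""
    addr = ipaddress.ip_address(client_ip)
    # Explicit deny entries are checked first and override any allow entry.
    for net, pattern in deny:
        if addr in net and pattern.search(uri):
            return "DENY EXPLICIT RULE"
    for net, pattern in allow:
        if addr in net and pattern.search(uri):
            return "ALLOW RULE"
    return "IMPLICIT DENY"


def is_permitted(client_ip, uri, allow, deny):
    """True only when an allow entry matched and no deny entry did."""
    return evaluate(client_ip, uri, allow, deny) == "ALLOW RULE"


ALLOW = parse_datagroup(ALLOW_LINES)
DENY = parse_datagroup(DENY_LINES)
```

Because `matches_regex` is unanchored, an entry written as `/publicDIR` also matches any path that merely contains that string, so anchor patterns with `^` as in the sample list.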