Forum Discussion

Brian_Kenworthy
Oct 22, 2012

Allow Access to URL from Inside but Not From Internet

Hi All,

What is the best way to allow access to a URL from the inside network, but not from the public Internet? I have this iRule, but when I apply it to the virtual server, all traffic is impacted. I'd like to be able to allow 10.16.0.0/16 to be able to access the URL, but everything from the Internet to be blocked.

    when HTTP_REQUEST {
      switch -glob [string tolower [HTTP::path]] {
        "/proxyservice*" {
          log local0. "[IP::client_addr]:[TCP::client_port]: Dropping request to [HTTP::uri]"
          HTTP::respond 200 content "Forbidden

    Website Error: Forbidden
    Your information has been logged.
    "
        }
        default {
          pool www.domain.com_HTTP
        }
      }
    }

Thanks in advance for your help!

Brian


4 Replies

  • Oops, here is the code 🙂

    when HTTP_REQUEST {
      switch -glob [string tolower [HTTP::path]] {
        "/proxyservice*" {
          log local0. "[IP::client_addr]:[TCP::client_port]: Dropping request to [HTTP::uri]"
          HTTP::respond 200 content "Forbidden

    Website Error:  Forbidden
    Your information has been logged.
    "
        }
        default {
          pool www.domain.com_HTTP
        }
      }
    }

  • e.g.

    [root@ve10:Active] config # b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config # b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          if { [HTTP::uri] starts_with "/proxyservice" } {
             if { not ([IP::addr [IP::client_addr] equals 10.16.0.0/16]) } {
                log local0. "[IP::client_addr]:[TCP::client_port]: Dropping request to [HTTP::uri]"
                HTTP::respond 200 content "Forbidden

    Website Error:  Forbidden
    Your information has been logged.
    "
             }
          }
       }
    }

    [root@ve10:Active] config # tail -f /var/log/ltm
    Oct 23 12:53:53 local/tmm info tmm[7926]: Rule myrule : 172.28.20.11:58988: Dropping request to /proxyservice/something

  • They don't seem to be popular but have you considered a packet filter? You won't be able to send a response to denied clients but in this case it would be far more efficient and minimise your exposure to DDoS attacks. Alternatively, if your internal and Internet clients connect via different VLANs, you could remove the VS from the 'public' VLAN.
  • Thanks for the info guys. The change to the iRule works as expected.

    It's funny, after I posted this up I did think of doing IP filtering which would be a little easier and more efficient to implement in this case.

    Thanks for the help!
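A tightened version of the allow-list iRule shown in the second reply, added here as an example and not code from the thread. It keeps the case-folding of the path from the original post (so `/ProxyService` cannot slip past a case-sensitive prefix test when the back-end server treats both spellings the same), moves the permitted networks into an address data group so adding a network means editing the data group rather than the rule, and answers denied clients with a real 403 instead of a 200 that says "Forbidden". The data group name `internal_nets` and the tmsh line shown for creating it are assumptions for this example; check the tmsh syntax against your BIG-IP version.

```tcl
# Added example (not from the original thread). Assumes an address-type
# data group named "internal_nets" exists on the BIG-IP holding the
# networks that may reach the proxy service, e.g. (verify on your version):
#   tmsh create ltm data-group internal internal_nets type ip records add { 10.16.0.0/16 { } }
when HTTP_REQUEST {
    # Compare against a lower-cased path so the prefix test is not
    # case-sensitive; HTTP::path excludes the query string, as in the
    # original post's switch statement.
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/proxyservice" } {
        # class match returns 1 when the client address falls inside any
        # record of the address data group, so the rule itself never
        # needs to change when the list of internal networks does.
        if { not [class match [IP::client_addr] equals internal_nets] } {
            log local0. "[IP::client_addr]:[TCP::client_port]: denied [HTTP::method] [HTTP::uri] (not in internal_nets)"
            # 403 is the status a client (and any monitoring) expects for
            # a refused request; close the connection so nothing else is
            # attempted over it.
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain" "Connection" "close"
            return
        }
    }
    # Internal clients, and every other path, fall through to the
    # virtual server's default pool.
}
```

The denial shows up in /var/log/ltm prefixed with the rule name, exactly like the log line in the reply above. The protection is only as good as the path test: it is a prefix match on the lower-cased path, so if the server behind the pool maps other spellings of the path (for example percent-encoded characters) onto the same handler, those spellings need to be covered too, or the check moved to something that is not path-based, such as the packet filter or separate VLAN suggested in the third reply.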