jimmasters_1227
Apr 08, 2013

Blocking access to certain URI except from IP Address

Hi All,

I am trying to block access to the admin sections of my website, unless the request comes from one of my public IP addresses.

The rule I tried to implement looks like this:

    when HTTP_REQUEST {
        if { [HTTP::host] equals "www.mywebsite.com.au" and [HTTP::uri] equals "/provider/faces/provider.jspx" or "/faces/admin.jspx" or "/reporting/BOE/BI" and !([matchclass [IP::remote_addr] equals $::MyPublicAddressPool ]) } {
            reject
        }
        else {
            return
        }
    }

It is based on another example I saw in the forums. The trouble is, when I implement this iRule, it ends up blocking all traffic to my website, rather than just the admin URI listed above.

Could someone point me to where I am going wrong? I don't think I'm that far off.

Thanks in advance.

4 Replies

  • I think the problem is in the grouping. Try this:

    
    when HTTP_REQUEST {
        # The URI is lowercased before comparison, so every literal must be lowercase too.
        if { ( [HTTP::host] equals "www.mywebsite.com.au" ) and ( ( [string tolower [HTTP::uri]] equals "/provider/faces/provider.jspx" ) or ( [string tolower [HTTP::uri]] equals "/faces/admin.jspx" ) or ( [string tolower [HTTP::uri]] equals "/reporting/boe/bi" ) ) and not ( [matchclass [IP::remote_addr] equals $::MyPublicAddressPool ] ) } {
            reject
        }
    }
    
  • I got it working using an HTTP::respond statement. The reject statement was causing problems and was blocking all traffic instead of just the Admin URI. I also removed the URL section from the beginning as this iRule is only applied to a single VIP.

    when HTTP_REQUEST {
        # The URI is lowercased before comparison, so every literal must be lowercase too.
        if { ( ( [string tolower [HTTP::uri]] equals "/provider/faces/provider.jspx" ) or ( [string tolower [HTTP::uri]] equals "/faces/admin.jspx" ) or ( [string tolower [HTTP::uri]] equals "/reporting/boe/bi" ) ) and not ( [matchclass [IP::remote_addr] equals $::MyIPAddressRange ] ) } {
            HTTP::respond 200 content "URL Denied"
            return
        }
    }

  • Jnon
    Are you on 9.x code? If you're on 10.x or greater, you need to change the matchclass out for class match and remove $:: to take advantage of CMP.
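
An added example, not posted by anyone in the thread: the same restriction written for BIG-IP 10.x or later with `class match`, as the last reply suggests. It assumes an address-type data group with the hypothetical name `admin_allowed_ips`; matching on the lowercased `HTTP::path` with glob patterns and answering 403 are this example's choices, not the posters'.

```tcl
# Added example. Assumes BIG-IP v10.x+ and an address-type data group
# named admin_allowed_ips (hypothetical name) holding the permitted sources.
when HTTP_REQUEST {
    # HTTP::path leaves out the query string, so appending "?x=1" to an
    # admin URL does not change what is compared. Lowercase once, then
    # compare only against lowercase patterns.
    set path [string tolower [HTTP::path]]

    switch -glob -- $path {
        "/provider/faces/provider.jspx*" -
        "/faces/admin.jspx*" -
        "/reporting/boe/bi*" {
            # The trailing * also covers anything appended to the path,
            # such as sub-paths or a ";jsessionid=..." suffix.
            # The data group is referenced by name, without $::.
            if { not [class match [IP::client_addr] equals admin_allowed_ips] } {
                # Record the denial so blocked attempts are visible in /var/log/ltm.
                log local0. "Admin URI denied: [IP::client_addr] -> [HTTP::host][HTTP::uri]"
                HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
                return
            }
        }
    }
    # Any other path falls through and is load balanced as usual.
}
```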