Access Control Based On IP for specific URL

I am pretty new to irules so any help here would be appeciated. The irule below is the deafult irule for Access control based on IP from the codeshare area. Is it possible to alter this so that it controls access for a specific URL under the virtual server rather than the whole virtual server? ie. http://www.joeblogs.com/restricted/

when RULE_INIT {

v1.0 - basic ACL.

October, 2007

Tested on BigIP version 9.4.

Purpose:

Bind this rule to a network virtual server to simply allow or disallow traffic based on source IP.

This rule expects a datagroup named trustedAddresses that lists the addresses you wish to allow.

By default, traffic will be dropped.

}

when CLIENT_ACCEPTED {

if { [matchclass [IP::client_addr] equals $::trustedAddresses] }{

Uncomment the line below to turn on logging.

log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"

forward

} else {

Uncomment the line below to turn on logging.

log local0. "Invalid client IP: [IP::client_addr] - discarding"

discard

}

24 Replies

Andy_Herrman_22
Nimbostratus
Jun 26, 2008
You could create another class that contains the URLs that you want to control access to, and then have the IF check the HTTP::uri against that class (similar to the check of the client addr against the trusted addresses) first. If that matches then check the client addr against the trusted list.
jondyke_46152
Nimbostratus
Jun 27, 2008
Forgive my ignorance here but I am an irule virgin - would it look something like this?

I assume I would need to create datagroups for trustedaddresses and securedvirtualdirectories? What would these look like? I am guessing the trustedaddresses dsatagroup would be an address type group and the securedvirtualdirectories would need to be some sort of string?

}

when CLIENT_ACCEPTED {

if { [matchclass [IP::client_addr] equals $::trustedAddresses] }

{ [matchclass [HTTP::uri] equals $::securedvirtualdirectories]}{

Uncomment the line below to turn on logging.

log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"

forward

} else {

Uncomment the line below to turn on logging.

log local0. "Invalid client IP: [IP::client_addr] - discarding"

discard

}

}
jondyke_46152
Nimbostratus
Jun 30, 2008
Thanks

I have copied the text into an irule and created an address datagroup called trustedAddresses (and added the allowed IP)

Do I then need to create another datagroup for securedpaths? If so how do I do this with the code you supplied?
jondyke_46152
Nimbostratus
Jun 30, 2008
Ok - i tried the rule above and created an address datagroup and string datagroup with the securepath info. Seems to scre up my site.... are we missing the foward bit of the rule?
Andy_Herrman_22
Nimbostratus
Jun 30, 2008
I don't believe the 'forward' command is necessary. If you don't reject it then the F5 should process it normally.

It looks like you have the rule backwards. I think you're discarding when you want to allow, and allowing when you want to discard.

The IF statement will trigger if someone who is NOT authorized tries to access the secure path. In this case you want to reject them. The ELSE case will hit whenever the user is authorized OR they are trying to access a non-secure part of the site.

The iRule I suggested didn't have the ELSE part there, so the rule you have is doing the opposite of the one I wrote. Try switching back to the one I had and see if it works.
jondyke_46152
Nimbostratus
Jun 30, 2008
When I tried the irule that you have written above it seems to break my site (no page displayed) at the default level which is a bit odd.

Andy_Herrman_22

Nimbostratus

Jun 30, 2008

Can you try using this iRule and do a couple tests, then post the log messages you get? I added some logging and put the 'forward' command in, just in case I was wrong and it is needed.

  
  when HTTP_REQUEST {    
    
    if { ( [matchclass [HTTP::uri] starts_with $::securePaths] ) and  
         ! ( [matchclass [IP::client_addr] equals $::trustedAddresses] ) }  
    {  
      log local0. "Untrusted IP ([IP::client_addr]) attempting to access secure path ([HTTP::uri])"  
      discard  
    } else {  
      log local0. "Allowing connection from [IP::client_addr] to [HTTP::uri]"  
      forward  
    }  
  }

Andy_Herrman_22
Nimbostratus
Jun 30, 2008
Oh, and a quick suggestion. When posting your iRule code, use a code block to help keep the formatting.

[ code ]

CODE GOES HERE

[ /code ]

(remove the spaces from the tags. I had to put them there to get them to actually appear in the message instead of creating an actual code block)
jondyke_46152
Nimbostratus
Jun 30, 2008
The following message is in the log:-

TCL error: irule_restrictedbyIP HTTP_REQUEST - cant read ::securePaths: no such variable while executing matchclass [HTTP::uri] starts_with $::securePaths
Andy_Herrman_22
Nimbostratus
Jun 30, 2008
Sounds like the datagroup/class for the secure paths isn't defined. Does that error happen when using your own iRule code?

Forum Discussion

Access Control Based On IP for specific URL

24 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

API Security: How to implement API Access Control with F5

JWT authorization with NGINX Ingress Controller

Distributed caching of authentication requests with NGINX Ingress Controller

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Egress control for Kubernetes using F5 Distributed Cloud Services