URI access restricted to ip subnet

Question

hi people, 
&nbsp; I have F5 running version 9.4.7 , I try to implement iRule in order to limit access to defined URI only to internal subnet, but i'm unable to obtain the correct result, the URI is allowed or denied without care on ip class and subnet defined. 
&nbsp; Anyone can check my iRule syntax, and/or give me suggestion? 
&nbsp;  
&nbsp; Thanks in advance! 
&nbsp;  
&nbsp; the following is my iRule script: 
&nbsp;  
&nbsp; when HTTP_REQUEST {       if { [HTTP::uri] starts_with "/cms/" }{              if {not [matchclass [IP::client_addr] equals $::Agusta_internal]} {              log local0. "[IP::client_addr]:[TCP::local_port]: Matched IP check. Discarding request to [HTTP::uri]"             drop          }        }  }   
&nbsp;  
&nbsp;

hooleylist · Answer

Hi Andrea, 
&nbsp;  
&nbsp; That syntax is okay, but wouldn't handle an attacker who makes a request for /nonexistent_directory/../cms/.  See this post for details: 
&nbsp;  
&nbsp; Irule for restriciting URL paths unsecure  
&nbsp; http://devcentral.f5.com/Default.aspx?tabid=53&amp;forumid=5&amp;tpage=1&amp;view=topic&amp;postid=30900  
&nbsp;  
&nbsp; Aaron

hooleylist · Answer

Is the datagroup defined as a type 'address'?  Can you add more logging to the iRule and retest?

when HTTP_REQUEST { 
  
    log local0. "[IP::client_addr]:[TCP::local_port]: New [HTTP::method] request to [HTTP::host][HTTP::uri]" 
  
    if { [HTTP::uri] starts_with "/cms/" }{ 
  
       log local0. "[IP::client_addr]:[TCP::local_port]: Matched URI check.  Class contents: $::Agusta_internal" 
  
       if {not [matchclass [IP::client_addr] equals $::Agusta_internal]} { 
  
          log local0. "[IP::client_addr]:[TCP::local_port]: Matched IP check. Discarding request to [HTTP::uri]" 
          drop 
       } 
    } 
 }

Aaron

andrea_361 · Answer

Yes, is defined as address, tomorrow I'll be able to retest and give more info. 
&nbsp; I'll keep you informed. 
&nbsp;  
&nbsp; Thanks to all!

hooleylist · Answer

Can you test this on a test VIP so it doesn't affect any live traffic?  If so, can you add the iRule example I posted above and reply with the output from /var/log/ltm? 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Aaron

Forum Discussion

URI access restricted to ip subnet

4 Replies

Recent Discussions

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Related Content

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

SSL Orchestrator Advanced Use Cases: Enabling GCloud Organization Restrictions

Restricting access to a virtual server by Public IP address should access through only domain name.

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Restricting direct access from public IP