Forum Discussion

tnastars_92934
Feb 02, 2010

Help with iRule to limit access via an address data group

Hello,

I have created the iRule below. I am trying to limit access to a URL based on a specific URI, but allow all traffic to any other URI going to the virtual server. My main question is: how do I specify what pool of addresses to send the traffic to? I think this will work if I can leave a default pool on the virtual server as well as an iRule. Is that possible? If not, is there code I can add to my iRule to specify the pool I wish to send traffic to?

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/Foo/" } {
        if { not [matchclass [IP::client_addr] equals $::Foo_IPs] } {
            HTTP::respond 403 content "403 - Forbidden"
        }
    }
}

7 Replies

  • If you don't specify a pool for any case in the iRule, the VIP's default pool will be used for requests you don't send a response to from the iRule.

    There is a potential issue with trying to do security validation of URIs in an iRule though. See this post for details:

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=30900

    Aaron
  • Hoolio,

    Thank you for the fast response. Can I just clarify what you are trying to say? I can leave a default pool on the virtual server as well as the iRule? If I understand that correctly, I am assuming that the F5 looks at the iRule first and, if the criteria are not met, then it sends it to the default pool. If the iRule criteria are met then the iRule would send back the 403 - Forbidden? Also, I looked at the post you pointed me to. Is that saying that I should use HTTP::path instead of the HTTP::uri command? Is this what you are suggesting:

    when HTTP_REQUEST {
        if { [HTTP::path] starts_with "/PAPayments/" } {
            if { not [matchclass [IP::client_addr] equals $::good_IP] } {
                HTTP::respond 403 content "403 - Forbidden"
            }
        }
    }

  • Sorry Hoolio, I copied an old version of my iRule above. Is this what you are suggesting I should do:

    when HTTP_REQUEST {
        if { [HTTP::path] starts_with "/Foo/" } {
            if { not [matchclass [IP::client_addr] equals $::Foo_IPs] } {
                HTTP::respond 403 content "403 - Forbidden"
            }
        }
    }
  • That should work to send all traffic you don't send an HTTP response to from the iRule to the VIP's default pool.

    But the problem with that is that an attacker could obfuscate their request for /Foo/ using several directory traversal or encoding methods. Check the post I linked to in my first reply for details on that.

    Aaron
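    The point Aaron raises above is that a prefix comparison on the raw path only protects the exact spelling /Foo/. As an added illustration (not code from this thread and not an F5 iRule), the Python model below canonicalizes the path first (percent-decoding, "." and ".." resolution, duplicate-slash collapsing) and then applies the same allow-list decision the thread's iRule makes: under the restricted prefix and client not in the address data group means 403, everything else goes to the default pool. The Foo_IPs networks and the sample requests are constructed; the case-folding step is an assumption that the back-end treats paths case-insensitively and goes beyond the thread's case-sensitive starts_with.

```python
import ipaddress
from urllib.parse import unquote

# Constructed stand-in for the "Foo_IPs" address data group in the thread.
FOO_IPS = [
    ipaddress.ip_network("10.1.2.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),
]
RESTRICTED_PREFIX = "/foo/"   # compared against the canonical, lower-cased path


def normalize_path(raw_path: str) -> str:
    """Return one canonical form of a request path for prefix comparison.

    The raw value the iRule's starts_with sees can spell /Foo/ many ways
    (percent-encoding, /./ and /../ segments, doubled slashes).  This
    strips any query or fragment, decodes percent-encoding until it stops
    changing, resolves dot segments, collapses empty segments and
    lower-cases the result (assumption: the back-end is case-insensitive).
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):                       # bounded: double-encoding collapses too
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                         # empty (doubled slash) or current-dir segment
        if seg == "..":
            if segments:
                segments.pop()               # parent-dir segment: drop the previous one
            continue
        segments.append(seg)
    normalized = "/" + "/".join(segments)
    if path.endswith("/") and normalized != "/":
        normalized += "/"                    # keep a trailing slash the client sent
    return normalized.lower()


def decide(client_ip: str, raw_path: str) -> str:
    """Mirror the iRule: '403' for outsiders under the prefix, else 'default-pool'."""
    addr = ipaddress.ip_address(client_ip)
    path = normalize_path(raw_path)
    under_foo = path == RESTRICTED_PREFIX.rstrip("/") or path.startswith(RESTRICTED_PREFIX)
    allowed = any(addr in net for net in FOO_IPS)
    if under_foo and not allowed:
        return "403"
    return "default-pool"


if __name__ == "__main__":
    # Constructed requests: one allowed client, one outside client using
    # different spellings of the same restricted location.
    for ip, path in [("10.1.2.5", "/Foo/admin"),
                     ("203.0.113.9", "/Foo/admin"),
                     ("203.0.113.9", "/%46oo/admin"),
                     ("203.0.113.9", "/public/../Foo/admin"),
                     ("203.0.113.9", "/public/index.html")]:
        print(f"{ip:15} {path:28} -> {normalize_path(path):14} {decide(ip, path)}")
```

    The decision is taken on the output of normalize_path only, so every spelling that resolves to the same location gets the same answer; the raw path is never compared directly.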
  • Aaron,

    I just implemented this rule, but it does not seem to be working. I added it to a virtual server using port 443 with an SSL client profile (self-signed cert). There is also a port 80 redirect rule (redirecting traffic to 443) for the same VIP. The back-end servers are listening on port 7785. Should any of these factors contribute to the rule not working properly? As I understand it, the LTM decrypts the traffic, tries to match it against an iRule and then sends it to the default pool if there is no match on the iRule. Is this correct? Any suggestions to get this working?

    Thanks in advance

    Tom
  • Hi Tom,

    That's correct. What are the symptoms of the problem? Can you add logging to the iRule to see what's happening?

    when HTTP_REQUEST {
        log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::method] to [HTTP::host][HTTP::uri]"
        if { [HTTP::path] starts_with "/foo/" } {
            log local0. "[IP::client_addr]:[TCP::client_port]: Matched path check"
            if { not [matchclass [IP::client_addr] equals $::foo_IP] } {
                log local0. "[IP::client_addr]:[TCP::client_port]: Blocking request"
                HTTP::respond 403 content "403 - Forbidden"
            }
        }
    }

    Aaron
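    The three log statements in Aaron's iRule above share a "client:port: message" prefix, which makes the resulting /var/log/ltm lines easy to correlate. As an added example (not from the thread and not F5 tooling), the Python below parses lines in that format and reports, per client address, how many requests were seen, how many hit the path check and how many were blocked, together with the targets that were blocked. The log lines are constructed to match the iRule's format, and the parser assumes IPv4 client addresses so the first colon ends the address.

```python
import re
from collections import defaultdict

# Constructed log lines in the "<ip>:<port>: <message>" shape the iRule emits;
# these are not real LTM output.
SAMPLE_LOG = """\
10.1.2.5:51234: GET to www.example.com/foo/admin
10.1.2.5:51234: Matched path check
203.0.113.9:40001: GET to www.example.com/foo/admin
203.0.113.9:40001: Matched path check
203.0.113.9:40001: Blocking request
203.0.113.9:40002: GET to www.example.com/index.html
198.51.100.7:3344: POST to www.example.com/foo/submit
198.51.100.7:3344: Matched path check
198.51.100.7:3344: Blocking request
"""

# Assumption: IPv4 addresses, so the first ':' separates address from port.
LINE_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+): (?P<msg>.*)$")
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) to (?P<target>\S+)$")


def summarize(log_text: str) -> dict:
    """Per client IP: request, path-match and block counts plus blocked targets."""
    stats = defaultdict(lambda: {"requests": 0, "matched": 0,
                                 "blocked": 0, "blocked_targets": []})
    last_target = {}  # (ip, port) -> target of that connection's latest request line
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # not one of the iRule's lines
        ip, port, msg = m.group("ip"), m.group("port"), m.group("msg")
        entry = stats[ip]
        req = REQUEST_RE.match(msg)
        if req:
            entry["requests"] += 1
            last_target[(ip, port)] = req.group("target")
        elif msg == "Matched path check":
            entry["matched"] += 1
        elif msg == "Blocking request":
            entry["blocked"] += 1
            # Tie the block back to the request logged on the same client:port.
            entry["blocked_targets"].append(last_target.get((ip, port), "?"))
    return dict(stats)


def blocked_clients(stats: dict) -> list:
    """Sorted list of client addresses that were refused at least once."""
    return sorted(ip for ip, e in stats.items() if e["blocked"] > 0)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, e in sorted(summary.items()):
        print(f"{ip:15} requests={e['requests']} matched={e['matched']} "
              f"blocked={e['blocked']} targets={e['blocked_targets']}")
    print("blocked clients:", blocked_clients(summary))
```

    Because the "Matched path check" and "Blocking request" lines carry no URI of their own, the parser keys the latest request line by client address and ephemeral port; that is exactly why the iRule logs the port alongside the address.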
  • Aaron,

    I took the code you pasted above and used it, and the rule is working properly. I am not sure what is different between yours and mine. All I can think of is that maybe I missed a bracket somewhere. Anyway, it seems to be doing what I need it to do. Thank you for your help!

    Tom