Forum Discussion

zahid_113975
Nimbostratus
Sep 23, 2013

Based on two specific strings in the URL, allow, then restrict only a few incoming IP addresses.

Thank you in advance for help with this. I need to allow / restrict access to the application for the situation where the same VIP will be hit in the following two cases:

Use case 1) ogw/web context: Users --> VIP x.x.x.x (F5) --> If the context of the application is https://int.entservices.com/abc_services/ogw/web/****, F5 should allow all requests (no IP restriction).

Use case 2) For the EMFBus context root, the request should be restricted based on IPs. Users --> VIP x.x.x.x (F5) --> If the context of the application is https://int.entservices.com/abc_services/EMFBus/****, F5 should allow the request based on the allowed IPs only. Here is the list of IPs:

    Allow from 204.14.232.0/23 for East Coast Data Center (set one)
    Allow from 204.14.238.0/23 for West Coast Data Center (set two)
    Allow from 96.43.144.64/31 for Email service
    Allow from 96.43.148.64/31 for Email service
    + a dozen more

Will it be one iRule or a combination of more than one iRule?

Thanks, Zahid.

5 Replies

  • simple solution...

    Create a single iRule which checks the context, [HTTP::uri] == "/abc" or "/123" (the app URI, e.g. /abc or /123), for each case.

    For case 1, where no IP restriction is required, just route to the pool for that app.

    For case 2, put the restricted src_ips in a datagroup; then, after checking for that URI in the HTTP request, check for the src_ip via the datagroup: if not there, reject, otherwise route to the pool for that app.

    I can provide an example irule if required, let me know.

    thx

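As an added example that is not part of this thread, here is a plain-Python model of the single-iRule policy described in this reply, using the context roots and the four listed subnets from the question, so the decision table can be checked offline before anything is deployed. The pool names, the segment-boundary prefix match and the IPv6 handling are assumptions of the example, not something the thread specifies.

```python
from ipaddress import ip_address, ip_network

# Context roots from the question. The "dozen more" subnets the poster
# mentions are not on the page, so only the four listed ones appear here.
OPEN_PREFIX = "/abc_services/ogw/web"
RESTRICTED_PREFIX = "/abc_services/EMFBus"
EMFBUS_ALLOWED = [ip_network(n) for n in (
    "204.14.232.0/23",   # East Coast data center (set one)
    "204.14.238.0/23",   # West Coast data center (set two)
    "96.43.144.64/31",   # email service
    "96.43.148.64/31",   # email service
)]


def path_under(path: str, prefix: str) -> bool:
    """True when path is prefix itself or lies beneath it.

    A bare starts_with check would also accept "/abc_services/EMFBusX/...",
    so the comparison is forced onto a path-segment boundary.
    """
    return path == prefix or path.startswith(prefix + "/")


def decide(path: str, client_ip: str) -> str:
    """Return the action the iRule would take: a pool name or "reject".

    path is the request path without the query string (what [HTTP::path]
    returns), so "/x?y=/abc_services/ogw/web" cannot pose as the open app.
    Pool names are assumed for illustration.
    """
    if path_under(path, OPEN_PREFIX):
        return "ogw_web_pool"          # use case 1: no IP restriction
    if path_under(path, RESTRICTED_PREFIX):
        addr = ip_address(client_ip)   # raises ValueError on garbage input
        # an IPv6 client is never "in" an IPv4 network, so it is rejected
        if any(addr in net for net in EMFBUS_ALLOWED):
            return "emfbus_pool"       # use case 2: source on the allow list
        return "reject"                # default deny: no silent fall-through
    return "default_pool"              # other paths: the virtual's default pool


if __name__ == "__main__":
    for p, ip in (("/abc_services/ogw/web/login", "203.0.113.5"),
                  ("/abc_services/EMFBus/queue", "204.14.233.10"),
                  ("/abc_services/EMFBus/queue", "204.14.234.10")):
        print(p, ip, "->", decide(p, ip))
```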

  • Thank you for that, much appreciated. Yes please, an example would be nice. That is where I was struggling.

    Thanks.

  • First create a datagroup with whatever name you want (e.g. APPNAME_ALLOWED_IP) and add the src IPs you want in the list to be allowed to access the app2 URI.

    when HTTP_REQUEST {
      # capture the request URI once so both prefix checks use the same value
      set uri [HTTP::uri]
      if { $uri starts_with "/wideopenapp" } {
        # case 1: no IP restriction, just route to the app pool
        pool wideopenapp_pool
      } elseif { $uri starts_with "/restrictedapp" } {
        # case 2: APPNAME_ALLOWED_IP is an address-type data group of allowed sources
        if { [class match [IP::remote_addr] equals APPNAME_ALLOWED_IP] } {
          pool appname_pool_restricted
        } else {
          # source not in the data group: reject rather than fall through
          reject
        }
      }
    }
    
  • bwolmarans_1284
    Historic F5 Account
    when HTTP_REQUEST {

      set HOST_NAME "webserver.local"
      set NO_IP_RESTRICTION_PATH "/app1"
      set IP_RESTRICTED_PATH "/app2"
      set DEBUG 1

      if { $DEBUG } { log local0. "DEBUG: [HTTP::host] [HTTP::path] [IP::client_addr]" }
      if { [HTTP::host] == $HOST_NAME } {
        # /app1 is wide open; only other paths are checked against the restricted path
        if { ! ([HTTP::path] starts_with $NO_IP_RESTRICTION_PATH) } {
          if { [HTTP::path] starts_with $IP_RESTRICTED_PATH } {
            set clientip [IP::client_addr]
            # FOX_SALESFORCE_SUBNETS is an address-type data group of allowed source subnets
            if { ! ([class match $clientip equals FOX_SALESFORCE_SUBNETS]) } {
              reject
            }
          }
        }
      }
      # requests that are not rejected continue to the virtual server's default pool
    }
    
    • bwolmarans_1284
      Historic F5 Account
      I was working on this while JPV was posting - I'm too slow :-) In my version I tried to simplify it as best I could, and it is one iRule that does both functions. I ran a little bit of testing and it seems to work. Please give it a test.