Forum Discussion

John_Cassidy_13
Feb 21, 2014

IP and HTTP Events iRule

We have a new web app that we want to lock down to not only source IP address but also the web URI. Each customer has a different interface on the web app so we want to send requests to a different pool based on URI. However, we do not want customer A gaining access to customer B's site, thus the source IP address lookup.

Below is what I tried to do on a first attempt. Is there a way to do this when the client connects and not every HTTP request?

when HTTP_REQUEST {
    # Customer A: source address must be in CustA_Source_IPs AND the URI must be exactly /custa
    if { [matchclass $::CustA_Source_IPs contains [IP::client_addr]] and [HTTP::uri] eq "/custa" } {
        pool CustomerA_Pool
    } elseif { [matchclass $::CustB_Source_IPs contains [IP::client_addr]] and [HTTP::uri] eq "/custb" } {
        # Customer B: same check against its own address list and URI
        pool CustomerB_Pool
    } else {
        # Anything else (unknown source, unknown URI, or a mismatched pair) is dropped.
        # Note: in Tcl the elseif/else keywords must follow the closing brace on the
        # same line; putting them on a new line ends the if command early.
        drop
    }
}

3 Replies

  • Richard__Harlan
    Historic F5 Account

    What I would look at doing is, in the CLIENT_CONNECTED event, have a data group with IP:clientID. When the IP is looked up, the value returned is the clientID. Then in HTTP_REQUEST you can use the clientID that was returned in CLIENT_CONNECTED as the datagroup name for all the URIs the client can connect to.

    This will still require one lookup per HTTP request, but it would cut down the IP lookups and make the iRule easier to maintain, as all you would need to do is create one data group per customer with the same name as the clientID in the IP lookup. Just a thought.
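An added worked example of the approach Richard describes above (this is not code from the thread; the per-connection event in LTM is CLIENT_ACCEPTED). It assumes three hypothetical data groups: an address-type group `client_ips` whose values are customer ids, and one string-type group per customer, `custa_uris` and `custb_uris`, whose keys are permitted URI prefixes and whose values are the pool names from the original question.

```tcl
# Added example, not from the thread. Assumed data groups (constructed names):
#   client_ips  (address): 10.1.0.0/24 := custa   10.2.0.0/24 := custb
#   custa_uris  (string):  /custa := CustomerA_Pool
#   custb_uris  (string):  /custb := CustomerB_Pool
when CLIENT_ACCEPTED {
    # One address lookup per TCP connection, not per HTTP request.
    # Variables set here stay visible to later events on the same connection.
    set client_id [class match -value [IP::client_addr] equals client_ips]
    if { $client_id eq "" } {
        # Source address belongs to no customer: reset before any HTTP is parsed.
        reject
        return
    }
    # Name of the per-customer data group listing the URIs this client may reach.
    set uri_dg "${client_id}_uris"
}

when HTTP_REQUEST {
    # Decode (single level) and lower-case once so the allow-list compares the
    # same form the server will see.
    set path [string tolower [URI::decode [HTTP::uri]]]
    # Only the caller's own data group is consulted, so customer A can never
    # match a key that lives in custb_uris. starts_with treats "/custa" as a
    # prefix, so list "/custa/" instead if sibling paths such as "/custab" exist.
    set target [class match -value $path starts_with $uri_dg]
    if { $target eq "" } {
        # Known customer asking for a URI outside its own list: refuse and close.
        HTTP::respond 403 content "Forbidden" "Connection" "close"
        return
    }
    pool $target
}
```

Because the address lookup is bound to the TCP connection, a client cannot change its apparent source mid-connection, but source-address allow-listing alone still breaks behind NAT or a forward proxy that shares one address across customers.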

  • I did this a while ago. Here is the best way to do this. Your prefix URIs below are /xl and /ce. The source IP lists that secure each customer's prefix URIs go into the acl datagroup objects as address type.

    
    when HTTP_REQUEST {
        # Route on the decoded, lower-cased URI prefix; each prefix has its own address data group.
        switch -glob [URI::decode [string tolower [HTTP::uri]]] {
            "/xl*" {
                if { [class match [IP::remote_addr] equals $::xl_acl] } { return }
            }
            "/ce*" {
                if { [class match [IP::remote_addr] equals $::ce_acl] } { return }
            }
        }
        # Reached for an unknown prefix, or for a known prefix whose source address is not in
        # that prefix's ACL (the original fell through to the default pool in that second case).
        discard
    }