Forum Discussion

tran_93981
Nimbostratus
Jun 04, 2014

redirect if hosts are on the external segment

I am trying to write an iRule to achieve the following:

  • If users are on the trusted network segment, they can view and edit the page http://www.mycompany.com/ and any URI after www.mycompany.com
  • If users are on the un-trusted network segment and they are trying to access http://www.mycompany.com/user, they are redirected to http://www.mycompany.com/
  • If users are on the un-trusted segment and they are trying to access http://www.mycompany.com/department1/user, or http://www.mycompany.com/department2 and so on, they are redirected to http://www.mycompany.com/department1, http://www.mycompany.com/department2, etc. respectively

 

Here is my iRule:

    when HTTP_REQUEST {
        if { [IP::addr [IP::client_addr] equals 10.10.10.5/32] or [IP::addr [IP::client_addr] equals 192.168.100.0/24] } {
            log local0. "First IF"
            pool seattle-only
        } elseif { [HTTP::uri] starts_with "/user" } {
            log local0. "First Elseif"
            HTTP::redirect "http://[HTTP::host]"
        } elseif { [HTTP::uri] starts_with "/*/user" } {
            # starts_with is a literal prefix comparison; "*" is not a wildcard here
            log local0. "SECOND ElseIf"
            # a Tcl variable name cannot contain "-": $new-uri reads variable "new" followed by the text "-uri"
            set new-uri [getfield [HTTP::uri] "/" 2]
            log local0. "2nd elseif $new-uri"
            HTTP::redirect "http://[HTTP::host]/$new-uri"
        } else {
            pool seattle-only
            log local0. "LAST ELSE [HTTP::uri]"
        }
    }

 

I tested it, and when I am on the untrusted network segment and try to access http://www.mycompany.com/department1/user, I can still go straight to http://www.mycompany.com/department1/user; my iRule does not redirect me to http://www.mycompany.com/department1. So I think the statement ([HTTP::uri] starts_with "/*/user") does not work, but I am not sure why, or how to fix it.

 

Do you have any suggestions?

 

Thanks,
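As an added illustration (not code from the original post), the plain Tcl script below, runnable in tclsh, shows why a `starts_with "/*/user"` test can never match a real department path, and how `getfield` numbers its fields. The iRule commands `starts_with` and `getfield` do not exist in stock Tcl, so stand-ins with the same semantics are defined here only to keep the script self-contained; the sample URIs are constructed.

```tcl
#!/usr/bin/env tclsh
# Added example for this thread, not code posted by anyone in it. Stand-ins for
# the iRule commands starts_with and getfield are written in stock Tcl so the
# script runs in plain tclsh; the sample URIs below are constructed.

# starts_with compares the prefix literally, character by character.
proc starts_with {s prefix} {
    return [string equal -length [string length $prefix] $s $prefix]
}

# getfield: 1-based field number, split on the separator. For a path, field 1 is
# the empty string before the leading "/", so field 2 is the first segment.
proc getfield {s sep n} {
    return [lindex [split $s $sep] [expr {$n - 1}]]
}

# Constructed request URIs (what HTTP::uri would carry, query string included)
set uris {
    /user
    /user/profile
    /department1/user
    /department1/user/edit
    /Department2/User?tab=1
    /department3
    /*/user
}

puts [format "%-26s %-12s %-12s %s" URI starts_with string_match field2]
foreach uri $uris {
    # HTTP::path is the URI without the query string; lower-case it because
    # string match and switch -glob are case-sensitive
    set path [string tolower [lindex [split $uri "?"] 0]]

    # Literal test from the original iRule: only a path that literally begins
    # with the characters "/*/user" satisfies it
    set literal [starts_with $path "/*/user"]

    # Glob test: "*" is a wildcard here, and it also spans "/"
    set glob [string match "/*/user*" $path]

    puts [format "%-26s %-12d %-12d %s" $uri $literal $glob [getfield $path "/" 2]]
}
```

Only the constructed URI `/*/user` makes the literal test true; every department path fails it, while the glob test matches `/department1/user`, `/department1/user/edit` and the mixed-case `/Department2/User` once the path is lower-cased.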

 

12 Replies

  • e.g.

    config

    [root@ve11a:Active:In Sync] config # tmsh list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
          if { [IP::addr [IP::client_addr] equals 10.10.10.5/32] or [IP::addr [IP::client_addr] equals 192.168.100.0/24] } {
            # trusted network segment
            pool seattle-only
            return
          }

          # un-trusted network segment
          switch -glob [string tolower [HTTP::path]] {
            "/user*" { HTTP::redirect "http://[HTTP::host]" }
            "/department1/user*" { HTTP::redirect "http://[HTTP::host]/department1" }
            "/department2*" { HTTP::redirect "http://[HTTP::host]/department2" }
            default {
              pool seattle-only
            }
          }
        }
    }

    test

    [root@ve11a:Active:In Sync] config # curl -I http://172.28.24.10/user/something -H "Host: www.mycompany.com"
    HTTP/1.0 302 Found
    Location: http://www.mycompany.com
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

    [root@ve11a:Active:In Sync] config # curl -I http://172.28.24.10/department1/user/something -H "Host: www.mycompany.com"
    HTTP/1.0 302 Found
    Location: http://www.mycompany.com/department1
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

    [root@ve11a:Active:In Sync] config # curl -I http://172.28.24.10/department2/something -H "Host: www.mycompany.com"
    HTTP/1.0 302 Found
    Location: http://www.mycompany.com/department2
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
    
    
  • Thanks for the reply. I cannot use [HTTP::uri] ends_with "/user" because users can enter additional URI after the "/user".

     

  • Thanks very much Nitass. I did not see your post. Now I do. I will try your suggestions and update this.

     

  • There are many departments: department1, department2, department3, etc., and I don't know what they are or will be. So I would like "department1/user" or "department2/user" to be matched by "/*/user", but I am not sure how to insert the department wildcard in the HTTP redirect (HTTP::redirect "http://[HTTP::host]/*").

     

    I am trying with "getfield". I modified the iRule to be like this:

        when HTTP_REQUEST {
            # if the request is from the trusted network segments
            if { [IP::addr [IP::client_addr] equals 10.10.10.5/32] or [IP::addr [IP::client_addr] equals 192.168.100.0/24] } {
                log local0. "First IF"
                pool seattle-only
                return
            }
            # if the request is from untrusted network segment
            switch -glob [string tolower [HTTP::uri]] {
                "/user" { HTTP::redirect "http://[HTTP::host]" }
                "/*/user" {
                    # a Tcl variable name cannot contain "-": $new-uri reads variable "new" followed by the text "-uri"
                    set new-uri [getfield [HTTP::uri] "/" 2]
                    HTTP::redirect "http://[HTTP::host]/$new-uri"
                }
                default { pool seattle-only }
            }
        }

     

    but it was unsuccessful.

     

  • I checked my recent post and somehow the wildcard asterisks (*) have disappeared from the "/*/user" and the (HTTP::redirect "http://[HTTP::host]/*"). They are supposed to be "/*/user" and (HTTP::redirect "http://[HTTP::host]/*").

     

  • If you want to keep trying with filtering on "/user", you could try using "contains". I have had success with that. However, it is a bit more open-ended, so it will match if "/user" appears anywhere in the URI.

        when HTTP_REQUEST {
            if { [HTTP::uri] contains "/user" } {
                HTTP::redirect "yourdestinationhere"
            }
        }

  • I am trying to match the "department1", "department2", etc... right after the [HTTP::host] with the wildcard, the asterisk (*) but I am struggling.

     

    • Steve_M__153836
      Nimbostratus
      I think you might just have to use a variable pointing to a data group and populate that data group with whatever departments/names might be used. It seems that maybe there are too many variables to do this in a straightforward iRule.
  • I want to do:

     

    After reading Nitass's answer and looking up more on devcentral, I have the iRule code to achieve those and it seems to work:

     

    when HTTP_REQUEST {
        # if the request is from the trusted network segments
        if { [IP::addr [IP::client_addr] equals 10.10.10.3/32] or [IP::addr [IP::client_addr] equals 10.55.88.0/24] } {
            log local0. "First IF"
            pool seattle-only
            return
        }
        # if the request is from untrusted network segment
        switch -glob [string tolower [HTTP::path]] {
            "/user" {
                log local0. "1st SWITCH PATH:[HTTP::path] URI:[HTTP::uri]"
                HTTP::redirect "http://[HTTP::host]"
            }
            "/*/user" {
                set new_uri [getfield [HTTP::uri] "/" 2]
                log local0. "WILD CARD SWITCH PATH:[HTTP::path] URI:[HTTP::uri] NEW_URI: $new_uri"
                HTTP::redirect "http://[HTTP::host]/$new_uri"
            }
            default {
                log local0. "DEFAULT: PATH:[HTTP::path] URI:[HTTP::uri]"
                pool seattle-only
            }
        }
    }

     

    Thanks,
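The following is an added, generalized version of the rule worked out in this thread; it is not code posted by any participant. It reuses the thread's pool name `seattle-only` and the trusted addresses from the original post, and assumes the department is always the first path segment. Two details in the posted rules are worth watching: with `switch -glob`, a pattern such as `"/user"` with no wildcard matches only the exact path `/user`, not `/user/profile`, while a pattern such as `"/department2*"` also matches `/department2` itself and redirects it to the same location, which a browser will follow in a loop. The version below matches either the exact path or anything below it, and sends a bare `/department1` to the pool rather than redirecting it. Because glob `*` also spans `/`, a path like `/a/b/user` matches and redirects to `/a`. As in the thread's rules, the redirect target is built from the client-supplied `Host` header; substitute a fixed hostname if reflecting that header is not acceptable in your environment.

```tcl
# Added example for this thread, not code posted by anyone in it. Keeps the
# thread's pool name and trusted addresses; assumes the department name is
# always the first path segment.
when HTTP_REQUEST {
    # Trusted segment: serve everything, no redirects
    if { [IP::addr [IP::client_addr] equals 10.10.10.5/32] or [IP::addr [IP::client_addr] equals 192.168.100.0/24] } {
        pool seattle-only
        return
    }

    # Untrusted segment. Match on HTTP::path rather than HTTP::uri so a query
    # string (/user?tab=1) cannot change which pattern fires; lower-case it
    # because switch -glob is case-sensitive. "--" ends option parsing so a path
    # that happens to start with "-" is still treated as the string to match.
    set path [string tolower [HTTP::path]]
    switch -glob -- $path {
        "/user" -
        "/user/*" {
            # Exactly /user, or anything below it. Deliberately not "/user*",
            # which would also catch unrelated paths such as /username.
            HTTP::redirect "http://[HTTP::host]/"
        }
        "/*/user" -
        "/*/user/*" {
            # Any department: getfield is 1-based and field 1 is the empty text
            # before the leading slash, so field 2 is the department segment.
            # Take it from the original-case path so the redirect keeps the
            # server's casing.
            set dept [getfield [HTTP::path] "/" 2]
            HTTP::redirect "http://[HTTP::host]/$dept"
        }
        default {
            # /department1 itself lands here and is served, so the redirect
            # issued above never points back at a path that redirects again.
            pool seattle-only
        }
    }
}
```

The redirect issued for `/department1/user/edit` is `http://www.mycompany.com/department1`, and that path falls into `default` on the follow-up request, so there is no loop; `/user/anything` goes to the site root for the same reason.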