Forum Discussion

haxzorian_35595
Nimbostratus
Apr 01, 2017

Blocking admin uri via IP address and keyword?

Hello All,

Is there a proper way to block access to admin URIs using a keyword and IP address? Such as, if the request comes from 192.168.0.0/16 space and contains /platform/*, allow the connection. If those two things don't match, drop the request?

I've used this from CodeShare, however, it doesn't look for the IP address variable.

when HTTP_REQUEST {
    # Reject any request whose lower-cased URI falls under /platform/,
    # regardless of which client sent it
    switch -glob [string tolower [HTTP::uri]] {
        "/platform/*" { reject }
        default { return }
    }
}

So it just blocks my Web Admins from being able to use the console for edits. All in all, I'm looking for some direction to employ best practices in doing something like this.

Thank you in advance!

2 Replies

  • Snl
    Cirrostratus

    Try the steps below:

    1) Created a data group list named allowed-host and added the IP range 192.168.0.0/16.

    2) Created the iRule below, which references the data group list allowed-host.

    when HTTP_REQUEST {
        # Only police the admin area
        if { [string tolower [HTTP::uri]] starts_with "/platform/" } {
            # Reject unless the client address is listed in the allowed-host data group
            if { not [class match [IP::client_addr] equals allowed-host] } {
                reject
            }
        }
    }
  • Hi haxzorian,

    To make your blacklist more robust and to include the required IP exemptions, you may take a look at the iRule samples below.

    Example 1: Using a matching condition that isn't prone to escape sequences

    when HTTP_REQUEST {
        # Match on the raw (undecoded) path, so an escape sequence cannot hide the prefix
        if {     ( [string tolower [HTTP::path]] starts_with "/platform" )
         and not ( [class match [IP::client_addr] equals allowed-host] ) } then {
            # Reject the request
            reject
        } else {
            # Allow the request
        }
    }
    

    Example 2: Utilizing the [URI::decode] command to unescape possible URI escape sequences.

    when HTTP_REQUEST {
        # Decode escape sequences before matching, so /platform%2F... is seen as /platform/...
        if {     ( [URI::decode [string tolower [HTTP::path]]] starts_with "/platform/" )
         and not ( [class match [IP::client_addr] equals DG_Allowed_IPs] ) } then {
            # Reject the request
            reject
        } else {
            # Allow the request
        }
    }
    

    Note: Both examples should work stably even if a bad guy requests a URL like https://www.yoursite.de/platform%2Fsomefolder/somepage.php

    Cheers, Kai
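Added example, not code from the original thread or from F5: a plain-Python model of the matching logic in the iRules posted by Snl and Kai above and in the OP's CodeShare rule, run against constructed requests so the URL-escaped slash case Kai mentions can be checked offline. `ipaddress` stands in for the address data group and `urllib.parse.unquote` for `URI::decode`; `ALLOWED_NETS`, `decide`, the matcher function names and the sample requests are assumptions made for this example. It goes one step beyond the thread with a `matches_hardened` variant that decodes before lower-casing.

```python
"""Plain-Python model of the /platform matchers posted in this thread.

Added example, not code from the original thread or from F5. The matcher
functions re-implement the decision logic of the posted iRules so the
URL-escaping case Kai describes can be exercised offline; ALLOWED_NETS,
the function names and the sample requests below are assumptions made
for this example.
"""
import fnmatch
import ipaddress
from urllib.parse import unquote

# Stand-in for the "allowed-host" address data group (assumed: one CIDR entry).
ALLOWED_NETS = [ipaddress.ip_network("192.168.0.0/16")]


def client_allowed(client_ip: str) -> bool:
    """Mirror of `class match [IP::client_addr] equals allowed-host`."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETS)


def matches_original(path: str) -> bool:
    """OP's CodeShare rule: glob `/platform/*` against the lower-cased raw URI."""
    return fnmatch.fnmatchcase(path.lower(), "/platform/*")


def matches_example1(path: str) -> bool:
    """Kai's Example 1: `starts_with "/platform"` on the lower-cased, undecoded path."""
    return path.lower().startswith("/platform")


def matches_example2(path: str) -> bool:
    """Kai's Example 2: lower-case, then URI::decode, then `starts_with "/platform/"`."""
    return unquote(path.lower()).startswith("/platform/")


def matches_hardened(path: str) -> bool:
    """Assumed variant (not from the thread): decode first, then lower-case,
    so an escape that decodes to an upper-case letter is still case-folded."""
    return unquote(path).lower().startswith("/platform/")


def decide(matcher, client_ip: str, path: str) -> str:
    """Allow unless the path hits the admin area AND the client is outside the allow-list."""
    if matcher(path) and not client_allowed(client_ip):
        return "reject"
    return "allow"


MATCHERS = {
    "original": matches_original,
    "example1": matches_example1,
    "example2": matches_example2,
    "hardened": matches_hardened,
}

# Constructed sample requests (client IP, raw path); not captured traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5",     "/platform/users"),
    ("192.168.10.5", "/platform/users"),
    ("10.0.0.5",     "/PLATFORM/users"),
    ("10.0.0.5",     "/platform%2Fsomefolder/somepage.php"),
    ("10.0.0.5",     "/%50latform/users"),
    ("10.0.0.5",     "/static/app.js"),
]


def evaluate(client_ip: str, path: str) -> dict:
    """Decision of every matcher for one request, keyed by matcher name."""
    return {name: decide(fn, client_ip, path) for name, fn in MATCHERS.items()}


if __name__ == "__main__":
    print(f"{'client':<14}{'path':<40}" + "".join(f"{n:<10}" for n in MATCHERS))
    for ip, raw_path in SAMPLE_REQUESTS:
        row = evaluate(ip, raw_path)
        print(f"{ip:<14}{raw_path:<40}" + "".join(f"{row[n]:<10}" for n in MATCHERS))
```

Running it shows that `/platform%2Fsomefolder/somepage.php` slips past the glob rule but is caught by both of Kai's examples, and that lower-casing before decoding (Example 2's order) leaves `/%50latform/users` unmatched, because `%50` decodes to an upper-case `P` after the case folding has already run; decoding first closes that. None of the posted rules, nor this model, collapse `..` segments, so how the origin server normalises those is a separate check.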