Forum Discussion

Chenco_322726
Jun 13, 2017
Solved

restrict website to only specific ip addresses on same VS

Hello friends, I have many domains on the same VS, and I am trying to restrict access to only specific IP addresses. The problem is that I found some iRules on Google, but since I have many domains on the same VS, they block every domain on the VS.

Any help will be appreciated.

  • You could create a data group with the allowed IP addresses, and then reference them in an iRule that only matches if the host header is :

    when HTTP_REQUEST {
        if { [HTTP::host] equals "www.example.com" } {

            # Require the client IP address to be present in data group dg_example.com (allowed source IPs)
            if { ! [class match [IP::client_addr] eq dg_example.com] } {
                drop
                return
            }
        }

    }


5 Replies

    • Ed_Summers

      Looks like you beat me to it. And I refreshed the page prior to posting to make sure I didn't come out a fool! ;)


  • Your question already provides a decent pseudo-code:

    If the request is for { if client_IP is not xxx { drop connection } }

    Following is a simple (untested) example. Create an internal data group of type IP called 'allowed_ip' and include all IP addresses that should be allowed to this host.

    This checks the Host header of the incoming connection to see if it matches ''. If yes, it checks the client IP address. If the address is NOT in the data group, it drops the connection. If the address is in the data group, the iRule takes no action (connection allowed).

    when HTTP_REQUEST {
        # Only act on requests for the restricted host; lower-case the Host header before comparing
        if { [string tolower [HTTP::host]] equals "www.example.com" } {
            # Drop the connection unless the client address is in the 'allowed_ip' data group
            if { ! [class match [IP::client_addr] eq allowed_ip] } {
                drop
            }
        }
    }

    This may not be the most optimized solution but should meet the requirement. May not need the 'tolower', but it may be good just to ensure the test matches appropriately. You can replace drop with reject if you prefer an explicit reset.
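Both answers implement the same check: match the Host header, then require the client address to be in that host's data group. The Python below is an added example, not an iRule and not code from either answer; it models that decision logic so the edge cases a defender cares about can be exercised offline: the Host header compared case-insensitively and with any `:port` suffix stripped (F5's `[HTTP::host]` returns the header as the client sent it, which is why the second answer's `string tolower` matters), CIDR entries as an IP-type data group allows, one allow list per restricted host on the shared VS, and a `default_deny` switch for hosts that have no policy. The host names, networks and sample requests are constructed for illustration.

```python
"""Model of the per-host IP allow-list that the iRules in this thread implement.

Added example, not an F5 iRule and not code from either answer. It reproduces
the decision logic (match Host header, then require the client address to be in
that host's data group, otherwise drop) in plain Python. All hosts, networks and
sample requests below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# One allow list per restricted host, mirroring one IP-type data group per host.
# Entries may be single addresses or CIDR networks, as an IP data group allows.
# Constructed sample values.
HOST_ALLOW_LISTS: Dict[str, Iterable[str]] = {
    "www.example.com": ["192.0.2.10", "198.51.100.0/24"],
    "intranet.example.com": ["10.0.0.0/8", "2001:db8::/32"],
}


def build_policy(raw: Dict[str, Iterable[str]]):
    """Parse the allow lists once, like a data group compiled at load time."""
    return {
        host.lower(): [ipaddress.ip_network(entry, strict=False) for entry in entries]
        for host, entries in raw.items()
    }


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Lower-case the Host header and strip any :port suffix.

    A literal comparison against 'www.example.com' would miss
    'WWW.Example.COM:8443' without this step.
    """
    if host_header is None:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def client_allowed(policy, host_header: Optional[str], client_ip: str,
                   default_deny: bool = False) -> str:
    """Return 'allow' or 'drop' for one request.

    Hosts without an allow list pass through, which is what the answers'
    iRules do (they only act on the matching host), unless default_deny is
    set, in which case unknown or missing hosts are dropped as well.
    """
    host = normalize_host(host_header)
    allow_list = policy.get(host) if host else None
    if allow_list is None:
        return "drop" if default_deny else "allow"
    addr = ipaddress.ip_address(client_ip)
    # Mixed-family comparison (IPv4 address vs IPv6 network) is simply False.
    return "allow" if any(addr in net for net in allow_list) else "drop"


# Constructed sample requests: (Host header as sent, client address)
SAMPLE_REQUESTS: List[Tuple[Optional[str], str]] = [
    ("www.example.com", "198.51.100.7"),       # in the /24 -> allow
    ("WWW.Example.COM:8443", "192.0.2.10"),    # case and port normalised -> allow
    ("www.example.com", "203.0.113.5"),        # not listed -> drop
    ("intranet.example.com", "2001:db8::1"),   # IPv6 entry -> allow
    ("other.example.com", "203.0.113.5"),      # no policy for this host
    (None, "203.0.113.5"),                     # no Host header at all
]


def evaluate(requests=SAMPLE_REQUESTS, default_deny: bool = False) -> List[str]:
    """Apply the policy to each sample request and return the verdicts in order."""
    policy = build_policy(HOST_ALLOW_LISTS)
    return [client_allowed(policy, host, ip, default_deny) for host, ip in requests]


if __name__ == "__main__":
    for (host, ip), verdict in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{str(host):24} {ip:16} -> {verdict}")
```

Run it directly to print a verdict per sample request; the last two requests flip from allow to drop when `default_deny=True`. Two caveats carry over to the real iRule: `IP::client_addr` is the TCP peer, so if a CDN or reverse proxy sits in front of the VS every request arrives from the proxy's address and the data group has to be built around that (or around a forwarded-for header you validate separately); and because the iRules only act on the matching host, every other domain on the VS stays open, which is the asked-for behaviour but worth recording when the rule is deployed.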