Forum Discussion
14 Replies
- Lee_Sutcliffe (Nacreous)
Updated to compensate for route domains
The event will have to be HTTP_REQUEST as you are reading the URI. You were almost there with your attempt, please try the following:
    when HTTP_REQUEST {
        if { [IP::client_addr] contains "192.168.100.201" } {
            if { [string tolower [HTTP::uri]] ne "/cvs/chn.website.cvs.account_1.0?wsdl" } {
                reject
            }
        }
    }
- Daniel_Varela (Employee)
iRules don't use semicolons. I think this is more what you want to do:

    when HTTP_REQUEST {
        if { ([HTTP::uri] ne "/test") and ([IP::client_addr] equals "192.168.1.1") } {
            reject
        }
    }
HTTP::uri will return just the uri without the hostname.
- aboulleill_3013 (Nimbostratus)
Dears,
I just applied this on the live environment:

    when HTTP_REQUEST {
        if { !([HTTP::uri] equals "/cvs/chn.website.cvs.Account_1.0?wsdl") and ([IP::client_addr] equals "192.168.100.201") } {
            reject
        }
    }

But 192.168.100.201 is still able to access everything. The URLs in question are https://
- Daniel_Varela (Employee)
You are blocking all the URLs except "/cvs/chn.website.cvs.Account_1.0?wsdl" to that IP. Adjust the first comparison to get what you expect. I think in your case it is [HTTP::uri] ne "/cvs/chn.website.cvs.Account_1.0?wsdl"
Hi aboulleill,
Could you please try to use this iRule?

    when HTTP_REQUEST {
        if { [IP::client_addr] equals "192.168.100.201" } {
            if { [string tolower [HTTP::uri]] equals "/cvs/chn.website.cvs.account_1.0?wsdl" } {
                drop
            }
        }
    }
- aboulleill_3013 (Nimbostratus)
Dears,
I'm trying to block all URLs except "/cvs/chn.website.cvs.Account_1.0?wsdl" to source IP address 192.168.100.201. But until now 192.168.100.201 is still able to access other URLs as if the iRule doesn't exist (trying the two iRules below):
https://prodfmw-osb.bm.com.lb/OmegaIntegration/proxy/BankMedOmegaIntegrationWS?wsdl (still opening, not normal behavior)
https://prodfmw-osb.bm.com.lb/cvs/chn.website.cvs.Account_1.0?wsdl (still opening, it's normal)

    when HTTP_REQUEST {
        if { [IP::client_addr] equals "192.168.100.201" } {
            if { [string tolower [HTTP::uri]] ne "/cvs/chn.website.cvs.account_1.0?wsdl" } {
                drop
            }
        }
    }

    when HTTP_REQUEST {
        if { ([HTTP::uri] ne "prodfmw-osb.bm.com.lb/cvs/chn.website.cvs.Account_1.0?wsdl") and ([IP::client_addr] equals "192.168.100.201") } {
            reject
        }
    }

You should use the "not" only for the beginning of the if sentence:

    when HTTP_REQUEST {
        if { [IP::client_addr] equals "192.168.100.201" } {
            if { not ([string tolower [HTTP::uri]] equals "/cvs/chn.website.cvs.account_1.0?wsdl") } {
                drop
            }
        }
    }
- Daniel_Varela (Employee)
Add some debugging to your iRule as well:

    when HTTP_REQUEST {
        log local0. "URI: [HTTP::uri]"
        log local0. "IP: [IP::client_addr]"
        if { ([HTTP::uri] ne "prodfmw-osb.bm.com.lb/cvs/chn.website.cvs.Account_1.0?wsdl") and ([IP::client_addr] equals "192.168.100.201") } {
            reject
        }
    }

The URI you have in the log has to be the same as the one you have in your if.
- aboulleill_3013 (Nimbostratus)
Dears,
Still not working...
Best Regards, Ralph El Haber
- Daniel_Varela (Employee)
Hi Ralph, Please add debugging and post it here, otherwise it is really difficult to see where the problem is. You can find that by executing tail -f /var/log/ltm in the command line.

    when HTTP_REQUEST {
        log local0. "URI: [HTTP::uri]"
        log local0. "IP: [IP::client_addr]"
        if { ([HTTP::uri] ne "/cvs/chn.website.cvs.Account_1.0?wsdl") and ([IP::client_addr] equals "192.168.100.201") } {
            reject
        }
    }

Some notes: HTTP::uri does not return the hostname but it will include all the parameters in the URL. The iRule won't work unless the URI is an exact match. Try to chunk the iRule into smaller pieces and verify the functionality separately.
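
An added example, not part of any reply in this thread: one iRule that pulls together the points raised above (route-domain suffix on the client address, HTTP::uri returned without the hostname, case-normalized exact match, and a log line for every decision). The static variable names are hypothetical; the address and URI are the ones quoted in the thread.

```tcl
# Added example: restrict one client to a single URI and log each decision.
# Assumption: static::restricted_client and static::allowed_uri are
# hypothetical names; their values are the ones quoted in the thread.
when RULE_INIT {
    set static::restricted_client "192.168.100.201"
    # Stored lower-case because the request URI is lower-cased before comparing.
    set static::allowed_uri "/cvs/chn.website.cvs.account_1.0?wsdl"
}

when HTTP_REQUEST {
    # IP::client_addr can carry a route-domain suffix such as "%1";
    # keep only the address part so the comparison is exact.
    set client [getfield [IP::client_addr] "%" 1]

    # Every other client is left alone.
    if { $client ne $static::restricted_client } {
        return
    }

    # HTTP::uri is the path plus query string, with no scheme or hostname,
    # so the allowed value must not include "prodfmw-osb.bm.com.lb".
    set uri [string tolower [HTTP::uri]]

    if { $uri eq $static::allowed_uri } {
        log local0. "allow client=$client host=[HTTP::host] uri=[HTTP::uri]"
        return
    }

    # Anything else from the restricted client is refused, and the raw URI
    # is logged so a mismatch can be compared character by character.
    log local0. "reject client=$client host=[HTTP::host] uri=[HTTP::uri]"
    reject
}
```

HTTP_REQUEST only fires on a virtual server that has an HTTP profile, and for the https:// URLs in the thread that virtual server must also decrypt the traffic with a client SSL profile. If neither log line shows up in /var/log/ltm for a request from 192.168.100.201, the rule is not seeing that request at all.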