ccraddock_33000
Feb 22, 2018

iRule assistance

I have an iRule in my environment that was not written by me. This iRule is supposed to block anyone from an external IP from reaching the "heartbeat" page of our web servers. It is written as such:

when HTTP_REQUEST { 
   if { [string tolower [HTTP::path]] contains "/heartbeat" } { 
      if { !([matchclass [IP::client_addr] equals private_net])} { 
         discard 
      }
   }
}

My question is twofold.

1) Is the exclamation point (!) in the second "if" statement excluding the "private_net" parameter? The iRule's name is irule_block_heartbeat_from_external_IPs but the private_net data group is made up of internal IPs (10.0.0.0, 172.16.0.0, 192.168.0.0 etc).

2) I would like to add "/health" to this iRule as well, in addition to the "/heartbeat". How would I do that?

Thanks.

1 Reply

  • ! is shorthand for "not", so yes, any IP not in your datagroup will be blocked.

    For the extra page I'd consider using starts_with as it's more efficient than contains, and since you're doing a string tolower maybe set the lowercase path as a variable.

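    Something like this should do it:

    when HTTP_REQUEST {
        # Lowercase the path once and reuse it for both comparisons
        set lcpath [string tolower [HTTP::path]]

        if { ($lcpath starts_with "/heartbeat") or ($lcpath starts_with "/health") } {
            # Discard the request unless the client address is in the private_net data group
            if { !([matchclass [IP::client_addr] equals private_net]) } {
                discard
            }
        }
    }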
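
The two rules in this thread do not discard exactly the same requests, and that can be checked offline before either is deployed. The Python model below is an added example, not part of the original thread and not F5 code; it assumes private_net holds the RFC 1918 ranges (the post lists no masks) and runs both rules over constructed sample requests.

```python
import ipaddress

# Assumption: private_net holds the RFC 1918 ranges; the post lists only the
# network addresses (10.0.0.0, 172.16.0.0, 192.168.0.0), not the masks.
PRIVATE_NET = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_private_net(client_addr):
    """Model of [matchclass [IP::client_addr] equals private_net]."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in net for net in PRIVATE_NET)


def original_rule(path, client_addr):
    """Question's rule: discard if the lowercased path contains /heartbeat."""
    return "/heartbeat" in path.lower() and not in_private_net(client_addr)


def revised_rule(path, client_addr):
    """Reply's rule: discard if the path starts with /heartbeat or /health."""
    lcpath = path.lower()
    return (lcpath.startswith(("/heartbeat", "/health"))
            and not in_private_net(client_addr))


# Constructed sample requests (path, client address); 203.0.113.0/24 is a
# documentation range standing in for an external client.
SAMPLES = [
    ("/heartbeat", "203.0.113.7"),
    ("/HeartBeat/status", "203.0.113.7"),
    ("/health", "203.0.113.7"),
    ("/healthcare/index.html", "203.0.113.7"),
    ("/app/heartbeat", "203.0.113.7"),
    ("/heartbeat", "10.1.2.3"),
    ("/index.html", "203.0.113.7"),
]


def compare(samples=SAMPLES):
    """Return (path, addr, original_discards, revised_discards) per sample."""
    return [(p, a, original_rule(p, a), revised_rule(p, a)) for p, a in samples]


if __name__ == "__main__":
    for path, addr, old, new in compare():
        print(f"{path:26} {addr:14} original={old!s:5} revised={new}")
```

Two rows differ beyond the intended /health addition: /app/heartbeat is discarded only by the contains rule, and /healthcare/index.html is discarded by the starts_with rule because it shares the /health prefix.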