Forum Discussion

sandiksk_35282
Mar 08, 2018

allow traffic to VS based on the source IP fwded in the http get request

I need to come up with a design to allow traffic to a VS based on the source IP sent in the HTTP GET request. Based on that source IP I need to make a decision whether to allow it or drop it. Please help me with how I can achieve this.

6 Replies

  • I'd suggest that you go and read the API documentation for the IP command family. The information you need to extract the client IP address for each connection is in there.

    You will also likely need to look at the class command documentation to see how to make comparisons against a datagroup, to allow or disallow specific IP addresses or ranges.

  • I am a little confused; just with the src IP I can create an iRule to allow or drop the request.

    But looking into the HTTP request to get the src IP, then verifying in the data group: if the IP is listed, allow; if not, drop the connection.

    Can I still achieve this with an iRule?

    • nag_54823

      I didn't test it, but you can still try something like below:

      when HTTP_REQUEST {
          # "ipaddress" is a placeholder for the name of an address-type data group;
          # class match uses "equals" against an address data group (subnets match too)
          if { [class match [HTTP::header Client-IP] equals ipaddress] } {
              reject
          } else {
              pool pool_name
          }
      }

  • I tried with the below iRule, but this is not working as it is throwing me exceptions and "command not valid".

    when HTTP_REQUEST {
        if { [class match [[HTTP::header Client-IP]] eq "datagroup_QA" ] } {
            # Traffic is allowed. Client IP match found in datagroup_QA
            return
        } else {
            # Traffic is dropped. Client IP match not found in datagroup_QA
            drop
        }
    }

    If the IP from the HTTP header matches an IP listed in the datagroup, the connection needs to be allowed; if not, it needs to be rejected.

  • Hello sandiksk,

    Try this iRule.

    when HTTP_REQUEST {
        # Traffic is allowed. Client IP match found in datagroup_QA
        # (single brackets: the header value is data, not a command; "equals" is the class match operator)
        if { [class match [HTTP::header Client-IP] equals datagroup_QA] } {
            pool your_web_application_pool
        } else {
            # Traffic is dropped. Client IP match not found in datagroup_QA
            # ("} else {" must stay on one line in Tcl)
            reject
        }
    }

    Or you can answer with an HTTP response using HTTP::respond, for example 403 Forbidden. To do so, replace reject with 'HTTP::respond 403' without quotes. Be aware of faked HTTP headers.
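Since the forwarded header can be faked by anyone who can reach the virtual server, one way to combine the two approaches from this thread is to trust the Client-IP header only when the TCP peer is a known proxy, validate that the header actually carries an IP address, and then check the resulting address against the allow data group. The iRule below is an added example written for this thread, not code posted by any of the participants or by F5; the data group names trusted_proxies and datagroup_QA, the header name Client-IP, and the 403 response body are assumptions for the example.

```tcl
# Added example (not from the thread): allowlist on the forwarded client IP,
# trusting the Client-IP header only when it arrives from a known proxy.
# Assumed address-type data groups (create them on the BIG-IP first):
#   trusted_proxies  - proxies/load balancers allowed to set Client-IP
#   datagroup_QA     - client IPs or subnets that are allowed through
when HTTP_REQUEST {
    # Start from the real TCP peer; only replace it with the forwarded
    # address when the peer itself is a proxy we trust.
    set client_ip [IP::client_addr]
    if { [class match $client_ip equals trusted_proxies] } {
        set fwd [string trim [HTTP::header value Client-IP]]
        # IP::addr raises a Tcl error on a malformed address, so catch
        # doubles as a "is this a well-formed IPv4/IPv6 address" check.
        if { $fwd ne "" && [catch { IP::addr $fwd equals $fwd }] == 0 } {
            set client_ip $fwd
        }
    }

    # Allowed client: stop processing and let the VS default pool serve it.
    if { [class match $client_ip equals datagroup_QA] } {
        return
    }

    # Everything else gets a 403 and the decision is logged for review.
    log local0. "Blocked [HTTP::method] [HTTP::host][HTTP::uri] client=$client_ip peer=[IP::client_addr]"
    HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain" "Connection" "close"
}
```

Because class match against an address-type data group also matches subnets, datagroup_QA can hold ranges as well as single hosts. If the header is absent, malformed, or set by an untrusted peer, the decision falls back to the real connection address instead of failing open.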

  • If you are looking for a whitelist iRule, then the below iRule should work fine. You will need to create a datagroup, "Whitelist_IPs" in the below example, with all the source IPs you want to allow access. So all HTTP requests which match the URL and a source IP from the whitelist will be allowed; others will get 403.

    when HTTP_REQUEST {
        # Only enforce the whitelist for the protected host; class match against an
        # address-type data group also matches any subnets listed in it
        if { ([string tolower [HTTP::host]] equals "www.sample1.com") and !([class match [IP::remote_addr] equals Whitelist_IPs]) } {
            HTTP::respond 403
        }
    }