Balasubramaniy2
Aug 22, 2018

Need to control particular source while accessing particular URL when URL forwarding enabled for multiple applications on the Same Virtual server

Hi,

The requirement is to do URL forwarding for multiple applications based on the URL, but to block a particular source from accessing a particular URL on the same virtual server, not all URLs.

Example:

Virtual server 172.16.16.10 is bound with URL forwarding policies (app1.test.com, app2.test.com, app3.test.com, app4.test.com). Now the customer wants to block IP 10.10.10.100 from accessing app2.test.com, while the same 10.10.10.100 can still access the other URLs.

The customer wants to perform this on LTM only, not via other features like APM or WAF.

Is it possible to achieve this?


2 Replies

  • Simply an iRule assigned to the Virtual Server would do it:

    when HTTP_REQUEST {
        if {[HTTP::host] == "app2.test.com" && [IP::addr [IP::client_addr] equals 10.10.10.100]} {
            drop
        }
    }
    

    Could also look to do the same with an LTM Policy:

    ltm policy ExampleDropPolicy {
        controls { forwarding }
        requires { http tcp }
        rules {
            dropTraffic {
                actions {
                    0 {
                        forward
                        reset
                    }
                }
                conditions {
                    0 {
                        tcp
                        address
                        matches
                        values { 10.10.10.100 }
                    }
                    1 {
                        http-host
                        host
                        values { app2.test.com }
                    }
                }
            }
        }
        strategy first-match
    }
    
  • Hi,

    First of all, you have to create as many data groups as you have hostnames to filter. Example:

    DG1: dg-blocked-app1.test.com
    Type:Address
    
    Address : 10.10.10.100
    Value: mycustomer
    
    DG2: dg-blocked-app2.test.com
    Type:Address
    
    Address : empty
    Value: 
    
    DG3: dg-blocked-app3.test.com
    Type:Address
    
    Address : empty
    Value:
    

    Then use this simple iRule (it is important to respect case when creating the DG: use lowercase, because as you can notice below, the DG name in the iRule is created dynamically depending on the hostname that you enter)

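    when HTTP_REQUEST {
        # Build the data group name from the lowercased Host header
        set envhost [string tolower [HTTP::host]]

        # Reject the client if its address is listed in the data group for this host
        if { [class match [IP::client_addr] equals dg-blocked-$envhost] } {
            reject
        }
    }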
    

    Next you can manage who will be blocked by setting these IPs in the concerned DG.

    Hope it helps you, let me know.

    Regards
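
A variant of the per-host data group iRule from the second reply, added here as an example and not code from either poster: it strips a port from the Host header and skips hosts that have no data group, so a client-supplied Host value cannot trigger a lookup against a data group that does not exist. The `dg-blocked-<host>` naming follows the reply; the log line and the port handling are assumptions.

```tcl
when HTTP_REQUEST {
    # The Host header is client-controlled: it may carry a port
    # ("app2.test.com:8080") or mixed case. Normalise it before use.
    # Assumption: hosts are DNS names, not bracketed IPv6 literals.
    set envhost [string tolower [getfield [HTTP::host] ":" 1]]
    set dg "dg-blocked-$envhost"

    # Only consult the block list when a data group exists for this host.
    # Hosts without a data group fall through to normal URL forwarding.
    if { [class exists $dg] && [class match [IP::client_addr] equals $dg] } {
        # $dg is an admin-defined name at this point, so it is safe to log.
        log local0.info "Blocked [IP::client_addr] by data group $dg"
        reject
        return
    }
}
```

With this variant, only hosts that actually need a block list require a data group; empty data groups for the other applications become optional.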