Forum Discussion

2 Replies

  • I'm thinking a switch would be easiest:

    when HTTP_REQUEST {
        # Match on the lower-cased host plus URI so the glob patterns are case-insensitive.
        switch -glob [string tolower [HTTP::host][HTTP::uri]] {
            "11.11.103.139/uii/*" -
            "usd-msp10.inf.us.cvr.com/websso/*" {
                log local0. "[HTTP::host][HTTP::uri] allowed"
            }
            default {
                log local0. "[HTTP::host][HTTP::uri] blocked"
                reject  ;# or drop, HTTP::redirect, or HTTP::respond
            }
        }
    }

    You could also do this with a CPM local traffic policy, which would probably be a little faster.

  • You can only go as far as the Host name value, assuming the client presents a Server Name Indication (SNI) value in its TLS Client Hello message. You cannot see the request URI, for example, "/websso/*", unless you decrypt.

    It's also rare that a browser client will submit an SNI value if it's using an IP address for the URL host.

    But assuming the client always does send an SNI, you can indeed use LTM local traffic policies, which are included with LTM, to enable/disable access based on requested host name.

    For a quick guide to configuring CPM policies: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/local-traffic-policies-getting-started-12-1-0/1.html
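As an added illustration of the point made above (not code from either reply), an iRule that makes the allow/block decision on the SNI value alone in CLIENTSSL_CLIENTHELLO, before any decryption. It assumes the `SSL::extensions` command is available on the BIG-IP version in use, and the allow-list is a constructed placeholder:

```tcl
when CLIENTSSL_CLIENTHELLO {
    # Constructed allow-list of host names; replace with the real ones.
    set allowed_hosts [list "usd-msp10.inf.us.cvr.com"]

    # Extension type 0 is server_name (SNI). A client that uses a bare IP
    # address in the URL usually sends none, so there is nothing to filter
    # on here; log it and leave the decision to whatever follows.
    if { ![SSL::extensions exists -type 0] } {
        log local0. "[IP::client_addr] sent no SNI; no host name to filter on"
        return
    }

    # Assumed layout of a single server_name entry: skip the 9-byte header
    # (type, length, list length, name type, name length) to reach the name.
    binary scan [SSL::extensions -type 0] {@9A*} sni_name
    set sni_name [string tolower $sni_name]

    if { [lsearch -exact $allowed_hosts $sni_name] >= 0 } {
        log local0. "SNI $sni_name allowed"
    } else {
        log local0. "SNI $sni_name blocked"
        reject
    }
    # The request URI (e.g. /websso/*) is not visible at this point; that
    # check needs decryption and an HTTP_REQUEST event.
}
```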