Dears, I am able to restrict the access to Virtual Server by providing the static time by using the below irule. However, I also want to use this irule to restrict the access on weekends. when RULE_INIT { set current_day [clock format [clock seconds] -format {%a} ] set static::START_OFF_TIME "05:30 AM" set static::END_OFF_TIME "01:00 PM" } when HTTP_REQUEST { set start_off_time [clock scan $static::START_OFF_TIME] set end_off_time [clock scan $static::END_OFF_TIME] set now [clock seconds] if { ( [expr $now > $start_off_time] ) and ( [expr $now < $end_off_time] ) } { HTTP::respond 200 content "Maintenance ModeMaintenance mode..." } }

Stan, Thanks for the rule, but in your rule the Second condition when HTTP_REQUEST is not being executed. i have created the below rule which is working fine but i need to add one more condition (if { ( [class match [IP::remote_addr] equals clntip]). this condition when i add in the below rule it is not working, remaining the rule is working fine. Kindly advice. when RULE_INIT { set static::START_OFF_TIME [clock scan "05:30 AM"] set static::END_OFF_TIME [clock scan "04:00 PM"] } when HTTP_REQUEST { set now [clock seconds] set current_day [clock format [clock seconds] -format {%u}] } if { not ([string tolower [HTTP::uri]] contains "/contracts/") } { pool POOL_443 } elseif { ([class match [IP::remote_addr] equals clntip]) && ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day >= 1 ) && ($current_day < 4 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } { pool POOL_443 } elseif { ([class match [IP::remote_addr] equals clntip]) && ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day == 7 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) && ( [class match [IP::remote_addr] equals clntip]) } { pool POOL_443 } elseif { ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day == 5 ) or ($current_day == 6 ) } { HTTP::respond 200 content "Weekend!Its a Weekend! Contact Administrator..." } else { HTTP::respond 200 content "Not Authorised!Not Authorised! Contact Administrator..." } }

Irule to block access of VS on specific days

11 Replies

Stanislas_Piro2

Cumulonimbus

Apr 28, 2016

Hi,

current_day may not be defined in RULE_INIT but in HTTP_REQUEST.

you can filter on day number (1-7) and not day name (Monday,...) with command :

set current_day [clock format [clock seconds] -format {%u}]

The irule become:

when RULE_INIT {
    set static::START_OFF_TIME [clock scan "05:30 AM"]
    set static::END_OFF_TIME [clock scan "01:00 PM"]
}

when HTTP_REQUEST {
    set now [clock seconds]
    set current_day [clock format [clock seconds] -format {%u}]

if { ($current_day < 6 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
        HTTP::respond 200 content "Maintenance ModeMaintenance mode..."
    }

}

Ibrahim_Kadiri

Nimbostratus

May 01, 2016

Stan,

We need to run this irule on the specific site only, but the below irule which i created is blocking the parent site. We need to allow access to the parent without time constrain, and block access for one of the site with the below irule.

when RULE_INIT {
    set static::START_OFF_TIME [clock scan "05:30 AM"]
    set static::END_OFF_TIME [clock scan "01:00 PM"]
}

when HTTP_REQUEST {
    set now [clock seconds]
    set current_day [clock format [clock seconds] -format {%u}]

if { ([string tolower [HTTP::uri]] contains "/contractor/") && ($current_day > 1 ) && ($current_day < 4 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
        pool POOL_443
    }
    elseif {([string tolower [HTTP::uri]] contains "/contractor/") && ($current_day == 7 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
        pool POOL_443
    }
 elseif {
        HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
}

}

Ashu_Aggarwal
Cirrus
Oct 18, 2020
Hi I have a similar requirement where i have to restrict the VS access to a IP subnet for a particular window. Were you able to make it work? If so can you please share the i-rule?

Thanks
Ashu
- jaikumar_f5
  MVP
  Oct 19, 2020
  You could rather open a new thread, it would have more visibility.

Stanislas_Piro2

Cumulonimbus

May 01, 2016

You can try something like that:

when RULE_INIT {
    array set static::timerange {
        1 {"05:30" "13:00"}
        2 {"05:30" "13:00"}
        3 {"05:30" "13:00"}
        4 {"05:30" "13:00"}
        5 {"00:00" "00:00"}
        6 {"00:00" "00:00"}
        7 {"05:30" "13:00"}
    }
}

when HTTP_REQUEST {
    if { ([string tolower [HTTP::uri]] contains "/contractor/") } {    
        set now [clock seconds]
        set current_day [clock format $now -format {%u}]
        lassign $static::timerange($current_day) start end
        if {($now >= [clock scan $start]) && ($now < [clock scan $end])} {
            set denied 0
        } else {set denied 1}
    } else {set denied 0}

    if { $denied } {
        HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
    } else {pool POOL_443}
}

you can also use day name instead of number in array...

Ashu_Aggarwal
Cirrus
Oct 18, 2020
: Hi, I have a similar requirement & when trying the above i-rule it looks like it blocks the access but it doesn't pick/sync with the system clock. It just keep denying the requests. Can you please suggest?

Rgds/Ashu
- Stan_PIRON_F5
  Employee
  Oct 19, 2020
  I don't remember if this code used GMT or local timezone..
  
  The comment I wrote above says lassign is not supported... try the code above.

Stanislas_Piro2

Cumulonimbus

May 03, 2016

The lassign command does not work in irule.

The following code may solve this issue.

when RULE_INIT {
    array set static::timerange {
        Sunday {"05:30" "13:00"}
        Monday {"05:30" "13:00"}
        Tuesday {"05:30" "13:00"}
        Wednesday {"05:30" "13:00"}
        Thursday {"05:30" "13:00"}
        Friday {}
        Saturday {}
    }
}

when HTTP_REQUEST {
    if { ([string tolower [HTTP::uri]] contains "/contractor/") } {    
        set now [clock seconds]
        set current_day [clock format $now -format {%A}]
        set start [lindex $static::timerange($current_day) 0]
        set end [lindex $static::timerange($current_day) 1]
        if {($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end])} {
            set denied 0
        } else {set denied 1}
        unset start end
    } else {set denied 0}

    if { $denied } {
        HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
    } else {pool POOL_443}
    unset denied
}

Ibrahim_Kadiri

Nimbostratus

May 03, 2016

Stan,

Thanks for the rule, but in your rule the Second condition when HTTP_REQUEST is not being executed. i have created the below rule which is working fine but i need to add one more condition (if { ( [class match [IP::remote_addr] equals clntip]). this condition when i add in the below rule it is not working, remaining the rule is working fine.

Kindly advice.

when RULE_INIT {
    set static::START_OFF_TIME [clock scan "05:30 AM"]
    set static::END_OFF_TIME [clock scan "04:00 PM"]
}

when HTTP_REQUEST {
    set now [clock seconds]
    set current_day [clock format [clock seconds] -format {%u}] }

    if { not ([string tolower [HTTP::uri]] contains "/contracts/")  } { 
        pool POOL_443 
        }
     elseif { ([class match [IP::remote_addr] equals clntip]) && ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day >= 1 )  && ($current_day < 4 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) } {
        pool POOL_443
        }
    elseif { ([class match [IP::remote_addr] equals clntip]) && ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day == 7 ) && ( $now > $static::START_OFF_TIME ) && ( $now < $static::END_OFF_TIME ) && ( [class match [IP::remote_addr] equals clntip]) } {
        pool POOL_443
        }
    elseif { ([string tolower [HTTP::uri]] contains "/contracts/") && ($current_day == 5 ) or ($current_day == 6 ) } {
        HTTP::respond 200 content "Weekend!Its a Weekend! Contact Administrator..."
        }   
 else {
        HTTP::respond 200 content "Not Authorised!Not Authorised! Contact Administrator..."
}

}

Stanislas_Piro2

Cumulonimbus

May 03, 2016

Hi,

In the first irule I provided, there was an issue ...

if executing clock scan in RULE_INIT, the date will stay the day the irule was last modified or service restarted.

Try this irule :

when RULE_INIT {
    array set static::timerange {
        Sunday {"05:30" "16:00"}
        Monday {"05:30" "16:00"}
        Tuesday {"05:30" "16:00"}
        Wednesday {"05:30" "16:00"}
        Thursday {"05:30" "16:00"}
        Friday {}
        Saturday {}
    }
}

when HTTP_REQUEST {
    if { ([string tolower [HTTP::uri]] contains "/contractor/") } {
        if {!([class match [IP::remote_addr] equals clntip])} {set denied 1}
        set now [clock seconds]
        set current_day [clock format $now -format {%A}]
        set start [lindex $static::timerange($current_day) 0]
        set end [lindex $static::timerange($current_day) 1]
        if {($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end])} {
            set denied 0
        } else {set denied 1}
        unset start end
    } else {set denied 0}

    if { $denied } {
        HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
    } else {pool POOL_443}
    unset denied
}

Stanislas_Piro2

Cumulonimbus

May 09, 2016

Hi ibrahim,

the following irule may work :

when RULE_INIT {
    array set static::timerange {
        Sunday {"05:30" "16:00"}
        Monday {"05:30" "16:00"}
        Tuesday {"05:30" "16:00"}
        Wednesday {"05:30" "16:00"}
        Thursday {"05:30" "16:00"}
        Friday {}
        Saturday {}
    }
}

when HTTP_REQUEST {
    if { ([string tolower [HTTP::uri]] contains "/contractor/") } {
        if {!([class match [IP::remote_addr] equals clntip])} {
            set denied 1
        } else {
            set now [clock seconds]
            set current_day [clock format $now -format {%A}]
            set start [lindex $static::timerange($current_day) 0]
            set end [lindex $static::timerange($current_day) 1]
            if {($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end])} {
                set denied 0
            } else {set denied 1}
            unset start end
        }
    } else {set denied 0}

    if { $denied } {
        HTTP::respond 200 content "Not Authorised! Contact AdministratorNot Authorised! Contact Administrator..."
    } else {pool POOL_443}
    unset denied
}

Forum Discussion

Irule to block access of VS on specific days

11 Replies

Recent Discussions

Advise on setting up IRULE

google autenticator broken barcode

Port Group on F5OS network setting

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Unwinding the Benefits of Investing in White Label Crypto Wallet

Related Content

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Access policy, LTM policy and iRules

ASM irule to disable attack signature authorization header with specific value

Overview of API Access Control and implementing API key access control with BIG-IP APM

Load balancing method specific decision