Simon_Lodge
Jul 27, 2016

iRule to restrict public users to a specific service URI, whilst allowing internal users to access anything they like (along with

Hi All,

 

First post, and I'm a relative newbie when it comes to iRules, so any assistance would be much appreciated.

 

I have a single VS that accepts connections from both public customers and internal service users, and I've had a request to stop Public users from accessing anything other than www.test.com/SelfService, whilst allowing internal users access to everything.

 

On top of the URI filtering/redirects required above, the requester also wants all requests (both public and private) to be redirected to HTTPS.

 

I thought that something along the lines of the below might work, but the iRule editor bombs out and my test LTMs (running TMOS 11.5.3) also aren't happy, so I'm looking for suggestions on how best to achieve the requirements listed above.

 

Suggested iRule

 

    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals DataGroup_PRIVATE_IP_ADDR] } then {
            set untrusted_clients 0
        } else {
            set untrusted_clients 1
        }
    }
    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals “test.com” } then {
            set low_uri [string tolower [HTTP::uri]]
            if { $untrusted_clients } then {
                HTTP::redirect "https://test.com/SelfService”
            } else {
                HTTP::redirect "https://test.com/[HTTP::uri]
            }

 

Your assistance would be much appreciated, as currently I'm pulling my hair out with this one.

 

4 Replies

  • Untested, but the logic should work. Apply that iRule to your TCP/443 VS (test in QA first).

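    when HTTP_REQUEST {
      # Redirect any client that is not in the private_net data group
      # unless the requested path is exactly /SelfService.
      if { not ([HTTP::path] eq "/SelfService") and not ([class match [IP::client_addr] equals private_net]) } {
        HTTP::respond 302 noserver Location "https://[HTTP::host]/SelfService" Connection Close
      }
    }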
    

    To enforce the explicit use of HTTPS, just apply an HTTPS redirect iRule to your VS that's listening on port TCP/80. You can use _sys_https_redirect (one of the default iRules). If you don't have a dedicated TCP/80 VS yet, I recommend creating one so that you have two Virtual Servers with the same IP, but with a different port number.

    • Simon_Lodge

      Fantastic,

       

      And thanks for such a quick response! I'll test with the client and update the thread with the results.
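
A stricter take on the path check in the reply above, added here as an example and not code from the thread. It assumes the address data group is named private_net (as in the reply), that the public host is test.com (as in the question's iRule), and, as an interpretation of the requirement, that public users may also reach paths under /SelfService/ with any letter case.

```tcl
when HTTP_REQUEST {
    # Internal clients (source address in the private_net data group,
    # name taken from the reply) are not restricted.
    if { [class match [IP::client_addr] equals private_net] } {
        return
    }

    # Work on the path only (no query string), percent-decoded once and
    # lower-cased, so /SELFSERVICE and /%53elfService are treated alike.
    set path [string tolower [URI::decode [HTTP::path]]]

    # A decoded path containing ".." could climb out of /selfservice/
    # once the back-end normalises it, so it is never treated as allowed.
    set traversal [expr { $path contains ".." }]

    # Allow /selfservice itself and anything below /selfservice/, but not
    # look-alike prefixes such as /selfserviceadmin.
    if { !$traversal and ($path eq "/selfservice" or $path starts_with "/selfservice/") } {
        return
    }

    # Everything else from public clients goes back to the service page.
    # The host is fixed (test.com, from the question) rather than copied
    # from the client-supplied Host header.
    HTTP::respond 302 noserver Location "https://test.com/SelfService" Connection Close
}
```

As with the reply's iRule, this belongs on the TCP/443 virtual server, with the HTTP-to-HTTPS redirect handled separately on the TCP/80 virtual server.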

       
