Forum Discussion

Sanal_Babu
Nimbostratus
Jan 17, 2016

iRule_urls/allow/block/restrict

Can anyone please help me create an iRule for the requirement below.

I have created two data groups in my F5, one for source IPs and one for a URL list:

IP data group name: allowed_IP
URL data group name: allowed_url

We would like to deny access if the request is only for www.abc.com/xyz, but at the same time it should be allowed when it comes for www.abc.com/xyz/ccc.

URLs to be allowed:

www.abc.com/xyz/ccc
www.abc.com/xyz/yyy
www.abc.com/xyz/ppp
www.abc.com/xyz/ooo

URL to be blocked:

www.abc.com/xyz

So if a request comes for something in the allowed_url list, it should be allowed for everyone. But if it is only for www.abc.com/xyz, allow it only for the IP addresses in the data group "allowed_IP". Everything else should be blocked.

 

5 Replies

  • Hi Sanalbabu,

     

    I've written two different versions for you, to optimize the performance based on your expected request pattern. So please estimate your expected request pattern and then use either the iRule outlined in scenario 1 or the one in scenario 2.

     

    Scenario 1

     

    The iRule below should be used if you expect many requests to trigger the IP-based allow list for /xyz.

     

    when CLIENT_ACCEPTED {
        # Look up the client IP once per TCP connection and remember the result,
        # so the address data group is not queried again for every request.
        if { [class match [IP::client_addr] equals DataGroup_ALLOWED_IP_ADDR] } then {
            set my_trusted_clients 1
        } else {
            set my_trusted_clients 0
        }
    }
    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals "www.abc.com" } then {
            # Lower-case the URI so the string data group can hold lower-case entries only
            set low_uri [string tolower [HTTP::uri]]
            if { [class match $low_uri starts_with Datagroup_ALLOWED_URIs] } then {
                # You may insert additional iRule code here, to handle requests to the explicitly allowed sub-sites
            } elseif { $low_uri starts_with "/xyz" } then {
                if { $my_trusted_clients } then {
                    # You may insert additional iRule code here, to handle requests from the explicitly allowed client IPs
                } else {
                    # Insert your block code here, to handle the blocked requests
                    # (nothing is blocked until one of these commands is active)
                    #
                    # Below are some examples...
                    #
                    # 1.) Sending a redirect
                    # HTTP::redirect "http://www.somesite.com/errorpage.html"
                    #
                    # 2.) Sending an error page
                    # HTTP::respond 403 content "Access denied"
                }
            } else {
                # You may insert additional iRule code here, to handle requests to other sub-sites
            }
        } else {
            # You may insert additional iRule code here, to handle requests to other sites
        }
    }

    Scenario 2

     

    The iRule below should be used if you expect just a few requests to trigger the IP-based allow list for /xyz.

     

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals "www.abc.com" } then {
            # Lower-case the URI so the string data group can hold lower-case entries only
            set low_uri [string tolower [HTTP::uri]]
            if { [class match $low_uri starts_with Datagroup_ALLOWED_URIs] } then {
                # You may insert additional iRule code here, to handle requests to the explicitly allowed sub-sites
            } elseif { $low_uri starts_with "/xyz" } then {
                # The address data group is only consulted for requests that reach this branch
                if { [class match [IP::client_addr] equals DataGroup_ALLOWED_IP_ADDR] } then {
                    # You may insert additional iRule code here, to handle requests from the explicitly allowed client IPs
                } else {
                    # Insert your block code here, to handle the blocked requests
                    # (nothing is blocked until one of these commands is active)
                    #
                    # Below are some examples...
                    #
                    # 1.) Sending a redirect
                    # HTTP::redirect "http://www.somesite.com/errorpage.html"
                    #
                    # 2.) Sending an error page
                    # HTTP::respond 403 content "Access denied"
                }
            } else {
                # You may insert additional iRule code here, to handle requests to other sub-sites
            }
        } else {
            # You may insert additional iRule code here, to handle requests to other sites
        }
    }

    Cheers, Kai

     

  • Hi Kai,

     

    Thanks for your support.

     

    I have tested this in my F5, but it is still allowing the URL /xyz.

     

    Thank you Sanal Babu

     

  • Hi Kai,

     

    Also, nowhere in the iRule does it say drop or allow. I am not good at iRules. Just a thought. :-)

     

  • Hi Sanalbabu,

     

    There is no "allow" or "drop" action. If you want to "allow" traffic, you have to do "nothing".

     

    For the "drop" part I've already included two different command samples for you, and also a lot of comment lines where those commands can be inserted based on your detailed requirement...

     

    Hope this helps... ;-)

     

    Cheers, Kai
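The point Kai makes above (allow means run no command, block means actually send a response) written out as one complete iRule. This is an added example, not code from the thread. It uses the data group names from the question (allowed_IP as an address data group, allowed_url as a string data group) and follows the question's "rest all should be blocked" rule, so it denies by default. It assumes allowed_url holds lower-case path prefixes that end in "/" (for example /xyz/ccc/); the log text and the 403 body are assumptions.

```tcl
# Added example (not from the thread). Deny-by-default policy for www.abc.com:
#   1. paths under a prefix listed in allowed_url  -> allowed for everyone
#   2. the bare page /xyz                           -> allowed only for allowed_IP
#   3. anything else on this host                   -> 403
# Assumed data groups: allowed_IP (address), allowed_url (string, lower-case
# prefixes ending in "/", e.g. /xyz/ccc/ /xyz/yyy/ /xyz/ppp/ /xyz/ooo/).
when HTTP_REQUEST {
    # Other hosts on the same virtual server are not subject to this policy.
    if { [string tolower [HTTP::host]] ne "www.abc.com" } {
        return
    }

    # Compare the path, not the full URI: a query string such as
    # "/xyz?x=/xyz/ccc" must not influence the decision. Drop a trailing
    # slash so "/xyz/" and "/xyz" are treated alike; keep "/" for the root.
    set path [string tolower [HTTP::path]]
    set path [string trimright $path "/"]
    if { $path eq "" } {
        set path "/"
    }

    # 1) Explicitly allowed sub-sites. Appending "/" before the prefix match
    #    makes "/xyz/ccc" and "/xyz/ccc/sub" match "/xyz/ccc/" while
    #    "/xyz/cccx" does not. Allowing means simply returning from the event.
    if { [class match "${path}/" starts_with allowed_url] } {
        return
    }

    # 2) The bare /xyz page: allowed only for clients in allowed_IP
    #    (entries may be single hosts or CIDR subnets).
    if { $path eq "/xyz" } {
        if { [class match [IP::client_addr] equals allowed_IP] } {
            return
        }
        log local0. "blocked /xyz from [IP::client_addr]"
        HTTP::respond 403 content "Access denied" noserver "Connection" "close"
        return
    }

    # 3) Everything else on this host is blocked. Without an HTTP::respond
    #    (or HTTP::redirect / reject) here the request would be passed to
    #    the pool, which is the behaviour reported in the thread.
    log local0. "blocked [HTTP::uri] from [IP::client_addr]"
    HTTP::respond 403 content "Access denied" noserver "Connection" "close"
}
```

Two caveats when adapting this: the comparison is done on the path exactly as the client sent it, so if the backend decodes percent-encoding or collapses dot-segments differently, compare the canonical form instead; and [HTTP::host] may carry a port (www.abc.com:8080), which the equality test above would not match, so strip the port first if clients connect that way.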
