Restricting Access to URI Based on IP Address

With an IIS-based application, it's particularly difficult to handle all of the different encoding attacks in an iRule that a malicious user could send in the URI. See this post for some example iRules and sample obfuscation methods:

 

 

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=30900

 

 

Aaron

Where do I define the variable for the white list of allowable IP addresses?

You can define the IP addresses or subnets in a datagroup of type: address in the GUI under Local Traffic >> iRules >> Datagroup List. If you're on 9.4.4 or higher, you should reference the datagroup name without the $:: prefix in older examples to allow for CMP compatibility.

 

 

Aaron

So, would I just call the data group (testapiAllowList) by name like this?

 
when HTTP_REQUEST { 
   if { [matchclass [string tolower [HTTP::path]] contains '/testapi.aspx'] } { 
     if { !([matchclass [IP::client_addr] equals testapiAllowList])} { 
       discard 
     } else { 
          } 
 }

That's close. Here's something to try:

when HTTP_REQUEST { 
   if { [string tolower [HTTP::path]] contains "/testapi.aspx" } { 
      if { !([matchclass [IP::client_addr] equals testapiAllowList])} { 
         discard 
      }
   }
}

Aaron

Thank you very much for your help and patience! I am new to iRules and really appreciate all the help I have received on DevCentral.

Ok I am trying to work on an irule to allow an IP to a URI that contains matches a word in the path. but I am having no luck.. this is the irule I have in place

 

 

when HTTP_REQUEST {

 

if {( [string tolower [HTTP::path]] contains "/myword " )

 

and not ( [IP::addr [IP::client_addr] equals 127.0.0.01/32] ) } {

 

log local0. "dropped"

 

HTTP::respond 200 content "URL Blocked"

 

}

 

}

 

Ok I am trying to work on an irule to allow an IP to a URI that contains matches a word in the path. but I am having no luck.. this is the irule I have in place

 

 

when HTTP_REQUEST {

 

if {( [string tolower [HTTP::path]] contains "/myword " )

 

and not ( [IP::addr [IP::client_addr] equals 127.0.0.01/32] ) } {

 

log local0. "dropped"

 

HTTP::respond 200 content "URL Blocked"

 

}

 

}

 

So you're saying, "if the requested path contains the string '/myword' and the client IP is NOT 127.0.0.01, then send a 'URL Blocked' message". Is this your intention?

As a quick test, please modify your iRule as follows and report the results:

when HTTP_REQUEST {
     log local0. "Path = [string tolower [HTTP::path]]"
     log local0. "Client IP = [IP::client_addr]"
     if { [IP::addr [IP::client_addr] equals 127.0.0.01/32] } { log local0. "Local client IP" }

     if { ( [string tolower [HTTP::path]] contains "/myword " ) and not ( [IP::addr [IP::client_addr] equals 127.0.0.01/32] ) } {
          log local0. "dropped"
          HTTP::respond 200 content "URL Blocked"
     }
} 

 

Kevin

 

 

Yes you are correct with the understanding .

 

I do want to thank you for your help

 

Turning on the extra loging I see my trigger word is not staying in the uri when I am being moved from one VS to the other VS.

 

 

agian thank you.