ACL for sub-website?

Question

I'm pretty weak with iRules so I was wondering if anyone has an idea on how to accomplish the following: 
&nbsp;  
&nbsp; I need an iRule that checks for users destined for a subsite on our URL and then filtering through an ACL. I think this would be accomplished by first using:  
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;   switch -regexp [string tolower [HTTP::uri] ] { 
&nbsp;      ^/xxx 
&nbsp;  
&nbsp; After determining users are destined to this subsite I need to apply the ACL and only allow those I specified in a Data Group List. I saw the sample for the ACL, but I having difficulty figuring out how I would tie the whole thing together. Any help greatly appreciated. 
&nbsp;  
&nbsp; Thanks!

the_bhattman · Answer

I haven't tested this but I think it might the logic you are looking for.

class subsite {     
  "/foo"     
  "/foobar"     
  "/feefifoo"  
  }  
    
  class allow {     
  "192.168.1.1"     
  "192.168.1.3"     
  "192.168.1.4"  
  }  
    
  when HTTP_REQUEST {  
       if { not ([matchclass [IP::client_addr] equals $::allow] &amp;&amp; [matchclass [string tolower [HTTP::uri]] starts_with $::subsite]) } {   
       } else {  
         reject  
       }  
  }

or

class allow {     
  "192.168.1.1"     
  "192.168.1.3"     
  "192.168.1.4"  
  }  
    
  when HTTP_REQUEST {  
       switch -regex [HTTP::uri] {  
      "^XXX" {  
             if { not ([matchclass [IP::client_addr] equals $::allow]) }  
             } else {  
              reject  
             }  
       }  
  }

hope this helps  
    
  CB

deb_allen_18 · Answer

you'd want to be sure the class you create is of type "Address" for the IP::addr comparison to work as expected. 
  
 The resulting class would look more like this: 
  
 class myIPs { 
   host 10.10.1.1 
   network 192.168.1.1 255.255.255.0 
 } 
  
 There are at least a couple of good ACL examples in the codeshare: 
 Click here 
 Click here 
  
 /deb

deb_allen_18 · Answer

oh, and cmbhatt's first example for the additional URI comparison is preferred -- avoid regex wherever possible. 
&nbsp;  
&nbsp; /deb

robs · Answer

CB &amp; Deb, 
&nbsp;  
&nbsp; Thanks for your help on this one. We got it working just the way we want by slightly altering the example you provided: 
&nbsp;  
&nbsp; class subsite {      
&nbsp;   "/foo"      
&nbsp;   "/foobar"      
&nbsp;   "/feefifoo"   
&nbsp;   }   
&nbsp;      
&nbsp;   class allow {      
&nbsp;   "192.168.1.1"      
&nbsp;   "192.168.1.3"      
&nbsp;   "192.168.1.4"   
&nbsp;   }   
&nbsp;      
&nbsp; when HTTP_REQUEST { 
&nbsp; if { not [matchclass [IP::client_addr] equals $:: allow] &amp;&amp; [matchclass [string tolower [HTTP::uri]] contains $:: subsite] } { 
&nbsp; discard 
&nbsp; } else { 
&nbsp;  }     
&nbsp;    } 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Rob

hooleylist · Answer

As Deb suggested before, you'd actually want to define the class as a type of 'address' to avoid doing a string comparison against the client IP address.  This also allows you to define networks instead of individual hosts. 
  
 The bigip.conf entry should look like:

class myIPs {  
    host 10.10.1.1  
    network 192.168.1.1 255.255.255.0  
 }

And make sure you don't have a space in the class references.  They should be $::allow and $::subsite. 
  
 Aaron

Forum Discussion

ACL for sub-website?

5 Replies

Recent Discussions

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

Related Content

Protect your applications using F5’s Distributed Cloud and Fast ACL’s

How to change ACL forbidden page?

APM Security: Protecting Internal Resources Using ACLs

F5 apm ACL ACES bypassed

HTTPD IP allow ACL from Configuration Utility