Forum Discussion

Nolan_Jensen
Sep 24, 2019

Source IP and http path restriction via irule or LTM policy

I am trying to figure out the best way to accomplish the below scenario so any help you can provide would be greatly appreciated.  

 

I would like to be able to allow and block certain IPs and HTTP paths to a VS.

 

1. If the source IP is found on a list of source IPs then allow full access

2. If the source IP is not found on the above list then block the below HTTP paths from all other source IPs

/maintenancepagedev/swagger/*

/maintenancepagedev/api/remove/*

/maintenancepagedev/api/update/*

/maintenancepagedev/api/set/*

/treecoupondev/*

3. Ensure that all other HTTP paths not defined in step 2 are allowed access.

 

I have used iRules in the past to accomplish numbers 1 and 2 separately but have never done them together. I am aware that I can use a data group list and reference it in both an iRule and an LTM policy.

 

I have been trying to create an LTM policy that will do this but don't think I have the logic figured out. Here is what I have so far. If it makes more sense to do an iRule, could you, if possible, provide an example to show me the if/else logic, which is what I am struggling with.

 

LTM policy is set to Strategy of all

Rule 1:

Rule 2:

Rule 3:

2 Replies

  • Hi Nolan Jensen,

    Only rule 2 is enough. I think wildcard characters are not working in the policy, but I'm not sure. You can use "starts with" instead of "is" and remove the wildcard (*).

    iRule:

    when HTTP_REQUEST {
        # Step 1: sources in the nolan_test address data group skip the path check
        if { not ([class match [IP::client_addr] equals nolan_test]) } {
            # Step 2: unlisted sources are rejected on the protected prefixes
            switch -glob [string tolower [HTTP::uri]] {
                "/maintenancepagedev/swagger/*" -
                "/maintenancepagedev/api/remove/*" -
                "/maintenancepagedev/api/update/*" -
                "/maintenancepagedev/api/set/*" -
                "/treecoupondev/*" {
                    # log local0. "Uri: [HTTP::uri] ClientIP: [IP::client_addr]"
                    reject
                }
                default {
                    # Step 3: any other path is allowed through
                    # log local0. "Uri: [HTTP::uri] ClientIP: [IP::client_addr]"
                }
            }
        }
    }
    • Nolan_Jensen

      Thank you very much for the response!

      I tried just that rule of the policy but it didn't seem to work. I was still able to access URIs that I didn't want to be accessible from an IP that was not in my data group list.

      I also tried the iRule you provided and it seems to be working in my initial testing.

      Typically, when doing an iRule to allow or reject access to a VS based on source IP, I have used the CLIENT_ACCEPTED method below.

      1. Is CLIENT_ACCEPTED a better way to do source IP via iRule?
      2. If so, can my iRule combine both of them and get the same logic to work?
      when CLIENT_ACCEPTED {
          # reject the TCP connection outright when the source is not in the data group
          if { not [class match [IP::client_addr] equals nolan_test] } {
              reject
          }
      }
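The three requirements from the original post, evaluated in the same order as the posted HTTP_REQUEST iRule (allow-list first, then the blocked prefixes, then allow everything else), as an added Python reference model for checking the decision table offline; it is not code from the thread or from F5. The address list and the sample requests are constructed, and, unlike the iRule's match on the raw `HTTP::uri`, the path is first reduced to a canonical form (query string removed, percent-decoding applied once, dot-segments and repeated slashes collapsed) so that differently spelled URIs reach the same decision.

```python
import fnmatch
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed allow-list standing in for the "nolan_test" address data group.
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.0.2.25/32")]

# Blocked prefixes from the original post. Tcl "switch -glob" lets "*" span "/",
# and fnmatch does the same, so the patterns can be reused verbatim.
BLOCKED_PATTERNS = (
    "/maintenancepagedev/swagger/*",
    "/maintenancepagedev/api/remove/*",
    "/maintenancepagedev/api/update/*",
    "/maintenancepagedev/api/set/*",
    "/treecoupondev/*",
)

def is_trusted(client_ip: str) -> bool:
    """Step 1: the 'class match ... equals nolan_test' lookup, with network support."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_SOURCES)

def canonical_path(uri: str) -> str:
    """Cut the query string off HTTP::uri, decode percent-escapes once, collapse
    dot-segments and repeated slashes, and lower-case like [string tolower ...]."""
    raw = uri.split("?", 1)[0] or "/"
    path = "/" + posixpath.normpath(unquote(raw)).lstrip("/")
    if raw.endswith("/") and not path.endswith("/"):
        path += "/"  # normpath drops the trailing slash the glob patterns rely on
    return path.lower()

def decide(client_ip: str, uri: str) -> str:
    """Return 'allow' or 'reject' following steps 1-3 of the post, in that order."""
    if is_trusted(client_ip):
        return "allow"  # step 1: listed sources get everything
    path = canonical_path(uri)
    if any(fnmatch.fnmatchcase(path, pat) for pat in BLOCKED_PATTERNS):
        return "reject"  # step 2: unlisted source on a protected prefix
    return "allow"  # step 3: everything else stays reachable

if __name__ == "__main__":
    for ip, uri in (("10.10.4.7", "/treecoupondev/x"), ("198.51.100.9", "/treecoupondev/x"),
                    ("198.51.100.9", "/a/../TreeCouponDev/x?id=1"), ("198.51.100.9", "/other")):
        print(f"{ip:14} {uri:32} -> {decide(ip, uri)}")
```

Note that the patterns as written require the trailing slash, so `/maintenancepagedev/api/set` without it is allowed by both the iRule and this model; add a second pattern without the slash if that path should be covered too.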