aschi
Jun 06, 2013

Proxypass Rule just for a specific IP-Range

Hi

We have the ProxyPass iRule version 10.9 successfully in place (https://devcentral.f5.com/wiki/iRules.proxypassv10.ashx).

But because a web service has confidential content, access has to be limited to a specific IP range, or maybe IP ranges in the future.

Without ProxyPass I would just use the following part in an iRule:

if { [IP::addr [IP::client_addr]/24 equals 10.85.4.0] } {
    access
}

The ProxyPass iRule is very complex with a lot of different sections.

I tried to add the "Client IP Restriction" somewhere in the ProxyPass rule but I wasn't able to get it running.

Is this possible?

Where would I have to place the IP address check?

Best Regards,

Roger

2 Replies

  • I would use a NOT condition in the IP check and put it at the top of the CLIENT_ACCEPTED event, with a reject statement if the source IP is NOT in your defined IP range.
  • aschi

    Hi

    I was able to solve it with the following entry after "when HTTP_REQUEST {" (ACA_allow_PepperHost contained the allowed Host):

    if { not [class match [IP::client_addr] equals ACA_allow_PepperHost] } {
        reject
    }

    Now I have to extend the if statement because the restriction is just for some URIs.

    I would like to first just test the URI restriction.

    The following didn't work:

    if { not [class match [HTTP::uri] equals ACA_restrict_Pepper_URI] } {

    What do I have to set as String and Value in the class?

    It never matched. Any ideas? Is it possible to use regex expressions in a class?

    Best Regards,

    Roger
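
An added example, not part of the original thread or of the ProxyPass iRule: one way to limit only certain URIs to allowed client addresses, reusing the two data-group names from the posts above. It assumes ACA_restrict_Pepper_URI is a string data group of lower-case path prefixes (the sample prefix in the comment is constructed) and ACA_allow_PepperHost is an address-type data group.

```tcl
when HTTP_REQUEST {
    # In the poster's setup this body would sit at the top of the ProxyPass
    # HTTP_REQUEST block; it is shown here as its own event for readability.

    # class match compares with equals, starts_with, ends_with or contains.
    # "equals" needs the whole string to be identical, and HTTP::uri also
    # carries the query string, so the check below uses the path only and
    # matches by prefix.
    # Assumption: keys in ACA_restrict_Pepper_URI are lower-case path
    # prefixes (constructed sample: "/pepper/confidential"); the value field
    # of each record is not used and can stay empty.
    set path [string tolower [URI::decode [HTTP::path]]]

    if { [class match $path starts_with ACA_restrict_Pepper_URI] } {
        # Assumption: ACA_allow_PepperHost is an address-type data group
        # holding hosts or networks (for example 10.85.4.0/24), so "equals"
        # here means "client address falls inside one of the entries".
        if { not [class match [IP::client_addr] equals ACA_allow_PepperHost] } {
            log local0. "Denied [IP::client_addr] for [HTTP::host]$path"
            reject
            # reject does not end the event; return stops further processing
            # of this request in the rest of the rule.
            return
        }
    }
}
```

Requests to paths outside the restricted prefixes pass through unchanged, so the address check applies only where the data group says it should.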