Roflcopter
May 20, 2014

Access rule to deny IP based of URI called

We have moved some IIS servers to be hosted behind some LTM 1600's. They are doing SSL offload and all is working.


However, before the F5s were used, the IIS servers had some IP restrictions on certain parts of the website (the web management portal) to prevent unwanted people from accessing it. However, now that the IIS servers are behind the F5s, they only ever see the F5's self IP connect to them.


Is there a way, using an iRule or an access list, so that if someone calls a specific URI it is limited by an access list?


3 Replies

  • Hey. Yes, that's possible, however, I wonder if removing the SNAT you obviously have in place is possible as I feel that would be a better solution.


  • If I may add, I think WLB's initial notion would be the most sound. If you remove the SNAT profile, then the servers see the client's true source and you're back to where you started. Of course, to make that work you have to force return routing in another way, usually by making the F5 self-IP the default route for the servers. In lieu of that, I would be cautious using the F5 as an authorization platform. While it is entirely possible, and quite easy to do so, you might eventually find yourself managing very complex authz rulesets, and in multiple places. I think if you're going to do anything, and you cannot turn off SNAT, I'd recommend simply passing an X-Forwarded-For header and adding some code to your application to read this HTTP header (instead of the source address).
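
For readers who end up doing what the question asks (restricting one URI by source address on the LTM) or what the second reply suggests (handing the real client address to IIS via X-Forwarded-For), the following iRule is an added example written for this page; it is not code from the thread, from F5, or from any of the posters. It assumes a virtual server with an HTTP profile, an address-type data group named admin_allowed_ips containing the permitted management networks, and that the management portal lives under /admin/; the data group name and the path are constructed for the example.

```tcl
# Added example iRule (not from the original thread). Assumptions:
#   - the virtual server has an HTTP profile attached, so HTTP::* commands work
#   - an address-type data group "admin_allowed_ips" (constructed name) lists the
#     networks allowed to reach the management portal, e.g. 10.10.0.0/24
#   - the portal lives under /admin/ (constructed path)
when HTTP_REQUEST {
    # Normalise before matching: IIS is case-insensitive and percent-decodes the
    # path, so compare the decoded, lower-cased form rather than the raw bytes.
    # Otherwise /Admin/ or /%61dmin/ would bypass a literal "/admin/" check.
    set path [string tolower [URI::decode [HTTP::path]]]

    if { $path starts_with "/admin/" } {
        if { ![class match [IP::client_addr] equals admin_allowed_ips] } {
            # Record the refusal in /var/log/ltm so denied attempts are visible.
            log local0. "Denied [IP::client_addr] -> [HTTP::host][HTTP::uri]"
            # Answer at the HTTP layer and close; the request never reaches IIS.
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain" "Connection" "close"
            return
        }
    }

    # SNAT hides the client at the TCP layer, so pass the real address in a header.
    # Strip any X-Forwarded-For the client supplied first: the application must only
    # ever see the value this device set, not one the client chose.
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
}
```

Two points worth keeping in mind when using this. First, the allow list check lives on the LTM, so the portal stays reachable for anything that bypasses the virtual server (for example a direct connection to the IIS host); the IIS-side restriction is still worth keeping as defence in depth, with the F5 self IP in its allowed set. Second, the application should only trust X-Forwarded-For on requests that actually arrived from the F5 self IP, since any other source could set the header itself; removing the client-supplied header on the LTM, as above, covers the path through the F5 but not around it.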