NimbostratusNeed to limit access for specific IP addresses to specific URI and allow rest all
Hi Everyone,
Am trying to achieve the following conditions for a VIP on my f5:
- Allow 1.1.1.1 to access only https://abc.xyz.com/eee. All other URI on https://abc.xyz.com/ should be blocked for 1.1.1.1. Whereas all other IP addresses should be able to access this URI (/eee).
- Allow only 2.2.2.2, 3.3.3.3 and 4.4.4.4 to access only https://abc.xyz.com/fff. All other URI on https://abc.xyz.com/ should be blocked for these IP addresses. Similarly, this URI (/fff) should be blocked for all other IP addresses.
- Rest all traffic to https://abc.xyz.com should work/flow normally
Now, on the configuration part, I have only one HTTPS VIP abc.xyz.com-443 and only one pool abc.xyz.com-pool configured with 2 listening nodes on the F5. Business needs to achieve the above requirements on this VS. My main consideration is that the solution should be a light/easy one.
I thought of providing the solution with below iRule, but not sure if it would perfectly:
when HTTP_REQUEST {
if { ([HTTP::uri] contains "/eee") && ([IP::addr [IP::client_addr] equals 1.1.1.1/32]) } {
pool abc.xyz.com-pool
} elseif { ([IP::addr [IP::client_addr] equals 1.1.1.1/32]) } {
drop
} elseif { ([HTTP::uri] contains "/fff") && ([IP::addr [IP::client_addr] equals 2.2.2.2/32, 3.3.3.3/32, 4.4.4.4/32]) } {
pool abc.xyz.com-pool
} elseif { ([HTTP::uri] contains "/fff") && ([IP::addr [IP::client_addr] equals 0.0.0.0/0]) } {
drop
} elseif { ([IP::addr [IP::client_addr] equals 2.2.2.2/32, 3/3/3/3/32, 4.4.4.4/32]) } {
drop
} else {
pool abc.xyz.com-pool
}
Request you guys to provide your inputs/suggestions on above iRule, if it is apt with minimum load on my F5 LTM or if the iRule would work as expected at all. Else please provide your way of approach for the best solution to above case along with the configurations, which would be light on my LTM.
Thanks in advance!!!
