Tony2020
May 25, 2017 Nimbostratus
Better way to match different URI based on XFF and different data group with IP
Hi All,
I was wondering if anyone can point out or suggest a better or more efficient way to put the two pieces of logic together in this code.
Data group:
- Data group with IP 1.1.1.1/32 & 1.1.1.2/32 & 5.5.5.0/24 called "DG-XFF-EXTERNAL-ALLOWED-IP"
- Data group with IP 2.2.2.1/32 and 2.2.2.2/32 called "DG-XFF-INTERNAL-ALLOWED-IP"
Requirement:
- If the external user's IP is in "DG-XFF-EXTERNAL-ALLOWED-IP" and they go to URI "/externalURI", they are allowed in based on XFF IP matching; otherwise they will be rejected.
- If the user's IP is in "DG-XFF-INTERNAL-ALLOWED-IP" and they go to URI "/internalURI", they are allowed in based on XFF IP matching; otherwise they will be rejected.
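    when HTTP_REQUEST {
        # First space-separated field of the X-Forwarded-For header value(s)
        set CHECK_IP [getfield [HTTP::header values X-Forwarded-For] " " 1]
        # External URI: reject unless the XFF address is in the external data group
        switch -glob [HTTP::uri] {
            "/externalURI" {
                if { !([class match $CHECK_IP equals DG-XFF-EXTERNAL-ALLOWED-IP]) } {
                    reject
                }
            }
        }
        # Internal URI (spelled as in the requirement): same check against the internal data group
        switch -glob [HTTP::uri] {
            "/internalURI" {
                if { !([class match $CHECK_IP equals DG-XFF-INTERNAL-ALLOWED-IP]) } {
                    reject
                }
            }
        }
    }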
Thank you!
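
A combined form of the two checks, as an added example that is not part of the original post: one switch maps the URI to its data group and a single `class match` decides, rejecting when the header is missing or is not a valid address. It assumes, as the post does, that the first X-Forwarded-For entry is the client address and that both data groups are address-type; the variable names `xff` and `dg` are made up for the example.

```tcl
when HTTP_REQUEST {
    # Assumption (from the post): the first X-Forwarded-For entry is the client.
    # Take the first header instance, then the first comma-separated address,
    # so a value such as "1.1.1.1, 10.0.0.5" yields "1.1.1.1".
    set xff [string trim [lindex [split [lindex [HTTP::header values X-Forwarded-For] 0] ","] 0]]

    # Map each protected URI to the data group that guards it.
    switch -glob -- [HTTP::uri] {
        "/externalURI" { set dg DG-XFF-EXTERNAL-ALLOWED-IP }
        "/internalURI" { set dg DG-XFF-INTERNAL-ALLOWED-IP }
        default        { return }
    }

    # Fail closed: a missing or malformed address makes class match either
    # return 0 or raise an error, and both outcomes end in reject.
    if { [catch { class match $xff equals $dg } allowed] || !$allowed } {
        reject
    }
}
```

Protecting another URI is then one more switch arm; URIs that match no arm pass through unchecked, as in the original rule.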