Error on LTM with getting IP from data group in an iRule
Hi All,
Here are a few questions I have that someone may be able to answer...
Please help with the TCL error below. Is there something wrong with the iRule where it's giving this error on the load balancer in /var/log/ltm? Is the "set CHECK_IP" incorrect, or is there something in the data group (DG-ALLOWED-IP-XFF) the iRule doesn't like? It seems to be working from my testing, but the errors are concerning me. We need to resolve this before we go live soon.
Also, can you guys help format this into much better code? It seems there are too many "if" statements trying to do the same thing... maybe group it into an easier format where, if the IP address from the XFF is in the data group, then allow access to the URIs (also in a data group) the user is trying to access.
Here are the objectives:
- When users go to URIs defined in the "DG-ALLOWED-URI-LIST" data group, and their IP in the XFF header matches what's defined in the data group "DG-ALLOWED-IP-XFF", they will be allowed access. If not, their session will get rejected when trying to go to those URIs. All other access is allowed.
- The second block matches --> [HTTP::uri] eq "/uri1/uri2/uri3/adminpage" --- so if the user is trying to get there via a link on the main page, or goes there directly, their IP in the XFF header must match the data group "DG-ALLOWED-IP-XFF", and if so, they will get redirected to --> https://[HTTP::host]/secret/uri1/uri2/uri3/adminpage/
ERROR from /var/log/ltm: -- seems to be something with the $CHECK_IP event...
Mar 23 23:18:29 F5LTM01 err tmm2[19841]: 01220001:3: TCL error: /Common/iRULE-TEST-XFF - bad IP network address format (line 7)invalid IP match item %2527 for IP class /Common/DG-ALLOWED-IP-XFF (line 7) invoked from within "class match $CHECK_IP eq "DG-ALLOWED-IP-XFF""
Note: The IP in the data group was changed to 1.1.1.1/2.2.2.2 as an example to protect our real IP.
ltm data-group internal DG-ALLOWED-IP-XFF {
    records {
        1.1.1.1/32 { }
        2.2.2.2/32 { }
    }
    type ip
}
ltm data-group internal DG-ALLOWED-URI-LIST {
    records {
        /secure1 { }
        /secure2 { }
        /secure3 { }
    }
    type string
}
when HTTP_REQUEST {
    if { [active_members POOL-WEBSERVER-443] < 1 } {
        HTTP::redirect "http://site.maintenance-page.com"
    } else {
        set CHECK_IP [getfield [HTTP::header values X-Forwarded-For] " " 1]
        if { !([class match $CHECK_IP eq "DG-ALLOWED-IP-XFF"]) } {
            if { [class match [HTTP::uri] eq "DG-ALLOWED-URI-LIST"] } {
                reject
            }
            if { ([class match $CHECK_IP eq "DG-ALLOWED-IP-XFF"]) } {
                if { [string match "*/uri1/uri2/uri3/adminpage*" [HTTP::uri]] } {
                    HTTP::redirect "https://[HTTP::host]/secret/uri1/uri2/uri3/adminpage/"
                    log local0. "/adminpage redirect to /secret for internal users: [HTTP::uri]->[IP::client_addr]->[IP::local_addr]"
                }
            }
        }
    }
}
Appreciate any help anyone can provide.
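A restructured iRule covering both questions, added here as an example (it is not the poster's code or an F5-supplied one, and it has not been run against a BIG-IP). The pool, data-group names and adminpage path come from the post; splitting X-Forwarded-For on commas, the catch around class match, and the starts_with match on HTTP::path are my assumptions about the intended behaviour.

```tcl
when HTTP_REQUEST {
    if { [active_members POOL-WEBSERVER-443] < 1 } {
        HTTP::redirect "http://site.maintenance-page.com"
        return
    }

    # X-Forwarded-For is "client, proxy1, proxy2": take the first entry and
    # split on "," not " " (with a space separator, "1.1.1.1, 2.2.2.2" yields
    # "1.1.1.1," which is not a valid address). The leftmost entry is whatever
    # the client sent; only trust it if a proxy you control overwrites it.
    set xff [string trim [getfield [lindex [HTTP::header values X-Forwarded-For] 0] "," 1]]

    # class match raises "bad IP network address format" when the value is not
    # a parseable address (missing header, URL-encoded junk such as %2527, a
    # hostname). Trap that with catch and treat the request as not allowed
    # instead of letting the TCL error abort the rest of the iRule.
    set allowed_ip 0
    if { [catch { set allowed_ip [class match $xff equals DG-ALLOWED-IP-XFF] }] } {
        log local0. "Non-IP X-Forwarded-For '$xff' from [IP::client_addr] to [HTTP::uri]"
        set allowed_ip 0
    }

    # Assumption: a protected URI is any path that starts with an entry of
    # DG-ALLOWED-URI-LIST. The original used an exact "eq" match on HTTP::uri,
    # which misses sub-paths (/secure1/x) and query strings (/secure1?a=b).
    set protected [class match [string tolower [HTTP::path]] starts_with DG-ALLOWED-URI-LIST]
    set adminpage [string match -nocase "*/uri1/uri2/uri3/adminpage*" [HTTP::path]]

    # Objective 1: protected URIs are only reachable from an allowed address.
    if { $protected && !$allowed_ip } {
        reject
        return
    }

    # Objective 2: allowed addresses hitting /adminpage go to the /secret copy.
    if { $adminpage && $allowed_ip } {
        log local0. "/adminpage redirect to /secret for internal user: [HTTP::path] -> [IP::client_addr] -> [IP::local_addr]"
        HTTP::redirect "https://[HTTP::host]/secret/uri1/uri2/uri3/adminpage/"
        return
    }

    # Everything else passes through unchanged. Note that a non-allowed request
    # to /adminpage (or to the /secret/ target) also lands here, as the stated
    # objectives do not reject it; add those paths to DG-ALLOWED-URI-LIST if
    # they should be restricted too.
}
```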