Forum Discussion

nikhilmbass
Feb 28, 2022

Irule for restricting access

Hello Members,

I have an application hosted on the F5, which also has an I-rule redirect policy attached to it.
https://domain.com redirects to https://domain.com/admin/login.jsp
This is accessible over both public and pvt.

We have a new requirement, where we need to restrict access to just the below application URL path to only private networks.
https://domain.com/admin/tools/index.html
Can this be achieved and will it cause any compatibility issues with the existing above IRule redirect ??

  • Hello, you should be able to do this either with iRule or with LTM policy. 
    F5 recommends using options available in standard configurations / GUI / traffic profiles over iRule syntax where possible, as they typically perform faster. 

    In your case however using data group lists might be easier to maintain. One IP type data group to list restricted networks, and one string type data group to list restricted URIs.

    if { [class match [HTTP::path] ends_with restricted_uri_class] && [class match [IP::client_addr] equals restricted_ip_class] } { reject }

    • nikhilmbass

      Thanks CA_Valli for your suggestion. The solution worked perfectly fine.
      Much appreciated
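
An added example, not from the thread or from F5: the restriction written as an allow-list (clients outside the private data group are refused) and combined with the root redirect in one iRule, so the order of the two checks is explicit. The data group names `private_nets_dg` and `private_only_dg`, their contents, and the form of the redirect are assumptions.

```tcl
# Added example, not code from the thread. Assumed data groups, created beforehand:
#   private_nets_dg  (type ip):     10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
#   private_only_dg  (type string): /admin/tools/
# Assumption: the existing redirect sends "/" to /admin/login.jsp.
when HTTP_REQUEST {
    # Normalise before matching: decode percent-escapes and lower-case the path,
    # so the comparison sees the same path the application will serve.
    set path [string tolower [URI::decode [HTTP::path]]]

    # 1. Restriction first: a request under a protected prefix from a client
    #    outside the private networks is refused before any other logic runs.
    if { [class match $path starts_with private_only_dg] } {
        if { ![class match [IP::client_addr] equals private_nets_dg] } {
            log local0. "Blocked [IP::client_addr] from [HTTP::host][HTTP::path]"
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
            return
        }
    }

    # 2. Existing redirect, unchanged for every client.
    if { $path eq "/" } {
        HTTP::redirect "https://[HTTP::host]/admin/login.jsp"
    }
}
```

`return` only ends this iRule's handler, so if the redirect stays in a separate iRule on the same virtual server its HTTP_REQUEST event still runs after the 403 has been sent.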

  •  

    You can use the below iRule if you are using a redirection iRule on the same virtual server

    when HTTP_REQUEST {
        if { [HTTP::host] equals "domain.com" } {
            # Redirect the two application paths to HTTPS on the same host
            if { [HTTP::uri] starts_with "/admin/tools" } {
                HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
            } elseif { [HTTP::uri] starts_with "/admin/login.jsp" } {
                HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
            }
        } else {
            # Any other host: no action, the request goes to the default pool
        }
    }

     

    • neeeewbie

      I guess it is better to add a virtual server than to add the iRule.

      F5 can create a virtual server with the same destination IP if the source IP address differs from the existing virtual server.

      The URL below explains the order of precedence for virtual server matching:

      https://support.f5.com/csp/article/K14800
