Dan44
Jun 24, 2019

Restrict Access to a URL with an iRule

Hi all,

I have a web server and would like to restrict access to the server. Access should only work if the request contains "/spa" or the IP matches the IPs in the data group. Unfortunately the iRule doesn't work. I am always getting an HTTP 403. Does anyone see an error in the iRule or have some experience with restricting access by IP and URL path?

when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/spa" or [class match [IP::client_addr] equals allowIP]} {
        pool web-server001
    } else {
        HTTP::respond 403
    }
}

THX!

4 Replies

  • JG

    You might want to put in some logging to help with troubleshooting, e.g.

    log local0. "[HTTP::uri] ; [IP::client_addr]"

    in the conditional to see where the incoming request gets to.

    Also, you should enable OneConnect if you have not done so.

  • Hi,

    I have enabled the logging. With the help of the logs we found out that the "client_addr" was always the interface IP of the firewall. The problem was on the firewall (NAT enabled). After disabling NAT on the FW the rule worked.
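
The logging approach suggested above, as an added example that is not part of the original thread: the original rule with each condition evaluated on its own and logged, which is what exposes the case described here, where every request arrives from the firewall's address. The variable names (uri, client_ip, uri_ok, ip_ok) are assumptions; the pool and data group names are taken from the question.

```tcl
when HTTP_REQUEST {
    # Evaluate each condition separately so the log shows which one fails.
    set uri       [string tolower [HTTP::uri]]
    set client_ip [IP::client_addr]
    set uri_ok    [expr { $uri contains "/spa" }]
    set ip_ok     [class match $client_ip equals allowIP]

    # client_ip is the source address as the BIG-IP sees it. If a device in
    # front of the BIG-IP applies source NAT, this is that device's address
    # for every request, so ip_ok reflects the NAT address, not the real client.
    log local0. "uri=$uri client=$client_ip uri_ok=$uri_ok ip_ok=$ip_ok"

    if { $uri_ok or $ip_ok } {
        pool web-server001
    } else {
        log local0. "403 sent to $client_ip for $uri"
        HTTP::respond 403
    }
}
```

The same client address on every log line, regardless of who is connecting, points to address translation upstream rather than to a fault in the rule or the data group. Remove the log statements once the behaviour is confirmed, since they write one or two lines per request.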

  • JG

    Good to hear you have got the problem sorted.

  • Hi Dan, so is this iRule working for a web server behind a DMZ? Do you mind explaining the NAT-enabled part on the FW? Did you have to modify the iRule in the end?

    Thanks

    Kai