Forum Discussion

Joe_Gorman_4645
Mar 05, 2012

Restriction of access to URI by IP

So I'm needing to restrict access to 4 URIs by IP Address. I have created the following iRule and Datagroup. At this time, it works for the first URI in the list, but returns a 404 error for the rest of the URIs below. Is there something that I am missing? It looks like it should function normally.

Thanks

class grs_access {
   {
      network 10.0.0.0/8
      host 50.16.227.16
      network 172.16.0.0/16
      network 192.168.0.0/16
      host 204.236.236.43
   }
}

rule grsreg_whitelist {
   when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        "/grda*" {
            if {not [matchclass [IP::client_addr] equals grs_access]} {
                HTTP::respond 403 content {Blocked!}
            }
        }
        "/grsupport*" {
            if {not [matchclass[IP::client_addr] equals grs_access]} {
                HTTP::respond 403 content {Blocked!}
            }
        }
        "/grreg*" {
            if {not [matchclass[IP::client_addr] equals grs_access]} {
                HTTP::respond 403 content {Blocked!}
            }
        }
        "/grrt*" {
            if {not [matchclass[IP::client_addr] equals grs_access]} {
                HTTP::respond 403 content {Blocked!}
            }
        }
    }
}
}

2 Replies

  • Hi Joe,

    Are you sure about the 404? The iRule should either send a 403 or send the request to the VS default pool. I don't see how LTM could cause a 404 here either by rewriting the request or selecting the wrong pool.

    Though you are missing a space between matchclass and the client IP in the last three switch cases. That should cause a runtime TCL error and a TCP reset being sent to the client.

    Also, you could combine the four URIs into one switch action like this:

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::path]] {
            "/grda*" -
            "/grsupport*" -
            "/grreg*" -
            "/grrt*" {
                if {not [matchclass [IP::client_addr] equals grs_access]} {
                    HTTP::respond 403 content {Blocked!}
                }
            }
        }
    }
    

    Aaron
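The two points in the reply above, as an added example that is not part of the thread: a plain tclsh script in which the iRule commands (IP::client_addr, HTTP::path, HTTP::respond, matchclass) are stubbed and the grs_access datagroup is replaced by a constructed host list, so the parse failure and the fall-through switch can be observed offline.

```tcl
# Added example, not from the thread. Runs in plain tclsh (8.5+): the iRule
# commands are stubbed and the whitelist is a constructed host list, so both
# points above can be seen without an LTM.
namespace eval IP   {}
namespace eval HTTP {}
set ::client 10.1.2.3
set ::path   /grsupport/login
set ::last_response none
proc IP::client_addr {} { return $::client }
proc HTTP::path {}      { return $::path }
proc HTTP::respond {code args} { set ::last_response $code }
# Stub for the grs_access datagroup: plain host list instead of CIDR matching.
proc matchclass {addr op class} {
    expr {$addr in {10.1.2.3 50.16.227.16 204.236.236.43}}
}

# 1. The missing space. Tcl splits a command into words on whitespace, so
#    "matchclass[IP::client_addr]" is ONE word: the literal text "matchclass"
#    glued to the substituted address. Tcl then looks for a command with that
#    whole string as its name and the script errors out; on LTM that runtime
#    error is what produces the reset the reply describes.
puts "with space:    rc=[catch {matchclass [IP::client_addr] equals grs_access} r] -> $r"
puts "without space: rc=[catch {matchclass[IP::client_addr] equals grs_access} r] -> $r"

# 2. Aaron's combined switch, wrapped in a proc so it can be driven with
#    several constructed request paths and client addresses. A pattern whose
#    body is "-" falls through to the next body, so one block serves all four.
proc whitelist_check {} {
    switch -glob [string tolower [HTTP::path]] {
        "/grda*" -
        "/grsupport*" -
        "/grreg*" -
        "/grrt*" {
            if {not [matchclass [IP::client_addr] equals grs_access]} {
                HTTP::respond 403 content {Blocked!}
                return blocked
            }
            return allowed
        }
    }
    return passthrough   ;# path not in the restricted set: no check applied
}
# Constructed test traffic: whitelisted client, outside client (TEST-NET-3),
# and an unrestricted path.
foreach {::client ::path} {
    10.1.2.3      /grsupport/login
    203.0.113.7   /GRREG/form
    203.0.113.7   /public/index.html
} {
    puts [format "%-14s %-22s %s" $::client $::path [whitelist_check]]
}
```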
  • Ah... Geez... The missing space is what did me in. Thank you for the prompt response and for the abridged version of the rule. I wasn't sure if stacking them like that would have the desired effect, but being fairly new to this your wisdom is very appreciated.

    Thanks