iRule Newbie - Limit Access to URIs based on IP Source

Question

Hi,&nbsp;
I am just starting out in the wold of iRules - apologises for any newbie errors.&nbsp;
We have a test site that where access control was based on a firewall ACL - pretty simple worked fine.&nbsp;
Now our developers have created an app they wish to test from anywhere on the Internet but still want restrict access based on source IP to the originlal test site.&nbsp;
i.e.&nbsp;
/authenticate :: permit 0.0.0.0/0&nbsp;
/* :: permit only x.x.x.x/y and host a.b.c.d&nbsp;
I have already created an iRule to rewite the client's URI request from "/" to our landing page - /web/landing_page - this is also working fine.&nbsp;
I was going to add a second iRule to the VS with priority set so that it execute following the rewrite iRule.&nbsp;
My logic for the second iRule:&nbsp;
priority 20&nbsp;
if http request uri eq /authenticate&nbsp;
permit&nbsp;
else if http request eq datagroup_string-class&nbsp;
permit&nbsp;
 &nbsp;
The data group would list the URI with a permited access-group address list as the value.&nbsp;
Questions:&nbsp;
Will my logic work?&nbsp;
Can I use a wildcard e.g. "/*" for the test site URI or do I have to have every URI listed?&nbsp;
 &nbsp;
Thanks!&nbsp;
Mark&nbsp;
 &nbsp;

mohamed_lrhazi · Answer

Can you show a made up example of the data group?

rustic_57941 · Answer

Hi, 
&nbsp;  
&nbsp; The data group (string class) looks like this:: 
&nbsp;  
&nbsp; /authenticate:=Auth_Allowed_IPs 
&nbsp; /web/landing_page:=Test_Allowed_IPs 
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp; Thanks

mohamed_lrhazi · Answer

Maybe your data could be like so: 
&nbsp;  
&nbsp; /authenticate:=0.0.0.0/32 
&nbsp; /web/landing_page:=1.2.3.4/32,1.2.3.5/32,192.168.0.0/16 
&nbsp; ... 
&nbsp; then your irule could lookup the list of subnets for that matches the current URI, split it and then test the client_ip against each, if no match found, reject. 
&nbsp;  
&nbsp; else, fall through and use default pool. 
&nbsp;  
&nbsp; Maybe there is a much simpler way. read about class for some ideas maybe: https://devcentral.f5.com/wiki/irules.class.ashx

rustic_57941 · Answer

Thanks - I have change thins a little by creating a address-class datagroup which has the permitted IP addresses. This is used on the following iRule:

when HTTP_REQUEST { 
   if { [string tolower [HTTP::path]] contains "/web/landing_page" } { 
      if { !([matchclass [IP::client_addr] equals Test_Allowed_IPs])} { 
         discard 
      }
   }
}

This working with initial testing. 
  
 Rgds, 
 Mark

Forum Discussion

iRule Newbie - Limit Access to URIs based on IP Source

4 Replies

Recent Discussions

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Can iRule be used to perform exception of IPI category based on Geolocation

[ASM] - what is "Browser Challange file" ?

LDAPS and renegotiation

Related Content

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

How to ensure source address and source port are accepted and traversed properly via F5 SNAT automap

The Power of Source Address

API Security: How to implement API Access Control with F5

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator