Forum Discussion

Bob_Olson_10988
Nov 16, 2007

Restrict access to nodes in a pool after pool is selected.

Hello;

I'm extremely new to iRules and am doing my best at teaching myself. These forums are a huge help. I've been asked to come up with something that I'm not sure is even possible.

We have an iRule that searches for a string in the body of the HTTP post. If the string is found it selects a certain pool. In that pool there are members that our security team wants to restrict access to. I have another iRule working that restricts access based on source IP address, but what I'm struggling with is how to apply that ACL iRule to only certain nodes in the pool. Here is the main rule:

when HTTP_REQUEST {
    # The search string was lost when the post was extracted; it is restored here
    # from the log message below. findstr returns "" when the string is not present.
    if { [findstr [HTTP::payload] "MULTICARD_AUTH"] ne "" } {
        log local0. "MULTICARD_AUTH Found sending request to TIBCO Server."
        pool soaq-ccauth
    } else {
        log local0. "String not found sending to Webmethods only pool."
        pool wbomxrealq_5080
    }
}

 

 

The pool soaq-ccauth is the pool with "special" members in it. If anyone can give me some tips to get me out of this sticking point, I would greatly appreciate it.

Thanks;

-Bob

3 Replies

  • Hi Bob,

    Seems like the easiest thing to do would be to create 2 more pools, one with the "non-restricted" members only and a second pool with only the "restricted" members, then you can do a nested if to take care of this.

    Something like (I have not checked the syntax of this on an actual box):

    when HTTP_REQUEST {
        # Search string restored from the log line; the posted line was garbled.
        if { [findstr [HTTP::payload] "MULTICARD_AUTH"] ne "" } {
            log local0. "MULTICARD_AUTH Found sending request to TIBCO Server."
            # x.x.x.x is the placeholder from the post, not a real address
            if { [IP::client_addr] equals "x.x.x.x" } {
                pool soaq-ccauth-restricted
            } else {
                pool soaq-ccauth-open
            }
        } else {
            log local0. "String not found sending to Webmethods only pool."
            pool wbomxrealq_5080
        }
    }

    I can't think of a good way to apply an ACL to only some members of a pool but maybe I'm missing something...

    Denny
  • Thanks for your input Denny. Your input gave me an idea. I've modified the rule to look like this:

    when HTTP_REQUEST {
        # After the client connects, inspect the payload and look for MULTICARD_AUTH.
        # If the string is found then send a log stating that and send it to the pool with Tibco servers in it.
        if { [findstr [HTTP::payload] "MULTICARD_AUTH"] ne "" } {
            log local0. "MULTICARD_AUTH Found sending request to TIBCO Server."
            pool soaq-ccauth
        } else {
            # If the string isn't found then we direct them to a pool of nothing but Webmethods servers in it.
            log local0. "String not found sending to Webmethods only pool."
            pool wbomxrealq_5080
        }
    }

    when LB_SELECTED {
        # Only clients listed in the tibco_datagroup class may reach a member listed in tibco_servers.
        if { [matchclass [LB::server addr] equals $::tibco_servers] } {
            log local0. "Sent to Tibco."
            if { not [matchclass [IP::client_addr] equals $::tibco_datagroup] } {
                log local0. "Dropping client"
                drop
            }
        }
    }

     

  • FYI, after some more testing this iRule seems to do the trick.

    # Tibco iRule v1.3 - 11/19/2007
    #
    # This iRule will search for a string in the payload of an HTTP request and make a decision
    # on which pool to send the request to and optionally log to /var/log/ltm. It will also
    # verify that the client connecting is a trusted IP address.

    when HTTP_REQUEST {
        # After the client connects, inspect the payload and look for MULTICARD_AUTH.
        # If the string is found then send a log stating that and send it to the pool with Tibco servers in it.
        if { [findstr [HTTP::payload] "MULTICARD_AUTH"] ne "" } {
            # [LB::server addr] is not populated until LB_SELECTED has run, so the server
            # logged here is empty or stale; the LB_SELECTED log below is the reliable one.
            log local0. "MULTICARD_AUTH Found sending request to TIBCO Pool, server [LB::server addr]."
            pool soaq-ccauth
        } else {
            # If the string isn't found then we direct them to a pool of nothing but Webmethods servers in it.
            log local0. "String not found sending to Webmethods only pool."
            pool wbomxrealq_5080
        }
    }

    # Once the load balancer makes a decision to send the request to a pool member, we check
    # to see if the pool member is a Tibco server. If the member is a Tibco server then we
    # check to see if the client is in the allowed hosts datagroup. If the client doesn't exist,
    # then the connection is dropped.
    when LB_SELECTED {
        # Get node address and check it against the tibco_servers class.
        # Get client IP address and check it against the tibco_datagroup class.
        # If the client IP isn't in the class the connection gets dropped and logged.
        if { [matchclass [LB::server addr] equals $::tibco_servers] and
             not [matchclass [IP::client_addr] equals $::tibco_datagroup] } {
            log local0. "Client, [IP::client_addr], not authorized to connect to Tibco server [LB::server addr]."
            drop
        } else {
            # Log which member/node in the pool the client was sent to.
            log local0. "Sent request from [IP::client_addr] to server [LB::server addr]"
        }
    }
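Added example, not code from the thread: the same policy, but the request body is collected before it is searched. In HTTP_REQUEST the body has usually not arrived yet, so HTTP::payload there only sees whatever happened to share a segment with the headers, and the pool decision (and therefore the member ACL) would depend on packet boundaries; HTTP_REQUEST_DATA fires once the requested bytes are buffered. The pools, data groups, search string and v9-era matchclass syntax are the thread's; the 1 MB collect cap is an assumption.

```tcl
# Added example (not the original poster's rule): same decision policy, with the
# body buffered by HTTP::collect so the match runs on the actual POST payload.
when HTTP_REQUEST {
    # Only a request with a body can carry MULTICARD_AUTH; anything without one goes
    # straight to the Webmethods pool. (A chunked request with no Content-Length is
    # treated as having no body here.)
    set clen [HTTP::header "Content-Length"]
    if { [HTTP::method] equals "POST" and $clen ne "" and $clen > 0 } {
        # Assumed cap: stops a client from making the proxy buffer an arbitrarily large body.
        if { $clen > 1048576 } { set clen 1048576 }
        HTTP::collect $clen
        return
    }
    log local0. "No body to inspect, sending to Webmethods only pool."
    pool wbomxrealq_5080
}

when HTTP_REQUEST_DATA {
    # Runs after the collected bytes are available; HTTP::payload now holds the body.
    if { [HTTP::payload] contains "MULTICARD_AUTH" } {
        log local0. "MULTICARD_AUTH found, sending request to TIBCO pool."
        pool soaq-ccauth
    } else {
        log local0. "String not found, sending to Webmethods only pool."
        pool wbomxrealq_5080
    }
    HTTP::release
}

when LB_SELECTED {
    # Member-level ACL: a member listed in tibco_servers may only be reached from
    # a client address that matches tibco_datagroup (address classes match by subnet).
    if { [matchclass [LB::server addr] equals $::tibco_servers] and
         not [matchclass [IP::client_addr] equals $::tibco_datagroup] } {
        log local0. "Client [IP::client_addr] not authorized for Tibco server [LB::server addr], dropping."
        drop
    } else {
        log local0. "Sent request from [IP::client_addr] to server [LB::server addr]"
    }
}
```

Because the pool is now chosen in HTTP_REQUEST_DATA, the virtual server's default pool is never used for a POST that was collected; requests that skip collection are routed explicitly in HTTP_REQUEST.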