Forum Discussion

JamesR_40280
Apr 09, 2008

Restricting Access by IP to different web application

We're using a HA pair of ASM-4100 devices to secure a web application. We have a good policy for outside users that restricts access to general areas. However we also have internal staff that need access to administrative areas. We would like to allow those local users based on a class C IP address range (10.1.1.0) to access the site without the policy that is used by other users. I have tried enabling X-forwarded-for on the http class on the Virtual Server, and then attempting to find the local IP in the host with a HTTP Class Profile that will then send them to a less restrictive ASM class, but have not had any success. I'm not sure I'm giving the HTTP Class Profile the right code in the Hosts area. I'm using (regex) X-Forwarded-For:10.1.1*.
I've also used several other combinations of regular expressions and pattern strings with no success.
Is this a reasonable approach to what I'm trying to accomplish? I've seen the iRule samples for IP forwarding to different Virtual Servers, but I want the same virtual server to send traffic to one web application versus another. Also, I'm not sure how to adopt those samples to what we're trying to do.

4 Replies

  • Ideally, matching on the source IP against a list of hosts/networks would be an option on the HTTP class filters. There is an existing 'request for enhancement' asking for this functionality. It would be good to open a case with F5 Support (websupport.f5.com) and ask them to attach your case to the existing request.

    Inserting an XFF header and then using that for HTTP class matching is an interesting idea for how to select an HTTP class based on the client IP address. It does seem to work, if you enable the insertion of XFF or a custom header on the HTTP profile. A filter you can use on the HTTP class is:

    Pattern (not regex): X-Forwarded-For: 192.168.*

    This worked in a quick test.

    However, from a security standpoint, it would be better to use an iRule to remove all instances of the header name you're going to use and then insert the client IP address in the header. This ensures that a malicious client couldn't affect the class selection by inserting their own value in the header. Here's an example:

    when HTTP_REQUEST {
       # Insert a test header value to verify it's removed by this rule (remove this after testing)
       HTTP::header insert name "X-Forwarded-For" value hacked_value
       # Log the current header names
       log local0. "\[HTTP::header names\]: [HTTP::header names]"
       # Remove all instances of the existing headers
       while {[HTTP::header exists x-forwarded-for]}{
          log local0. "Current value: \[HTTP::header value x-forwarded-for\]: [HTTP::header value x-forwarded-for]"
          # Remove the current header
          HTTP::header remove x-forwarded-for
          log local0. "\[HTTP::header names\]: [HTTP::header names]"
       }
       # Insert the actual client IP address in the header
       HTTP::header insert name "X-Forwarded-For" value [IP::client_addr]
    }

    Also, this string matching approach only allows you to match on class A, B, C or hosts. If you wanted to do a more precise match, you could define the hosts/networks in a datagroup, check the client IP address against the class using matchclass and then manually select the corresponding HTTP class in an iRule using the HTTP::class command. Note that any HTTP class you specify must already be configured as a resource of the virtual server. If you take this route and want an example, let us know.

    Thanks,

    Aaron
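    An added example of the datagroup/matchclass route described in the reply above (not Aaron's code, and not taken from the thread): it assumes an address datagroup named admin_nets that holds the internal 10.1.1.0/24 range, and two HTTP classes, admin_http_class and public_http_class, both already attached to the virtual server. It strips any client-supplied X-Forwarded-For header before selecting a class, so the selection depends only on the TCP source address, not on anything the client sent.

```tcl
when HTTP_REQUEST {
   # Remove every X-Forwarded-For header the client sent so a forged value
   # cannot influence class selection or what the back-end sees.
   while {[HTTP::header exists X-Forwarded-For]} {
      HTTP::header remove X-Forwarded-For
   }
   # Record the real client address for the application logs.
   HTTP::header insert X-Forwarded-For [IP::client_addr]

   # admin_nets is an assumed address datagroup (e.g. 10.1.1.0/24).
   # matchclass is the command named in the reply; later LTM versions
   # use "class match" instead.
   if {[matchclass [IP::client_addr] equals $::admin_nets]} {
      # Internal staff: send to the less restrictive ASM class.
      HTTP::class select admin_http_class
   } else {
      # Everyone else keeps the standard, restrictive policy.
      HTTP::class select public_http_class
   }
}
```

    Because the decision is made on [IP::client_addr], the X-Forwarded-For string match on the HTTP class is no longer needed; the header insert is kept only so the servers still log the originating address.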
  • Worked brilliantly. Thank you very much for your assistance. I will enter a web case to pile on the existing 'request for enhancement'.
  • That's good to hear. And thanks for opening a case for the RFE. The more requests F5 gets, the more visibility the CR gets.
    Thanks,
    Aaron
  • 10 get ltm config request
    20 google it
    30 read hoolio's solution
    40 profit
    50 go 10

    :-)