Forum Discussion

player_72606 (Nimbostratus)
Apr 15, 2008

FilterURI to Source IP

Hi,

I need to configure an "access-list" to permit a specific source address to a specific URI for web-application management.

Other traffic to this URI from other source addresses should be directed to another URI.

How can this be done?

8 Replies

  • Hi

    I would modify this from Codeshare:

    http://devcentral.f5.com/Wiki/default.aspx/iRules/AccessControlBasedOnIP.html

    You could put the logic in an "HTTP_REQUEST" event instead and wrap the if/else in the following (semi-pseudocode, because I ain't that good at iRules yet)...

    when HTTP_REQUEST {
      if { [HTTP::uri] contains "web/application/management/uri" } {
        if { [matchclass [IP::client_addr] equals $::trustedAddresses] } {
          # trusted source: let the request through
        } else {
          # .......... (handle requests from other sources here)
        }
      }
    }

    Look up matchclass in the iRules Wiki for examples of how to use datagroups (easy).

    Hope this helps

    J
  • What's wrong here? Parse error:

    when HTTP_REQUEST {
    if {[[HTTP::uri] contains "GIBWeb/Screens/manage/mlogin.aspx" ]}
    {if {[matchclass [IP::client_addr] equals $::web_mng]
    log local0.info "Allowed client to uri: [IP::client_addr] requesting: [HTTP::uri]"}
    {else
    log local0. "Invalid client IP: [IP::client_addr] - discarding"
    discard
    }
    }
    }


  • First, some parse error message would be welcome ^^

    You can find those in /var/log/ltm.

    Then, your braces and brackets are not placed properly:

    when HTTP_REQUEST {
      if { [HTTP::uri] contains "GIBWeb/Screens/manage/mlogin.aspx" } {
        if { [matchclass [IP::client_addr] equals $::web_mng] } {
          log local0.info "Allowed client to uri: [IP::client_addr] requesting: [HTTP::uri]"
        } else {
          log local0. "Invalid client IP: [IP::client_addr] - discarding"
          discard
        }
      }
    }
  • Ok, now that the syntax is legal, the iRule itself doesn't work.

    It seems that once this code is attached to the VS, all requests to this URI are blocked; the matchclass cannot find a match.
  • What do you have in the $::web_mng class? You can either log it using 'log local0. "\$::web_mng: $::web_mng"' or paste it in. $::web_mng should be an address datagroup with a format of:

    
       network 1.0.0.0 mask 255.0.0.0
       network 2.2.0.0 mask 255.255.0.0
       host 3.3.3.3

    If you add an entry for network 0.0.0.0 mask 0.0.0.0, do the requests get sent to the default pool?

    Aaron
  • This is weird...

    web_mng has all the networks - 0.0.0.0 / 0.0.0.0

    and still there's no match on this matchclass.

    The ltm log:

    "Apr 16 09:11:09 tmm tmm[1648]: 01220001:3: TCL error: uri_filter_sourceip - can't read "::web_mng": no such variable while executing "matchclass [IP::remote_addr] equals $::web_mng"

    Anyone, please?
  • The datagroup/class name is case sensitive. Are you sure that the class is named exactly "web_mng"?

    Aaron
  • Did you create the datagroup using Admin Console >> Local Traffic >> Data Groups >> Create >> Address?

    Could you cut and paste the section of /config/bigip.conf containing the class? It's probably the only section starting with 'class', something like:

    class a {
       network 1.2.3.4/0
       host 1.2.3.4
    }
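To close the loop on the original request (trusted sources may reach the management URI, every other client is sent to a different URI), here is a complete iRule as an added example. It is not code from the thread or from the Codeshare entry linked above. It assumes the management area lives under /GIBWeb/Screens/manage/ (the path used in the thread), an Address data group named web_mng, and a made-up redirect target /GIBWeb/Default.aspx. Two points the thread's version misses: IIS serves .aspx paths case-insensitively, so a case-sensitive `contains` on the whole URI is bypassed by /gibweb/screens/manage/mlogin.aspx and is also triggered by an unrelated request whose query string merely contains that text, hence the lower-cased HTTP::path and starts_with below; and the 0.0.0.0/0.0.0.0 entry suggested for testing matches every client, so it is a diagnostic only and has to be removed from web_mng once the rule is known to fire.

```tcl
# Added example, not from the thread. Assumed names: data group "web_mng",
# management path prefix "/GIBWeb/Screens/manage/", redirect target
# "/GIBWeb/Default.aspx". Attach to the virtual server fronting GIBWeb.
when HTTP_REQUEST {
    # Compare on the path only (not the query string) and in one case,
    # because IIS resolves /GIBWeb/... and /gibweb/... to the same resource.
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/gibweb/screens/manage/" } {
        # class match is the v10+ form and refers to the data group by name.
        # On v9 the equivalent test is:
        #   [matchclass [IP::client_addr] equals $::web_mng]
        if { [class match [IP::client_addr] equals web_mng] } {
            log local0.info "Allowed management client [IP::client_addr] to [HTTP::uri]"
            # Trusted source: stop processing here so the request goes to the default pool.
            return
        }

        # Everyone else is sent to the public entry page instead of the management UI.
        log local0.warn "Redirecting untrusted client [IP::client_addr] away from [HTTP::uri]"
        HTTP::redirect "https://[HTTP::host]/GIBWeb/Default.aspx"
    }
    # Requests outside the management prefix fall through untouched.
}
```

web_mng is an Address data group holding the management networks and hosts (for instance 10.0.0.0/8 and 203.0.113.7/32, constructed values). If the rule is behind a proxy or load balancer that terminates client connections, IP::client_addr is the proxy's address and the check must use a trusted X-Forwarded-For value instead; that is a separate problem from the one in this thread.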