Adam_102117
Dec 04, 2008 - Nimbostratus
Whitelist based on source IP and URI
Good Morning,
I have been asked to restrict access to multiple apps hosted under the same VS, with different access lists for each. I wrote an iRule that uses if/elseif/else blocks, and accesses several different datagroups, but I have been advised that the "switch" command is more economical on the system. Can I get some input on the best way to do this? Most of the examples I have seen use if statements, so I was assuming that was the way to go. If someone can give me an opinion on this iRule, and whether it can be tightened up with the "switch" command I would appreciate it. I have all of the datagroups created, and have ordered the statements in order of which one is the most frequent case.
    when HTTP_REQUEST {
        # Empty branches mean "allowed": the request passes through untouched.
        # URI prefixes are compared directly with starts_with; matchclass is
        # only used for the data group lookups.
        if { [matchclass [IP::client_addr] equals $::corporate_whitelist_dg] } {
            # corporate addresses may reach every application
        } elseif { ([HTTP::uri] starts_with "/ProSuiteWeb") and ([matchclass [IP::client_addr] equals $::prosuite_prosuiteweb]) } {
        } elseif { ([HTTP::uri] starts_with "/RealTimeMatchV1") and ([matchclass [IP::client_addr] equals $::prosuite_realtimematchv1]) } {
        } elseif { ([HTTP::uri] starts_with "/QuizGraderV1") and ([matchclass [IP::client_addr] equals $::prosuite_quizgraderv1]) } {
        } elseif { ([HTTP::uri] starts_with "/SprintWeb") and ([matchclass [IP::client_addr] equals $::prosuite_sprintweb]) } {
        } elseif { ([HTTP::uri] starts_with "/TemplateV1") and ([matchclass [IP::client_addr] equals $::prosuite_templatev1]) } {
        } elseif { ([HTTP::uri] starts_with "/IdentityManagerV1") and ([matchclass [IP::client_addr] equals $::prosuite_identitymanagerv1]) } {
        } else {
            # no whitelist matched: drop the request and record it
            discard
            log local0.info "Blocked-client [IP::remote_addr] requesting: [HTTP::uri]"
        }
    }
Thanks in advance.
Adam