Forum Discussion

Jeff_Tuthill_10
Aug 10, 2009

Pool Selection based on client domain name or IP address

So I think this may be an easy one but I am getting stuck on this. I have an application that I want to allow access to if the client has a certain domain name or is coming from a certain IP subnet...otherwise I want to discard the connection.

So far I have set up a Data Group with the allowed IP's and set up the irule as such:

    when HTTP_REQUEST {
       if { [matchclass [IP::client_addr] equals $::DATA_GROUP_NAME] } {
          pool pool1
       } else {
          discard
       }
    }

This works fine for the IP addresses but how do I get the domain name working? So my scenario is:

Go to pool1 if you are from 10.10.10.0 or 10.10.11.0 or from *.example.com otherwise you get discarded.

7 Replies

  • I'm not aware of any header that a browser normally sends that includes domain name information. What exactly do you mean by "the client has a certain domain name?"

    There's a Referer header that shows the domain name of the site that provided the link, but that's the only thing I could think of that would include some sort of domain information.

    Denny
  • You could check the requested domain in the Host header value. But as Denny suggests, there isn't anything in HTTP that would have a domain associated with it. You could potentially do a reverse DNS lookup to see if there is a reverse DNS record associated with the client IP address.

    Can you elaborate on the scenario?

    Aaron
  • What I mean by the domain name is the network that the client is coming from, i.e. coming from comcast.net or aol.com. So can I have a rule that says all clients coming from comcast.net use this pool.
  • There is a default aol datagroup which contains the proxy server IP addresses AOL publishes. If you can get a list of the hosts/subnets that Comcast uses, you could define them in an address type datagroup and check the client IP address against the datagroup.

    Aaron
  • So how do I get an iRule to look at two different Data Groups? Here is the scenario:

    1. Check the IP addresses in data group 1 and send to pool
    2. Check the hostnames (string) in data group 2 and send to pool
    3. Otherwise discard

    Would something like this work?:

    when HTTP_REQUEST {
       if { [matchclass [IP::client_addr] equals $::DATA_GROUP_NAME] } {
          pool pool1
       } else {
          if { [matchclass [DNS::name] equals $::DATA_GROUP_NAME2] } {
             pool pool1
          } else {
             discard
          }
       }
    }

  • You could either figure out which IP address ranges comcast uses, or you could depend on their reverse DNS records being valid for all client IP addresses. If you use the first option, you'd define a datagroup just like the stock AOL datagroup and check the IP::client_addr against that datagroup:

    when HTTP_REQUEST {
       if { [matchclass [IP::client_addr] equals $::DATA_GROUP_NAME] } {
          pool pool1
       } elseif { [matchclass [IP::client_addr] equals $::comcast_ips] } {
          pool pool1
       } else {
          discard
       }
    }


    Or you could try to do a reverse DNS lookup using the NAME:: commands:

    NAME: These commands allow you to resolve names using the DNS subsystem configured on BIG-IP.

    http://devcentral.f5.com/wiki/default.aspx/iRules/name

    Try searching the iRules forum for NAME_RESOLVED for some examples. There is also an older Codeshare example which may still be relevant:

    http://devcentral.f5.com/wiki/default.aspx/iRules/DestinationSnatUsingDNS.html

    Aaron
  • Thanks for the leads hoolio!!!

    I am trying this rule but get an error on line 14 "Command not valid in current context"...Can I collect the DNS name and then make a pool assignment based on that within the same iRule?

    when HTTP_RESPONSE {
       # Hold HTTP data until IP address is resolved
       HTTP::collect
       # Start a name resolution on the Client IP address
       NAME::lookup [IP::client_addr]
    }

    when NAME_RESOLVED {
       log local0. "client name = >[NAME::response]>"
       # Release HTTP data once hostname is resolved
       HTTP::release
    }

    when HTTP_REQUEST {
       set client [NAME::response]
       if {$client contains "domain.com"} {
          pool pool1
       } else {
          discard
       }
    }
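The decision logic the thread converges on (allow by address data group, otherwise allow by the client's reverse DNS name, otherwise discard), written out as an added Python example so it can be run offline. This is not code from the thread or from F5; the subnets and the example.com domain are the ones from the original question, while the resolver functions and the DNS records they return are constructed stand-ins for a real PTR and forward lookup. It adds two checks a practitioner would want before trusting a reverse DNS name for pool selection: the PTR name is only accepted if it resolves forward to the same client IP (forward-confirmed reverse DNS, since the PTR record is set by whoever controls the reverse zone for that address), and the domain test is a label-suffix match rather than the `contains "domain.com"` used in the last post, which would also accept names like "notdomain.com".

```python
import ipaddress
from typing import Callable, Iterable, Optional, Set

# Allowed client subnets: the equivalent of the address-type data group in the
# thread. Prefix lengths are an assumption; the question only gives the networks.
ALLOWED_SUBNETS = [ipaddress.ip_network(n) for n in ("10.10.10.0/24", "10.10.11.0/24")]

# Allowed client domains (the "*.example.com" case from the question).
ALLOWED_DOMAINS = ("example.com",)

# Resolver callables are injected so the example runs offline. A real deployment
# would wrap socket.gethostbyaddr (PTR) and socket.gethostbyname_ex (forward).
PtrLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], Set[str]]


def ip_allowed(client_ip: str) -> bool:
    """True if the client address falls inside any allowed subnet."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_SUBNETS)


def host_in_domain(hostname: str, domains: Iterable[str]) -> bool:
    """Label-suffix match: accepts example.com and anything under it, but not
    notexample.com or example.com.attacker.test, both of which a plain
    substring test would accept."""
    h = hostname.rstrip(".").lower()
    for d in domains:
        d = d.rstrip(".").lower()
        if h == d or h.endswith("." + d):
            return True
    return False


def fcrdns_hostname(client_ip: str, ptr: PtrLookup, forward: ForwardLookup) -> Optional[str]:
    """Forward-confirmed reverse DNS: return the PTR name only if it resolves
    back to the client IP; otherwise treat the client as having no name."""
    name = ptr(client_ip)
    if not name:
        return None
    try:
        forward_ips = forward(name)
    except Exception:  # resolver failure is treated as "unconfirmed"
        return None
    return name if client_ip in forward_ips else None


def select_pool(client_ip: str, ptr: PtrLookup, forward: ForwardLookup) -> Optional[str]:
    """Return "pool1" for an allowed client, or None to signal discard."""
    if ip_allowed(client_ip):
        return "pool1"
    name = fcrdns_hostname(client_ip, ptr, forward)
    if name and host_in_domain(name, ALLOWED_DOMAINS):
        return "pool1"
    return None


# Constructed fake DNS data (documentation ranges only) for the offline demo.
FAKE_PTR = {
    "192.0.2.10": "host1.example.com",          # PTR and forward record agree
    "192.0.2.11": "host2.example.com",          # PTR claims example.com, forward disagrees
    "192.0.2.12": "example.com.attacker.test",  # would pass a `contains "example.com"` test
    "192.0.2.13": "notexample.com",             # would also pass a substring test
}
FAKE_FORWARD = {
    "host1.example.com": {"192.0.2.10"},
    "host2.example.com": {"198.51.100.7"},
    "example.com.attacker.test": {"192.0.2.12"},
    "notexample.com": {"192.0.2.13"},
}


def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> Set[str]:
    return FAKE_FORWARD.get(name, set())


if __name__ == "__main__":
    for ip in ("10.10.10.55", "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "203.0.113.9"):
        print(ip, "->", select_pool(ip, fake_ptr, fake_forward) or "discard")
```

Only the first two addresses in the demo reach pool1: one by subnet, one by a PTR name that forward-confirms and sits under example.com. The others are discarded because the forward record disagrees, the name merely contains the string, or no PTR exists.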