srandhawa_75222
Oct 14, 2013

How to create iRule to grant additional access to a specific client

Hi... I have a pool which is hosting URIs accessible to the general public. But I now want to grant additional access to a particular vendor to the following additional URIs: /CustomerInformationService/V1/CustomerInformationService.svc and ProductService/V1/ProductService.svc

 

The vendor will be accessing the same VIP and the same pool. In other words, the vendor will have the same access to the web sites hosted by the members but will also need the additional access per above.

 

4 Replies

  • How would an iRule help here? Is there currently one in place that restricts access?

     

  • If I may add, authentication, or some form of identity validation, is required for this to work. If you validate the request as coming from a particular vendor, either through an authenticated session or perhaps a known IP range, then the iRule would be pretty straightforward. Example:

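    when HTTP_REQUEST {
        # $vendor is a placeholder: it must be set beforehand from whatever
        # identifies the requester (authenticated session, known IP range, ...).
        if { ( [class match [string tolower [HTTP::uri]] starts_with my_uri_dg] ) and ( $vendor equals "my_special_vendor" ) } {
            # Protected URI requested by the vendor: allow
            return
        } elseif { [class match [string tolower [HTTP::uri]] starts_with my_uri_dg] } {
            # Protected URI requested by anyone else: refuse
            drop
            # or, instead of drop:
            # HTTP::respond 200 content "...no access..."
        }
        # Requests for any other URI are not affected by this rule
    }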
    

    where "my_uri_dg" is a string-based data group with the URIs you want to protect. Example:

    /customerinformationservice/v1/customerinformationservice.svc := 1 
    /productservice/v1/productservice.svc := 1
    

    You could optionally define which vendors had access to specific URIs. Ultimately though,

    and ( $vendor equals "my_special_vendor" )
    

    you have to figure out how to differentiate one HTTP request from another.

  • Hi... I am new to iRules so my iRule construct is a bit basic, but here is the iRule:

     

    when CLIENT_ACCEPTED {
        if { [[IP::remote_addr] equals 203.45.160.26] || [[IP::remote_addr] equals 203.45.160.28] || [[IP::remote_addr] equals 203.45.160.31] } {
            pool bat1_test1
        } else {
            pool bat1_test2
        }
    }

     

    Basically the idea is that if the source IP address is one of the 3 specific addresses, it should send the traffic to bat1_test1. All other traffic should go to bat1_test2. The question is, the Virtual Server (VIP) has only one default pool, bat1_test1, so I don't know how the iRule will divert to the bat1_test2 pool. When I applied the iRule, the normal traffic (i.e. access to bat1_test2) also stops working.

     

  • I'd suggest you change the logic a little and use a data group to keep the code simple. I'd make bat1_test2 the VS default pool and use this iRule after creating a DG called 'allowed_ips' with those three addresses in it:

     

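    when CLIENT_ACCEPTED {
        # Clients listed in the allowed_ips data group go to bat1_test1;
        # everyone else stays on the virtual server's default pool (bat1_test2).
        if { [class match [IP::client_addr] equals allowed_ips] } {
            pool bat1_test1
        }
    }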
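
The two suggestions in this thread (a URI data group and a source-address data group) can be combined into one rule that restricts only the vendor URIs and leaves public traffic alone. This is an added example, not code from any of the posters; the data-group names `vendor_uris_dg` and `vendor_ips_dg` are hypothetical, and it assumes the vendor is identified by source address, one of the options mentioned in the second reply.

```tcl
# Added example. Assumed data groups (names are hypothetical):
#
#   vendor_uris_dg (type string), keys in lowercase:
#     /customerinformationservice/v1/customerinformationservice.svc := 1
#     /productservice/v1/productservice.svc := 1
#
#   vendor_ips_dg (type address): the vendor's source addresses,
#     e.g. the three addresses quoted in the thread.

when HTTP_REQUEST {
    # Compare the path only (no query string), percent-decoded and lowercased,
    # so an encoded or mixed-case form of a protected path is tested in the
    # same form as the data-group keys.
    set path [string tolower [URI::decode [HTTP::path]]]

    if { [class match $path starts_with vendor_uris_dg] } {
        # Protected URI: only clients listed in vendor_ips_dg may pass.
        if { ![class match [IP::client_addr] equals vendor_ips_dg] } {
            # Log the refusal so blocked attempts are visible in /var/log/ltm.
            log local0. "Denied [IP::client_addr] -> [HTTP::host]$path"
            HTTP::respond 403 content "Forbidden" "Connection" "close"
            return
        }
    }
    # Every other request (public URIs from anyone, protected URIs from the
    # vendor) falls through to the virtual server's default pool.
}
```

With this rule the virtual server keeps its single default pool, since the decision is made per request on the URI rather than per connection on the pool.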