Forum Discussion

MegaN00B_270205
Feb 07, 2017

using irule and datagroup to allow/restrict access to http::path

I want to use an irule to select the pool based on http::path; and I also need to restrict access to certain parts (namely /em and /console) with an IP-allowed datagroup. The irule appears to not work & I don't know what is going wrong. If I remove the 'datagroup' part it works; but everyone is allowed access. I need to restrict that to /em and /console.

 

In the OBIEE-Allowed_access is 1 datagroup (network) with in it 192.168.0.0/16 & 1 dedicated test IP.

 

    when HTTP_REQUEST {
        if { [HTTP::path] equals "/" } {
            HTTP::redirect "/analytics/"
        }
        if { [HTTP::path] starts_with "/analytics" } {
            log local0. " .. starts_with /analytics"
            pool BI02-9003-Pool
        }
        if { not ([class match [IP::client_addr] equals OBIEE_Allowed_Access]) } {
            log local0. "[IP::client_addr] is not permitted to site /EM or /CONSOLE"
            drop
        }
        if { [HTTP::path] starts_with "/em" } {
            log local0. " .. starts_with /em"
            pool BI02-9001-Pool
        }
        if { [HTTP::path] starts_with "/console" } {
            log local0. " .. starts_with /console"
            pool BI02-9001-Pool
        }
    }

 

Thanks!

 

1 Reply

  • Hi MegaNoob,

    you may try the iRule below...

    when HTTP_REQUEST { 
        set low_path [string tolower [HTTP::path]]
        if { $low_path equals "/" } then { 
            HTTP::redirect "/analytics/" 
        } elseif { $low_path starts_with "/analytics" } then { 
            log local0. " .. starts_with /analytics" 
            pool BI02-9003-Pool 
        } elseif { ( $low_path starts_with "/em" )
                or ( $low_path starts_with "/console" ) } then {
            if { [class match [IP::client_addr] equals OBIEE_Allowed_Access] } then {
                # Allow trusted clients
                log local0. "[IP::client_addr] is permitted to site /EM or /CONSOLE"
                pool BI02-9001-Pool
            } else {
                # Drop untrusted clients
                log local0. "[IP::client_addr] is not permitted to site /EM or /CONSOLE"
                drop
            }
        } else {
            # You may add a drop or HTTP::respond here if you need to deny access outside of /em, /console or /analytics
        }
    }
    

    Note: The iRule uses a [string tolower [HTTP::path]] syntax to make the rule-set case-insensitive. In addition to that, the iRule now uses an if...elseif...else notation, so that the execution will stop if the requested path already matched one of your rule-sets.

    Cheers, Kai
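
Added example (not part of the original posts, and not F5 code): a simplified Python model of the two iRules above that lists, in order, the iRule commands each version would invoke for a given path and client IP. It shows that in the question's rule the allow-list check is not tied to any path. The test-IP entry, client addresses and request paths are constructed placeholders.

```python
import ipaddress

# Constructed stand-in for the OBIEE_Allowed_Access data group: the /16 from the
# question plus a placeholder (documentation range) for the "dedicated test IP".
ALLOWED = [ipaddress.ip_network("192.168.0.0/16"),
           ipaddress.ip_network("203.0.113.10/32")]

def class_match(client_ip):
    """Model of [class match [IP::client_addr] equals OBIEE_Allowed_Access]."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED)

def original_rule(path, client_ip):
    """Question's iRule: independent if-blocks, case-sensitive path tests."""
    actions = []
    if path == "/":
        actions.append("redirect /analytics/")
    if path.startswith("/analytics"):
        actions.append("pool BI02-9003-Pool")
    if not class_match(client_ip):   # evaluated for every request, whatever the path
        actions.append("drop")
    if path.startswith("/em"):
        actions.append("pool BI02-9001-Pool")
    if path.startswith("/console"):
        actions.append("pool BI02-9001-Pool")
    return actions

def reply_rule(path, client_ip):
    """Reply's iRule: one if/elseif chain, allow-list check only under /em and /console."""
    low = path.lower()
    if low == "/":
        return ["redirect /analytics/"]
    if low.startswith("/analytics"):
        return ["pool BI02-9003-Pool"]
    if low.startswith("/em") or low.startswith("/console"):
        return ["pool BI02-9001-Pool"] if class_match(client_ip) else ["drop"]
    return []   # empty else branch: the iRule takes no action for other paths

if __name__ == "__main__":
    for ip in ("192.168.5.20", "198.51.100.7"):   # constructed: listed / not listed
        for path in ("/", "/analytics/saw.dll", "/em", "/Console/login"):
            print(f"{ip:13} {path:19} original={original_rule(path, ip)} "
                  f"reply={reply_rule(path, ip)}")
```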