Forum Discussion

parvez_70211
Apr 10, 2017

Using X-Forwarded-for to block Clients based on URI information

I have a task to block client IPs based on URI information, but the catch here is that the actual IPs are present in an HTTP header (X-Forwarded-For), since all requests are coming from Akamai.

Eg: I have approx. 40 IPs which need to be allowed to access any URI that starts with "/en_US/HHCM*". The rest need to be blocked.


I had written an iRule to block the IP directly, but I need to modify it. Can you help?

when HTTP_REQUEST {

    # Check for requests to the restricted URI (both sides compared in lower case,
    # otherwise the lower-cased URI never matches the mixed-case literal)
    if { [string tolower [HTTP::uri]] starts_with "/en_us/hhcm" } {

        # Check if the client IP is not in the allowed clients data group
        if { [class match [IP::client_addr] equals AllowList] } {

            log local0. "dropped [IP::client_addr]"

            # Reset the connection
            drop
        }
    }
}
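The X-Forwarded-For variant the question asks for, as an added example that is not from the original post or any of the replies. It assumes the address-type data group is named AllowList as in the question, and that only Akamai can reach this virtual server, because X-Forwarded-For is written by whoever forwards the request and can be trusted only when the forwarding hop is.

```tcl
# Added example: allow-list the originating client taken from X-Forwarded-For
# for URIs under /en_US/HHCM and reject every other client on that path.
# Assumptions: an address-type data group named AllowList (from the question)
# and a virtual server reachable only from Akamai; a VIP open to the internet
# must not trust this header, since any client can set it.
when HTTP_REQUEST {
    # Only the restricted path tree is subject to the allow list
    if { [string tolower [HTTP::uri]] starts_with "/en_us/hhcm" } {

        # The header may appear more than once and each value may be a list
        # "client, proxy1, proxy2": join all occurrences, then take the leftmost
        # entry, which is the originating client as reported by the first proxy.
        # If the CDN appends to a client-supplied header instead of replacing it,
        # the entry it added is not the leftmost one; pick the index accordingly.
        set xff [join [HTTP::header values "X-Forwarded-For"] ","]
        set client_ip [string trim [lindex [split $xff ","] 0]]

        # Fail closed: a missing header, or a value the data-group lookup cannot
        # handle, is rejected rather than falling back to the Akamai edge address.
        if { $client_ip eq "" || [catch { class match $client_ip equals AllowList } allowed] } {
            log local0. "rejected [IP::client_addr]: unusable X-Forwarded-For \"$xff\" for [HTTP::uri]"
            reject
            return
        }

        if { !$allowed } {
            log local0. "rejected $client_ip (via [IP::client_addr]) for [HTTP::uri]"
            reject
            return
        }

        # Allowed client: the request continues to the virtual server's default pool
    }
}
```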

8 Replies

  • How do you like to modify your iRule? The code snippet you have provided looks fine syntax-wise, but it blocks access from IPs in your AllowList. How about something like this:-

     

    when HTTP_REQUEST {
      # Prefix match, as the question asks for /en_US/HHCM*; class match (not IP::addr)
      # is the data-group lookup
      if { [HTTP::uri] starts_with "/en_US/HHCM" && !([class match [IP::client_addr] equals AllowList]) } {
          # log output
          log local0. "rejected [IP::client_addr] for [HTTP::uri]"
          reject
      } else {
          # Send traffic to your desired server pool
      }
    }
    

    Just an example. Correct me if I misunderstood your query.

     

    Connections from client IPs [IP::client_addr] that are not in your data group (AllowList) get blocked.

     

    • parvez_70211

      But I would need to block actual client IP based on HTTP-X-Forwarded IP and not at [IP::client_addr]. So I would need to extract the IP present on the header first and then match against our allowed IP data group.

       

    • parvez_70211

      Connection from client IP's that are not in your data group(AllowList) gets blocked. - correct

       

    • rsacheen_310098

      This might help. Looks like something you are looking for. Have a look!

       

      https://devcentral.f5.com/s/feed/0D51T00006i7MAUSA2

       
