Hi Richard,
you may try one of the following examples...
Example 1: Using a single datagroup to assign allowed IPs to restricted URIs
Datagroup (DG_MY_URI Type STRING):
"/folder1" := "1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4"
"/folder2" := "1.1.1.1 2.2.2.2"
"/folder3" := "3.3.3.3 4.4.4.4"
"/folder4" := "5.5.5.5"
iRule:
when HTTP_REQUEST {
    if { [set uri_result [class match -value [string tolower [HTTP::path]] starts_with DG_MY_URI]] ne "" } then {
        # The URI is restricted: the client IP must be listed in the matching datagroup value
        if { [lsearch -inline $uri_result [IP::client_addr]] eq "" } then {
            HTTP::respond 403 content "Access denied..." "Content-Type" "text/html"
        } else {
            # Allow trusted IP
        }
    } else {
        # Allow requests to unknown URIs
    }
}
Example 2: Using two datagroups to support a "kind of" object based ACL.
Datagroup (DG_MY_URI Type STRING):
"/folder1" := "Internal Customer1 Customer2 Customer3"
"/folder2" := "Internal Customer2 Customer3"
"/folder3" := "Internal Customer3"
"/folder4" := "Location1 Location2"
IP Datagroup (DG_MY_IP Type IP-Address):
"10.0.0.0/8" := "Internal"
"10.10.10.0/24" := "Internal Location1"
"10.10.11.0/24" := "Internal Location1"
"10.10.12.0/24" := "Internal Location1"
"10.10.13.0/24" := "Internal Location1"
"10.10.14.0/24" := "Internal Location2"
"10.10.15.0/24" := "Internal Location2"
"10.10.16.0/24" := "Internal Location2"
"10.10.17.0/24" := "Internal Location2"
"111.111.111.111" := "Customer1"
"172.16.0.0/12" := "Internal"
"190.190.190.190" := "Customer2"
"192.168.0.0/16" := "Internal"
"212.212.212.212" := "Customer3"
iRule:
when CLIENT_ACCEPTED {
    # Look up the groups assigned to the client IP once per connection
    set ip_result [class match -value [IP::client_addr] equals DG_MY_IP]
}
when HTTP_REQUEST {
    if { [set uri_result [class match -value [string tolower [HTTP::path]] starts_with DG_MY_URI]] ne "" } then {
        if { $ip_result eq "" } then {
            # Disallow the request
        } else {
            foreach uri_entry $uri_result {
                if { [lsearch -inline $ip_result $uri_entry] ne "" } then {
                    # Allow trusted IP
                    return
                }
            }
            # Disallow the request
        }
    } else {
        # Allow requests to unknown URIs
        return
    }
    # Trigger the error page...
    HTTP::respond 403 content "Access denied..." "Content-Type" "text/html"
}
Cheers, Kai
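
An added example, not part of Kai's post: a small Python model of the Example 2 decision logic, useful for checking datagroup contents offline before they go onto the BIG-IP. The function names are hypothetical, and it assumes that the address datagroup lookup returns the most specific matching entry and that the longest matching URI key wins.

```python
import ipaddress

# Datagroup contents copied from Example 2 of the post.
DG_MY_URI = {
    "/folder1": "Internal Customer1 Customer2 Customer3",
    "/folder2": "Internal Customer2 Customer3",
    "/folder3": "Internal Customer3",
    "/folder4": "Location1 Location2",
}
DG_MY_IP = {
    "10.0.0.0/8": "Internal",
    "10.10.10.0/24": "Internal Location1", "10.10.11.0/24": "Internal Location1",
    "10.10.12.0/24": "Internal Location1", "10.10.13.0/24": "Internal Location1",
    "10.10.14.0/24": "Internal Location2", "10.10.15.0/24": "Internal Location2",
    "10.10.16.0/24": "Internal Location2", "10.10.17.0/24": "Internal Location2",
    "111.111.111.111": "Customer1", "172.16.0.0/12": "Internal",
    "190.190.190.190": "Customer2", "192.168.0.0/16": "Internal",
    "212.212.212.212": "Customer3",
}

def ip_groups(client_ip):
    """Groups of the most specific DG_MY_IP entry containing client_ip (assumed semantics)."""
    addr = ipaddress.ip_address(client_ip)
    nets = [(ipaddress.ip_network(k), v) for k, v in DG_MY_IP.items()]
    hits = [(n.prefixlen, v) for n, v in nets if addr in n]
    return max(hits)[1].split() if hits else []

def uri_groups(path):
    """Groups allowed for the longest DG_MY_URI key that path starts with, or None."""
    path = path.lower()  # the iRule lowercases HTTP::path before matching
    keys = [k for k in DG_MY_URI if path.startswith(k)]
    return DG_MY_URI[max(keys, key=len)].split() if keys else None

def decide(client_ip, path):
    """Mirror the iRule's branches and return 'allow' or 'deny' (the 403 response)."""
    allowed = uri_groups(path)
    if allowed is None:
        return "allow"  # unknown URI: the iRule lets the request through
    return "allow" if set(allowed) & set(ip_groups(client_ip)) else "deny"

if __name__ == "__main__":
    # Constructed sample requests.
    for ip, path in [("10.10.10.5", "/folder4/x"), ("10.1.1.1", "/folder4"),
                     ("8.8.8.8", "/folder10"), ("8.8.8.8", "/public")]:
        print(ip, path, decide(ip, path))
```

Note that `starts_with` has no path-segment boundary, so `/folder10` is covered by the `/folder1` entry, and any path without a datagroup key is allowed by default.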