sandy16
Apr 28, 2015

Access to VIP by irule for matching a header value OR allowing ips using data-group

Hi experts, we have a requirement in writing an iRule that only allows access to the VS when it matches a certain hexadecimal value in the http_header, example value = '3196E8D30330CA17238FAS013036'. At the same time it should be only allowing IPs from a whitelist datagroup. If it is NOT matching either of these conditions, the connection needs to be dropped. (So it's an OR for both the conditions.) Please advise.

 

6 Replies

  • DEJ

    Hello,

     

    Depending on your VIP preference, the iRule below will drop the traffic if neither value matches. If there is a match, it will go to the default pool assigned to the VIP. If you need both values to match, change "or" to "and".

     

    when HTTP_REQUEST {
        # Check whether the header contains the hex code or the client IP is in the allow list
        if { !(([HTTP::header "name_of_header"] equals "3196E8D30330CA17238FAS013036") or ([class match [IP::client_addr] equals WHITELIST]))} {
            # If neither value matches, drop the traffic
            drop
        }
    }
  • Thanks, so I have done this (added the pool default and else for drop) but it gives me some errors in the GUI:

     

    when HTTP_REQUEST {
        # Check if http_header contains hex code or the client IP is not in the allow list
        if { !([HTTP::header "name_of_header"] equals "3196E8D30330CA17238FAS013036" or [class match [IP::client_addr] equals WHITELIST])} {
            pool default else {
                # if neither value matches drop traffic
                drop
            }
    }

     

    • DEJ
      Hello S, I've updated the iRule a bit. My apologies but I'm pretty much free-handing this iRule (left my laptop at work). A few questions. 1. What header will contain the hex value you are matching against? 2. Have you already created the datagroup you will be using in this iRule? 3. Try the edited code in my original reply. If you still get a GUI error, please post the error.
  • OK, the error I get is: [invalid option "else" must be: member][else] What am I doing wrong?

     

    • DEJ
      Looking at the iRule you pasted in, it looks like there may be a close bracket missing in front of else: } else
  • OK, I found the issue. The else statement needs to be on the same line as the close bracket. Valid format: } else { drop

    Invalid format: else { drop
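
Added example, not part of any post in this thread: one way to write the complete allow-or-drop iRule discussed above, with the "} else {" placement the thread arrives at. The header name "name_of_header" and the token are the placeholders used in the thread; WHITELIST is assumed to be an existing address-type data group, and the log line is an addition for auditing denied clients.

```tcl
when HTTP_REQUEST {
    # Condition 1: the request carries the expected header value.
    # "name_of_header" is the thread's placeholder, not a real header name.
    set token_ok 0
    if { [HTTP::header exists "name_of_header"] } {
        if { [HTTP::header value "name_of_header"] equals "3196E8D30330CA17238FAS013036" } {
            set token_ok 1
        }
    }

    # Condition 2: the client address is in the allow-list data group.
    # class match returns 1 on a match and 0 otherwise.
    set ip_ok [class match [IP::client_addr] equals WHITELIST]

    if { $token_ok || $ip_ok } {
        # Either condition is sufficient: do nothing and let the request
        # go to the default pool assigned to the virtual server.
        return
    } else {
        # Tcl ends a command at the newline, so "} else {" has to stay on
        # one line; an "else" on its own line is parsed as a new command.
        log local0. "Denied [IP::client_addr]: header_match=$token_ok ip_match=$ip_ok"
        drop
    }
}
```

Evaluating the two conditions into separate variables keeps the OR readable and lets the log record which check failed for a dropped client.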