Forum Discussion

Sabir_Alvi
Nov 26, 2021

iRule to allow traffic based on certain URI and remote IP, allow all if URI doesn't match

I'm looking for an iRule that will be applied to a multitenant environment, where each client will have their own set of Authorised IPs.

Our application will have a "common" URI in web requests for all tenants, but the hostname differs, so there will first be a pool mapping based on the host.

  1. We need to allow web requests with a "certain URI" for authorized IPs.
  2. Deny web requests with the above URI if remote IP doesn't match authorized IPs.
  3. Allow all web requests that do not match the above URI; they need to be publicly available.

3a. If the allowed URI is "/store/coffee", then starbucks.net/store/coffee/mug.html should work only for whitelisted IPs. Unauthorized IPs for the same web request should get a 403 error.

3b. If the web request is starbucks.net/AboutUs.html or starbucks.net/contactus.aspx, then it should be publicly available. No restrictions.

I have the iRule below, which is partially working. However, my point 3(b) doesn't work: I get an IE error when the URI does not match the allowed URI. Please advise.

when HTTP_REQUEST {
  # Pool lookup keyed on host + URI prefix
  set pool [class match -value -- [HTTP::host][HTTP::uri] starts_with datagroup_pools]
  # Restricted URI: check the tenant whitelist (keyed on host) and the office IPs
  if { [class match [string tolower [HTTP::uri]] contains datagroup_allowed_uri] } {
    set whitelist [class match -value -- [HTTP::host] equals datagroup_whitelistgrp]
    set ipaddr [IP::remote_addr]
    set blacklisted "false"
    if { $whitelist ne "" } {
      if { !([class match $ipaddr equals $whitelist]) } {
        if { !([matchclass $ipaddr equals office_ips]) } {
          set blacklisted "true"
          HTTP::respond 403 content "<html code for custom error page>"
        }
      }
    }
  }
  # Pool selection for everything that was not blacklisted
  if { $blacklisted ne "true" } {
    if { $pool ne "" } {
      if { [active_members $pool] == 0 } {
        HTTP::respond 500 content "<html code for custom error page>"
      } else {
        pool $pool
      }
    } else {
      HTTP::respond 404 content "<html code for custom error page>"
    }
  }
}
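A corrected version of the asker's iRule, added here as an example and not code from the thread. It returns right after each HTTP::respond so a blocked request can never fall through to pool selection (no flag variable that may be left unset on the public path), matches the restricted path with starts_with on HTTP::path rather than contains on the full URI so that only the /store/coffee prefix is restricted, and treats a tenant with no whitelist entry as denied. Data group names datagroup_pools, datagroup_allowed_uri, datagroup_whitelistgrp and office_ips come from the question; the fail-closed choice, the 503 status and the log lines are assumptions.

```tcl
when HTTP_REQUEST {
    # Normalise once; host and path comparisons are case-insensitive.
    set host [string tolower [HTTP::host]]
    set uri  [string tolower [HTTP::uri]]
    set path [string tolower [HTTP::path]]

    # Tenant pool is keyed on host (+ URI prefix), as in the question's data group.
    set pool [class match -value -- ${host}${uri} starts_with datagroup_pools]

    # Only the restricted path prefix (e.g. /store/coffee) is subject to the IP whitelist.
    # Everything else skips this block and is publicly available.
    if { [class match $path starts_with datagroup_allowed_uri] } {
        # The value stored for this host is the name of the tenant's whitelist data group.
        set whitelist [class match -value -- $host equals datagroup_whitelistgrp]
        set ipaddr [IP::client_addr]

        # Assumption: a tenant with no whitelist configured is denied (fail closed).
        if { $whitelist eq "" } {
            log local0. "restricted path on $host from $ipaddr: no whitelist configured, denied"
            HTTP::respond 403 content "<html code for custom error page>"
            return
        }
        # Deny unless the client is in the tenant whitelist or the shared office_ips group.
        if { !([class match $ipaddr equals $whitelist]) && !([class match $ipaddr equals office_ips]) } {
            log local0. "restricted path on $host from $ipaddr: not whitelisted, denied"
            HTTP::respond 403 content "<html code for custom error page>"
            return
        }
    }

    # Pool selection: reached by public requests and by whitelisted restricted requests.
    # The return after each respond above is what keeps a blocked request from getting here.
    if { $pool eq "" } {
        HTTP::respond 404 content "<html code for custom error page>"
        return
    }
    if { [active_members $pool] == 0 } {
        # 503 rather than 500: no active members is a service-unavailable condition.
        HTTP::respond 503 content "<html code for custom error page>"
        return
    }
    pool $pool
}
```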

4 Replies

  • Not sure which of your points is 3(b); no numbers appear for me. You might want to rework your introduction, or explain on which line it fails now.

    For the rest, I at least notice you don't set up office_ips in this section; it might be done earlier, of course.

  • It's not clear from the requirement whether other hosts (other than starbucks.net) need any IP restrictions for certain URIs, but assuming they don't, we can simplify the iRule as below. It also has the mapping from host name to pool in the same iRule.

    when HTTP_REQUEST {
        # Host to pool mapping; unknown hosts are rejected
        switch -glob [string tolower [HTTP::host]] {
            "www.abc.com" {
                pool www.abc.com_443
            }
            "starbucks.net" {
                pool starbucks.net_443
            }
            default {
                reject
            }
        }
        # IP restriction only for the restricted URI on starbucks.net
        switch -glob [string tolower [HTTP::uri]] {
            "/store/coffee/mug.html" {
                # && rather than "and": Tcl expr has no "and" operator
                if { [string tolower [HTTP::host]] eq "starbucks.net" && ![class match [IP::client_addr] equals datagroup_whitelist] } {
                    HTTP::respond 403 content "<html code for custom error page>"
                } else {
                    return
                }
            }
            default {
                return
            }
        }
    }

  • Glad it's working. You can mark this question as complete.