iRule to allow traffic based on certain URI and remote IP, allow all if URI doesn't match
I'm looking for an iRule that will be applied to a multitenant environment, where each client will have their own set of Authorised IPs.
Our application will have a "common" URI in web requests for all tenants but the hostname differs. So there will be a pool mapping at first based on the host.
1. We need to allow web requests with a "certain URI" for authorized IPs.
2. Deny web requests with the above URI if the remote IP doesn't match the authorized IPs.
3. Allow all web requests that do not match the above URI; they need to be publicly available.
3a. If the allowed URI is "/store/coffee", then starbucks.net/store/coffee/mug.html should work only for whitelisted IPs. Unauthorized IPs for the same web request should get a 403 error.
3b. If the web request is starbucks.net/AboutUs.html or starbucks.net/contactus.aspx, then it should be publicly available. No restrictions.
I have the below iRule, which is partially working. However, my point 3(b) doesn't work: I get an IE error when the URI does not match the allowed URI. Please advise.

when HTTP_REQUEST {
    # Pool selection keyed on host + URI prefix
    set pool [class match -value -- [HTTP::host][HTTP::uri] starts_with datagroup_pools]

    # Initialise the flag for every request; the original only set it inside the
    # URI branch, so public URIs hit an unset variable (Tcl error -> connection reset).
    set blacklisted "false"

    if { [class match [string tolower [HTTP::uri]] contains datagroup_allowed_uri] } {
        # Value of datagroup_whitelistgrp is the name of the tenant's own IP data group
        set whitelist [class match -value -- [HTTP::host] equals datagroup_whitelistgrp]
        set ipaddr [IP::remote_addr]
        if { $whitelist ne "" } {
            if { !([class match $ipaddr equals $whitelist]) } {
                if { !([class match $ipaddr equals office_ips]) } {
                    set blacklisted "true"
                    HTTP::respond 403 content "<html code for custom error page>"
                }
            }
        }
    }

    if { $blacklisted ne "true" } {
        if { $pool ne "" } {
            if { [active_members $pool] == 0 } {
                HTTP::respond 500 content "<html code for custom error page>"
            } else {
                pool $pool
            }
        } else {
            HTTP::respond 404 content "<html code for custom error page>"
        }
    }
}
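The decision logic the question describes, as an added offline model (not the poster's iRule and not F5 code) so the three requirements and the unset-flag failure mode can be checked; all data-group contents, hostnames and addresses are constructed:

```python
# Added example (not from the original post): a model of the iRule's access
# decision. Data-group contents, hostnames and addresses are constructed.
import ipaddress

# datagroup_pools: host + URI prefix -> pool name
DATAGROUP_POOLS = {"starbucks.net/": "pool_starbucks", "peets.net/": "pool_peets"}
# datagroup_allowed_uri: URI prefixes that are restricted to authorised IPs
DATAGROUP_ALLOWED_URI = ["/store/coffee"]
# datagroup_whitelistgrp: host -> name of that tenant's IP data group
DATAGROUP_WHITELISTGRP = {"starbucks.net": "dg_starbucks_ips", "peets.net": "dg_peets_ips"}
# Per-tenant IP data groups plus the shared office_ips group
IP_GROUPS = {
    "dg_starbucks_ips": ["203.0.113.0/24"],
    "dg_peets_ips": ["198.51.100.10/32"],
    "office_ips": ["192.0.2.0/24"],
}

def ip_in_group(addr, group):
    """True if addr falls inside any network listed in the named data group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in IP_GROUPS.get(group, []))

def decide(host, uri, remote_addr, active_members=1):
    """Return the action taken: ('pool', name) or ('respond', status_code)."""
    host, uri = host.lower(), uri.lower()
    pool = next((p for k, p in DATAGROUP_POOLS.items() if (host + uri).startswith(k)), "")
    # Initialise unconditionally: in the posted rule the flag is only set inside
    # the URI branch, so public URIs read an unset variable and error out.
    blacklisted = False
    if any(uri.startswith(prefix) for prefix in DATAGROUP_ALLOWED_URI):
        whitelist = DATAGROUP_WHITELISTGRP.get(host, "")
        # A tenant with no whitelist entry is allowed through, as in the posted rule
        if whitelist and not ip_in_group(remote_addr, whitelist) \
                and not ip_in_group(remote_addr, "office_ips"):
            blacklisted = True
    if blacklisted:
        return ("respond", 403)
    if not pool:
        return ("respond", 404)
    if active_members == 0:
        return ("respond", 500)
    return ("pool", pool)
```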