url or host switching based on source-ip

Posted by pwidman

I have a customer who's commercial requirement is to ensure only specific networks (clients) access a host or URL. Today they are using an IRULE
with a class-list to call out the networks that should be matched for a particular host. An example IRULE of what they have is pasted below

when HTTP_REQUEST {
switch [string tolower [HTTP::host]] {
"CLIENT-cms.pwidman.com" { if { [matchclass [IP::client_addr] equals $::CLIENT_allow_list] } {
log local0. "[IP::client_addr] matched CLIENT_allow_list"
pool pool_ivos_CLIENT-cms.pwidman_http
} else {
log local0. "[IP::client_addr] NOT matched CLIENT_allow_list"
discard
}
}
"someotherclient.pwidman.com" { pool pool_ivos_SomeOtherClient.pwidman_http }
"yetanotherclient.int.pwidman.com" { pool pool_ivos_yetanotherclient.pwidman_http }

Since class-lists are not available in the current release of code 2.6.1 do we have to call out each source (network client_addr) that are being called in the class-list in order to get the same results?

Comments

  • edited July 2022
    Posted by ddesmidt

    Hi,

    Looking at the message:

    1. You have an iRule
    That iRule looks at the "host" and:
    . if host = CLIENT-cms.pwidman.com, you go to the pool "pool_ivos_CLIENT-cms.pwidman_http"
    . otherwise you drop the request

    2. You have a Class-List
    That's not in your config displayed but I understand you also have a Class List per client with their public IP addresses and:
    . if the source-IP belongs to that class list => you do the iRules

    Today (2.6.1) as you noticed we can do the "step1" but AX is missing step2.
    Important Note: That piece will be part of 2.6.2 planned very soon (Q4'2011). And if required we can give you under NDA a beta code as soon as today  

    Waiting for that 2.6.2 release as you said, you have to do the "step2" in the aFleX.
    Here is a example on how to do it:

    Code:

    when HTTP_REQUEST { # Customer1 if { [IP::addr [IP::client_addr] equals 10.10.10.0/24] } { if {[string tolower [HTTP::host] equals "client-cms.pwidman.com")} { log local0. "[IP::client_addr] matched CLIENT_allow_list" pool pool_ivos_CLIENT-cms.pwidman_http } else { log local0. "[IP::client_addr] NOT matched CLIENT_allow_list" discard } } # Customer2 if { [IP::addr [IP::client_addr] equals 20.20.20.0/24] } { if {[string tolower [HTTP::host] equals " someotherclient.pwidman.com")} { log local0. "[IP::client_addr] matched XYZ_allow_list" pool pool_ivos_XYZ-cms.pwidman_http } else { log local0. "[IP::client_addr] NOT matched XYZ_allow_list" discard } } } etc
  • mcyorkmcyork Member ✭✭
    edited February 2014
    Posted by mcyork

    From the above I have built the below (might work?). I am not clear if the syntax of the condition is in fact grabbing all the IP address with in this range or doing a string compare (and this failing to ever go to a pool). Is it a string compare and I need some other syntax to hit true on an IP within the network range?

    when HTTP_REQUEST {
    # 192.168.0.0
    if { [IP::addr [IP::client_addr] equals 192.168.0.0/16] } {
    if { [HTTP::uri] equals "/" } {
    HTTP::redirect https://[HTTP::host]/login.html
    }
    pool sg_internal
    }

    # 10.0.0.0
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
    if { [HTTP::uri] equals "/" } {
    HTTP::redirect https://[HTTP::host]/login.html
    }
    pool sg_internal
    }

    HTTP::redirect www.google.com/
    }
  • edited July 2022
    Posted by ddesmidt

    The script "[IP::addr [IP::client_addr] equals 192.168.0.0/16]" is not a string compare, but really an IP address check.
    So this one above will get the IP address 192.168.10.15 but also 192.168.35.245, etc.

    So you aFleX looks pretty good to me 


    Dimitri
  • mcyorkmcyork Member ✭✭
    edited February 2014
    Posted by mcyork

    Thanks - it ended up there was an odd error in my larger version. The GUI accepted the code but it would not execute. Loading it into notepad++ helped me sort out the { } combinations.
Sign In or Register to comment.