url or host switching based on source-ip
in aFleX
Posted by pwidman
I have a customer whose commercial requirement is to ensure that only specific networks (clients) access a host or URL. Today they are using an iRule with a class-list to call out the networks that should be matched for a particular host. An example iRule of what they have is pasted below:
# Note: the host is lowercased before the switch, so the case labels must be
# lowercase as well; an uppercase "CLIENT-cms..." label would never match.
# (Comments cannot go inside the switch body itself: Tcl would treat them as
# pattern/body pairs.)
when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "client-cms.pwidman.com" {
            if { [matchclass [IP::client_addr] equals $::CLIENT_allow_list] } {
                log local0. "[IP::client_addr] matched CLIENT_allow_list"
                pool pool_ivos_CLIENT-cms.pwidman_http
            } else {
                log local0. "[IP::client_addr] NOT matched CLIENT_allow_list"
                discard
            }
        }
        "someotherclient.pwidman.com" { pool pool_ivos_SomeOtherClient.pwidman_http }
        "yetanotherclient.int.pwidman.com" { pool pool_ivos_yetanotherclient.pwidman_http }
    }
}
Since class-lists are not available in the current release of code (2.6.1), do we have to call out each source (network / client_addr) that is listed in the class-list in order to get the same results?
Comments
Hi,
Looking at the message:
1. You have an iRule
   That iRule looks at the "host" and:
   - if host = CLIENT-cms.pwidman.com, you go to the pool "pool_ivos_CLIENT-cms.pwidman_http"
   - otherwise you drop the request
2. You have a Class-List
   That's not in the config you displayed, but I understand you also have a Class List per client with their public IP addresses, and:
   - if the source IP belongs to that class list => you do the iRules
Today (2.6.1), as you noticed, we can do "step 1" but AX is missing "step 2".
Important Note: that piece will be part of 2.6.2, planned very soon (Q4'2011). And if required we can give you a beta code under NDA as soon as today.
While waiting for that 2.6.2 release, as you said, you have to do "step 2" in the aFleX.
Here is an example of how to do it:
Code:
when HTTP_REQUEST {
    # Customer1: source network check first, then the host this network may reach
    if { [IP::addr [IP::client_addr] equals 10.10.10.0/24] } {
        if { [string tolower [HTTP::host]] equals "client-cms.pwidman.com" } {
            log local0. "[IP::client_addr] matched CLIENT_allow_list"
            pool pool_ivos_CLIENT-cms.pwidman_http
        } else {
            log local0. "[IP::client_addr] NOT matched CLIENT_allow_list"
            discard
        }
    }
    # Customer2
    if { [IP::addr [IP::client_addr] equals 20.20.20.0/24] } {
        if { [string tolower [HTTP::host]] equals "someotherclient.pwidman.com" } {
            log local0. "[IP::client_addr] matched XYZ_allow_list"
            pool pool_ivos_XYZ-cms.pwidman_http
        } else {
            log local0. "[IP::client_addr] NOT matched XYZ_allow_list"
            discard
        }
    }
    # etc.
}
From the above I have built the below (might work?). I am not clear whether the syntax of the condition is in fact grabbing all the IP addresses within this range or doing a string compare (and thus failing to ever go to a pool). Is it a string compare, and do I need some other syntax to hit true on an IP within the network range?
when HTTP_REQUEST {
    if { [IP::addr [IP::client_addr] equals 192.168.0.0/16] } {
        # 192.168.0.0/16: send "/" to the login page, everything else to the pool.
        # The redirect and the pool selection are alternatives, not a sequence:
        # a redirect answers the request, so the pool would never be used.
        if { [HTTP::uri] equals "/" } {
            HTTP::redirect "https://[HTTP::host]/login.html"
        } else {
            pool sg_internal
        }
    } elseif { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        # 10.0.0.0/8: same treatment
        if { [HTTP::uri] equals "/" } {
            HTTP::redirect "https://[HTTP::host]/login.html"
        } else {
            pool sg_internal
        }
    } else {
        # Any other source is sent away. Without the else, this redirect would
        # run for every request, including the ones just sent to the pool.
        # The redirect needs an absolute URL, so a scheme is assumed here.
        HTTP::redirect "https://www.google.com/"
    }
}
The script "[IP::addr [IP::client_addr] equals 192.168.0.0/16]" is not a string compare, but really an IP address check.
So this one above will match the IP address 192.168.10.15 but also 192.168.35.245, etc.
So your aFleX looks pretty good to me.
Dimitri
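As an added illustration that is not part of the thread (and not A10 or F5 code), here is a Python model of the per-host source-network allow list that the aFleX above spells out with [IP::addr [IP::client_addr] equals <CIDR>], and of the point made in the reply that this is a network-membership test rather than a string compare. The host names, pool names, networks and sample client addresses are constructed for the example; stripping a ":port" suffix from the Host header is an assumption of mine, not something the thread states.

```python
"""Added example, not code from the thread or from A10/F5: a Python model of
the per-host source-network allow list that the aFleX above spells out with
[IP::addr [IP::client_addr] equals <CIDR>].  Hosts, pools, networks and the
sample client addresses are constructed for illustration; dropping a ":port"
suffix from Host is my assumption, not something the thread states."""
import ipaddress
from typing import Iterable, Tuple

# Emulated "class lists": host -> client networks allowed to reach it.
# An empty list means no restriction (like the plain "pool" arms of the iRule).
ALLOW_LISTS = {
    "client-cms.pwidman.com": ["10.10.10.0/24", "192.168.0.0/16"],
    "someotherclient.pwidman.com": [],
}

# Host -> pool, the switch arms of the original iRule (constructed names).
POOLS = {
    "client-cms.pwidman.com": "pool_ivos_CLIENT-cms.pwidman_http",
    "someotherclient.pwidman.com": "pool_ivos_SomeOtherClient.pwidman_http",
}


def string_compare_matches(client_ip: str, cidr: str) -> bool:
    """What a *string* compare would do: only an exact textual match counts,
    so "192.168.35.245" == "192.168.0.0/16" is never true."""
    return client_ip == cidr


def ip_in_networks(client_ip: str, networks: Iterable[str]) -> bool:
    """Network-membership test, the equivalent of
    [IP::addr $ip equals 192.168.0.0/16]: 192.168.10.15 and 192.168.35.245
    both match 192.168.0.0/16.  An unparsable source address fails closed."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # strict=False accepts a prefix with host bits set (e.g. 10.10.10.5/24).
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def normalise_host(host: str) -> str:
    """[string tolower [HTTP::host]], plus dropping a ":port" suffix (assumed
    here; a literal switch arm would not match "client-cms.pwidman.com:8080")."""
    host = host.strip().lower()
    if host.count(":") == 1:        # name:port, but leave IPv6 literals alone
        host = host.split(":", 1)[0]
    return host


def decide(client_ip: str, host: str) -> Tuple[str, str]:
    """Model of the HTTP_REQUEST event: ('pool', <pool>) or ('discard', <why>).
    A host with no switch arm is discarded here; the original switch would
    silently fall through to the virtual server's default pool."""
    host = normalise_host(host)
    if host not in POOLS:
        return ("discard", "unknown host")
    allowed = ALLOW_LISTS.get(host, [])
    if allowed and not ip_in_networks(client_ip, allowed):
        return ("discard", f"{client_ip} NOT matched allow list for {host}")
    return ("pool", POOLS[host])


if __name__ == "__main__":
    # Constructed sample requests: (client address, Host header).
    for ip, host in [("192.168.35.245", "CLIENT-cms.pwidman.com"),
                     ("10.10.10.7", "client-cms.pwidman.com:8080"),
                     ("172.16.0.1", "client-cms.pwidman.com"),
                     ("172.16.0.1", "someotherclient.pwidman.com"),
                     ("not-an-ip", "client-cms.pwidman.com")]:
        print(f"{ip:>16} {host:<32} -> {decide(ip, host)}")
```

The two checks side by side are the whole point: string_compare_matches never succeeds for a client inside the range, while ip_in_networks does, which is why the aFleX above reaches the pool for 192.168.35.245. Failing closed on an unparsable address and normalising the Host header are the two places where a hand-rolled allow list most often lets something through or blocks a legitimate client.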
Thanks - it turned out there was an odd error in my larger version. The GUI accepted the code but it would not execute. Loading it into Notepad++ helped me sort out the { } combinations.