url or host switching based on source-ip

[Deleted User] · October 2011

Posted by pwidman

I have a customer who's commercial requirement is to ensure only specific networks (clients) access a host or URL. Today they are using an IRULE
with a class-list to call out the networks that should be matched for a particular host. An example IRULE of what they have is pasted below

when HTTP_REQUEST {
switch [string tolower [HTTP::host]] {
"CLIENT-cms.pwidman.com" { if { [matchclass [IP::client_addr] equals $::CLIENT_allow_list] } {
log local0. "[IP::client_addr] matched CLIENT_allow_list"
pool pool_ivos_CLIENT-cms.pwidman_http
} else {
log local0. "[IP::client_addr] NOT matched CLIENT_allow_list"
discard
}
}
"someotherclient.pwidman.com" { pool pool_ivos_SomeOtherClient.pwidman_http }
"yetanotherclient.int.pwidman.com" { pool pool_ivos_yetanotherclient.pwidman_http }

Since class-lists are not available in the current release of code 2.6.1 do we have to call out each source (network client_addr) that are being called in the class-list in order to get the same results?

[Deleted User] · October 2011

Posted by ddesmidt

Hi,

Looking at the message:

1. You have an iRule
That iRule looks at the "host" and:
. if host = CLIENT-cms.pwidman.com, you go to the pool "pool_ivos_CLIENT-cms.pwidman_http"
. otherwise you drop the request

2. You have a Class-List
That's not in your config displayed but I understand you also have a Class List per client with their public IP addresses and:
. if the source-IP belongs to that class list => you do the iRules

Today (2.6.1) as you noticed we can do the "step1" but AX is missing step2.
Important Note: That piece will be part of 2.6.2 planned very soon (Q4'2011). And if required we can give you under NDA a beta code as soon as today

Waiting for that 2.6.2 release as you said, you have to do the "step2" in the aFleX.
Here is a example on how to do it:

Code:

when HTTP_REQUEST {
# Customer1
if { [IP::addr [IP::client_addr] equals 10.10.10.0/24] } {
if {[string tolower [HTTP::host] equals "client-cms.pwidman.com")} {
log local0. "[IP::client_addr] matched CLIENT_allow_list"
pool pool_ivos_CLIENT-cms.pwidman_http
} else {
log local0. "[IP::client_addr] NOT matched CLIENT_allow_list"
discard
}
}

# Customer2
if { [IP::addr [IP::client_addr] equals 20.20.20.0/24] } {
if {[string tolower [HTTP::host] equals " someotherclient.pwidman.com")} {
log local0. "[IP::client_addr] matched XYZ_allow_list"
pool pool_ivos_XYZ-cms.pwidman_http
} else {
log local0. "[IP::client_addr] NOT matched XYZ_allow_list"
discard
}
}
}

etc

mcyork · October 2011

Posted by mcyork

From the above I have built the below (might work?). I am not clear if the syntax of the condition is in fact grabbing all the IP address with in this range or doing a string compare (and this failing to ever go to a pool). Is it a string compare and I need some other syntax to hit true on an IP within the network range?

when HTTP_REQUEST {
# 192.168.0.0
if { [IP::addr [IP::client_addr] equals 192.168.0.0/16] } {
if { [HTTP::uri] equals "/" } {
HTTP::redirect https://[HTTP::host]/login.html
}
pool sg_internal
}

# 10.0.0.0
if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
if { [HTTP::uri] equals "/" } {
HTTP::redirect https://[HTTP::host]/login.html
}
pool sg_internal
}

HTTP::redirect www.google.com/
}

[Deleted User] · October 2011

Posted by ddesmidt

The script "[IP::addr [IP::client_addr] equals 192.168.0.0/16]" is not a string compare, but really an IP address check.
So this one above will get the IP address 192.168.10.15 but also 192.168.35.245, etc.

So you aFleX looks pretty good to me

Dimitri

mcyork · November 2011

Posted by mcyork

Thanks - it ended up there was an odd error in my larger version. The GUI accepted the code but it would not execute. Loading it into notepad++ helped me sort out the { } combinations.

url or host switching based on source-ip

Comments