F5 BIG-IP — iRule to block a URI for external clients only

So, I was asked a cool question today regarding an F5 VIP used by a web application.
“Can we block a certain URI from external clients but allow internal clients to visit it?”

Of course we can! Now there are probably a billion different ways to do this, but this is what I came up with.

First, the condition: only 10.0.0.0/8 hosts should be able to access the restricted URI. Anyone else should be dropped. I say dropped and not denied (rejected), because a reject sends a TCP reset that tells the client something actively refused the request, while a drop just discards it. A client who shouldn't be navigating to the URI then simply times out and doesn't get any more information than they need. Second, I want to log the blocks, so I can see it working and get an idea of how many times the URI gets hit. Lastly, we need to know the virtual server to apply the iRule to.

Here is the finished iRule, hope it helps!

when CLIENT_ACCEPTED {
    # Decide once per TCP connection whether the source is allowed.
    # This variable must be connection-local: a static:: variable is shared
    # by every connection on the box, so one external client would have
    # flipped the flag for everyone, including internal clients.
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        set drop_notallowed 0
    } else {
        set drop_notallowed 1
    }
}

when HTTP_REQUEST {
    # The URI is lowercased before the comparison, so the literal has to be
    # lowercase too, otherwise "/restricted-URI" would never match anything.
    if { [string tolower [HTTP::uri]] starts_with "/restricted-uri" } {
        if { $drop_notallowed == 1 } {
            # Log the block here, where the URI is actually known, then drop
            # silently so the client just times out.
            log local0. "[IP::client_addr] is outside 10.0.0.0/8 and requested [HTTP::uri], dropping"
            drop
        }
    }
}


NOTICE: The above rule can be reworked to be more granular, and made more specific about the source IPs of the clients. If you need to list multiple host IPs or networks that cannot be easily summarized like above, consider using data groups on the F5. These are like arrays (for this use case an address-type list) that you can feed multiple entries, and the iRule looks them up with "class match" when it performs the condition check. One caveat: "starts_with" on the URI is a prefix check on exactly what the client sent, so if the back end normalizes paths (collapsing "//" or "/./" segments, for example) a request that the web server treats as the restricted path might not start with the literal you compare against. Make sure the application itself still enforces who may use that URI rather than relying on the F5 alone.
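The data-group variant described above, written out as an added example (this is not the iRule from the post, it is a rewrite of it). It assumes an address-type data group named restricted_uri_allowed_nets, a virtual server named vs_webapp and an iRule named restricted_uri_internal_only; all three names are placeholders you would replace with your own.

```tcl
# Added example: same policy as the iRule above, but the allowed source
# networks come from an address-type data group instead of a hard-coded
# 10.0.0.0/8. Data group, virtual server and rule names are placeholders.
#
# Create the data group and attach the rule from tmsh:
#   create ltm data-group internal restricted_uri_allowed_nets type ip \
#       records add { 10.0.0.0/8 { } 172.16.0.0/12 { } 192.168.10.5/32 { } }
#   modify ltm virtual vs_webapp rules { restricted_uri_internal_only }

when CLIENT_ACCEPTED {
    # Decide once per TCP connection. The variable is connection-local, so
    # one client's result never leaks into another client's connection.
    # class match on an address-type data group matches the client address
    # against every network or host entry in the group.
    if { [class match [IP::client_addr] equals restricted_uri_allowed_nets] } {
        set allowed_source 1
    } else {
        set allowed_source 0
    }
}

when HTTP_REQUEST {
    # Compare the path only (HTTP::path carries no query string), lowercased,
    # against a lowercase literal so the case-insensitive match really works.
    if { [string tolower [HTTP::path]] starts_with "/restricted-uri" } {
        if { $allowed_source == 0 } {
            # Log the block where the URI is known, then drop silently so the
            # external client only sees a timeout.
            log local0. "Dropped [IP::client_addr] (not in restricted_uri_allowed_nets) requesting [HTTP::uri]"
            drop
        }
    }
}
```

To add or remove an allowed network later you edit the data group, not the iRule, which is the main reason to prefer this form once the list grows past a single summarizable prefix. The check still lives in CLIENT_ACCEPTED so it runs once per connection rather than on every request.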