• BIGIP F5 iRule — Block URI for external clients only

    So, I had a cool question asked to me today regarding an F5 VIP used by a web application.
    “Can we block a certain URI from external clients but allow internal clients to visit it?”

    Of course we can!! Now, there are probably a billion different ways to do this, but this is what I came up with.

    First, the condition: we want only hosts in 10.0.0.0/8 to be able to access this restricted URI. Anyone else should be dropped. I say dropped and not denied because that way, if a user tries to navigate to a URI they shouldn’t, the request just times out and doesn’t give them any more information than they need. Second, I want to log blocks, so I can see it working and get an idea of how many times it gets hit. Lastly, we need to know the virtual server to apply the iRule to.

    Here is the finished iRule, hope it helps!

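    when CLIENT_ACCEPTED {
    	# Connection-scoped flag (not static::, which is shared by every
    	# connection and would stay set for internal clients as well).
    	set drop_notallowed 0
    	if { not [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
    		set drop_notallowed 1
    	}
    }
    
    when HTTP_REQUEST {
    	# The URI is lowercased before the comparison, so the pattern is lowercase too.
    	if { [string tolower [HTTP::uri]] starts_with "/restricted-uri" } {
    		if { $drop_notallowed == 1 } {
    			# Log only real blocks, then drop without sending a response.
    			log local0. "[IP::client_addr] does not match 10.0.0.0/8 AND access URI = /restricted-URI/"
    			drop
    		}
    	}
    }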
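
    A variant of the same rule, added here as an example and not the author's code: it reads the allowed networks from a data group and compares the decoded, lowercased path on every request of the connection. The data group name internal_nets_dg is an assumption; create it as an address-type data group containing 10.0.0.0/8.

    ```tcl
    # Added example. Assumes an address-type data group named
    # "internal_nets_dg" (hypothetical name) that contains 10.0.0.0/8.
    when CLIENT_ACCEPTED {
        # Evaluated once per TCP connection; the variable is connection-scoped,
        # so one client's result never carries over to another client.
        if { [class match [IP::client_addr] equals internal_nets_dg] } {
            set is_internal 1
        } else {
            set is_internal 0
        }
    }

    when HTTP_REQUEST {
        # Fires for every request, including later ones on a keep-alive connection.
        if { $is_internal } { return }

        # HTTP::path leaves out the query string. Decode percent-escapes and
        # lowercase the result so the path is compared in a single form.
        set path [string tolower [URI::decode [HTTP::path]]]

        if { $path starts_with "/restricted-uri" } {
            # Record the block with the requested host and URI, then drop silently.
            log local0. "Dropped [IP::client_addr] requesting [HTTP::host][HTTP::uri]"
            drop
            return
        }
    }
    ```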

     
