iRule – IP Restrict Internal Applications

Fork in the road

In some scenarios it is necessary to limit access to applications behind the F5. Let's say you are hosting an application that is load balanced and is publicly and privately accessible on the same virtual server. This can be accomplished with an iRule.

In my scenario I need to limit access to applications running on an HTTP (non-SSL/TLS) virtual server so that internal clear-text calls are permitted on the LAN, but users on the Internet are redirected to the same resource over HTTPS. My private networks all start with 10.*, so it was fairly easy for me to write a rule to accomplish this. The rule can be customized to fit many different scenarios.

In summary, my logic first inspects the IP address of the client's request. If it starts with 10., the request is processed by looking at the URI (virtual directory). If there is a successful match, it is sent to the appropriate pool. If not, the full HOST and URI from the client's request are redirected to HTTPS.

Otherwise, if the client's IP does not fall in my private range, requests to certain resources that are not accessible at all from the Internet are dropped, and the rest are redirected to HTTPS as before.

when HTTP_REQUEST {
   # Internal (10.x.x.x) clients: allow clear-text HTTP to the listed applications.
   if { [IP::client_addr] starts_with "10." } {
      switch -glob [string tolower [HTTP::uri]] {
         "/app1*" -
         "/app2*" {
            pool POOL-APP-HTTP
            persist none
         }
         "/fs*" {
            pool POOL-FS-HTTP
            persist none
         }
         default {
            # Anything else goes to HTTPS on the same host (port stripped) and URI.
            HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
         }
      }
   } else {
      # External clients: internal-only resources are dropped, everything else redirected.
      switch -glob [string tolower [HTTP::uri]] {
         "/internal1*" {
            drop
         }
         default {
            HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
         }
      }
   }
}
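To check the decision logic before pushing a rule like this to a production virtual server, here is the same policy modelled in Python as an added example (this is not code from the post, and an F5 does not run it). It assumes the pool names and URI prefixes from the iRule above and generalizes the `starts_with "10."` test to CIDR membership so additional private ranges can be listed; the sample requests are constructed.

```python
import ipaddress
from typing import Optional, Tuple

# Policy mirroring the iRule on this page (names taken from it).
# Internal clients may reach these URI prefixes in clear text.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # add e.g. 192.168.0.0/16 here
INTERNAL_POOLS = {
    "/app1": "POOL-APP-HTTP",
    "/app2": "POOL-APP-HTTP",
    "/fs": "POOL-FS-HTTP",
}
# URI prefixes that are never reachable from outside the internal networks.
INTERNAL_ONLY = ["/internal1"]


def is_internal(client_ip: str) -> bool:
    """CIDR membership check, a generalization of `starts_with "10."`."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparseable address is treated as external
    return any(addr in net for net in INTERNAL_NETS)


def https_redirect(host: str, uri: str) -> str:
    """Same as `https://[getfield [HTTP::host] ":" 1][HTTP::uri]`: strip any :port."""
    return "https://" + host.split(":", 1)[0] + uri


def route(client_ip: str, host: str, uri: str) -> Tuple[str, Optional[str]]:
    """Return (action, target): ('pool', name), ('redirect', url) or ('drop', None)."""
    path = uri.lower()  # the iRule lower-cases the URI before glob matching
    if is_internal(client_ip):
        for prefix, pool in INTERNAL_POOLS.items():
            if path.startswith(prefix):  # "/app1*" glob == prefix match
                return ("pool", pool)
        return ("redirect", https_redirect(host, uri))
    if any(path.startswith(p) for p in INTERNAL_ONLY):
        return ("drop", None)
    return ("redirect", https_redirect(host, uri))


if __name__ == "__main__":
    # Constructed sample requests: (client IP, Host header, URI).
    for req in [("10.1.2.3", "app.example.internal", "/APP1/index.html"),
                ("10.1.2.3", "app.example.internal:80", "/other"),
                ("203.0.113.5", "app.example.internal", "/internal1/admin"),
                ("203.0.113.5", "app.example.internal", "/app1/")]:
        print(req, "->", route(*req))
```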