Tyler_Hardison_
Jan 24, 2014Nimbostratus
Sideband for connections that are not going to a pool?
Hi There!
I'm trying to inject a sideband check that queries an internal server for dns blacklisting on the source IP addresses. Because I'm not using pools (low traffic legacy websites) I'm trying...
- Jan 24, 2014
I would use a datagroup for the URL lookup instead of statically modifying the iRule every time you need to make a change. You could do the side band connection in client_accepted like kevin states, then you don't have to continue processing for blacklisted IPs.
when CLIENT_ACCEPTED { set clientAddress [IP::client_addr] Do sideband connection like described here https://devcentral.f5.com/wiki/irules.sideband-connection-http-example.ashx if { sideband tells us this is a bad IP address } { Drop it on the floor. drop } If it's not a blacklisted IP we let it continue } when HTTP_REQUEST { class match here for destination IP based on [HTTP::host] https://devcentral.f5.com/wiki/irules.class.ashx }
Here's a more elaborate access control iRule which uses data groups instead of a sideband connection
https://devcentral.f5.com/wiki/iRules.AccessControlBasedOnNetworkOrHost.ashx