Restrict access to a website by external source address using an LTM data-group.
1st, create a data-group and list the approved networks as CIDR blocks:
    ltm data-group MYAPPROVEDNETS {
        records {
            6.1.9.0/17 { }
            195.3.1.0/20 { }
            1.1.1.1/32 { }
            10.17.1.0/24 { }
        }
        type ip
    }
2nd, build a simple iRule that references the data-group to check the client address:
    ltm rule MYACCESSRULE {
        # Drop the TCP connection before any HTTP is parsed unless the
        # client address falls inside a network listed in MYAPPROVEDNETS.
        when CLIENT_ACCEPTED {
            if { not ( [class match [IP::client_addr] equals MYAPPROVEDNETS] ) } {
                reject
            }
        }
        # Route each approved client to its site by Host header.
        when HTTP_REQUEST {
            switch [HTTP::host] {
                "GHjdev.examples.com" {
                    persist cookie insert "HjDEVWEBS01" "1d 00:00:00"
                    pool pool.GHjdev.examples.com
                }
                "GHjdev-admin.examples.com" {
                    persist cookie insert "HjDEVWEBS03" "1d 00:00:00"
                    pool pool.GHjdev-admin.examples.com
                }
                "GHjtest-admin.examples.com" {
                    persist cookie insert "HjDEVWEBS02" "1d 00:00:00"
                    # 'node' selects a single server directly; 'set node ...'
                    # would only assign a Tcl variable and send nothing there.
                    node 10.1.1.13 80
                }
                "dfdev.examples.com" {
                    persist cookie insert "HjDEVWEBSx2" "1d 00:00:00"
                    snatpool POOLSNAT01
                    pool pool.dfdev.examples.com
                }
            }
        }
    }
NOTE: with this iRule, the examples.com websites above only accept connections from the sources defined in the data-group; any other client is rejected at CLIENT_ACCEPTED, before a request is ever read.
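Before loading a data-group like the one above, it is worth checking that every record is an aligned CIDR block and confirming which client addresses it actually admits. The following is an added example (not code from the post or from F5): a small Python script, standard library only, that parses the tmsh data-group text shown above (embedded here as a constructed string), flags records whose host bits are set, and emulates the iRule's [class match [IP::client_addr] equals ...] test as "address falls inside any record's network" (that emulation is my assumption about the match semantics). Run as written it reports that two of the post's entries, 6.1.9.0/17 and 195.3.1.0/20, carry host bits and really denote 6.1.0.0/17 and 195.3.0.0/20, which is wider than the written prefix might suggest and deserves a second look before it becomes an allow-list.

```python
"""Validate an LTM ip-type data-group and emulate 'class match ... equals'.

Added example, not from the original post or F5. It uses only the Python
standard library; the data-group text below is copied from the post and
embedded so the script runs offline.
"""
import ipaddress
import re

# Constructed input: the data-group from the post, verbatim.
DATA_GROUP = """
ltm data-group MYAPPROVEDNETS {
    records {
        6.1.9.0/17 { }
        195.3.1.0/20 { }
        1.1.1.1/32 { }
        10.17.1.0/24 { }
    }
    type ip
}
"""

# One record line inside 'records { ... }' looks like:  <key> { }
RECORD_RE = re.compile(r"^\s*(\S+)\s*\{\s*\}\s*$")


def parse_records(text):
    """Return the record keys (CIDR strings) listed inside 'records { ... }'."""
    records = []
    in_records = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("records {"):
            in_records = True
            continue
        if in_records and stripped == "}":
            break  # closing brace of the records block
        if in_records:
            m = RECORD_RE.match(line)
            if m:
                records.append(m.group(1))
    return records


def check_alignment(records):
    """Flag records whose host bits are set, e.g. 6.1.9.0/17 is really 6.1.0.0/17.

    Returns a list of (record_as_written, normalized_network). Such an entry is
    ambiguous: the author may have meant the covering /17, or a narrower block.
    """
    problems = []
    for rec in records:
        try:
            ipaddress.ip_network(rec, strict=True)
        except ValueError:
            net = ipaddress.ip_network(rec, strict=False)
            problems.append((rec, str(net)))
    return problems


def client_allowed(records, client_addr):
    """Emulate the iRule test: True if client_addr is inside any record's network.

    Assumption: an ip-type data-group matches an address against the network
    each record denotes (strict=False gives the covering network for
    misaligned entries, which is the most permissive reading).
    """
    addr = ipaddress.ip_address(client_addr)
    return any(addr in ipaddress.ip_network(rec, strict=False) for rec in records)


if __name__ == "__main__":
    recs = parse_records(DATA_GROUP)
    for rec, net in check_alignment(recs):
        print(f"WARNING: {rec} has host bits set; covering network is {net}")
    for probe in ("10.17.1.44", "1.1.1.1", "1.1.1.2", "6.1.100.9", "192.0.2.10"):
        action = "allow" if client_allowed(recs, probe) else "reject"
        print(f"{probe:>12} -> {action}")
```

The alignment check is the part to keep in a pre-change review: an allow-list entry that silently widens to its covering network admits addresses nobody intended, and the misaligned records are easy to miss by eye.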
ALTERNATIVELY
You could use mutual SSL authentication instead, so that only web users presenting a valid client certificate can reach the website. This is smarter in the long run, since you don't have to worry about web clients whose addresses change on a regular basis.
Using the data-group approach you could stand up DEV or UAT environments and allow only trusted networks to access them.
Reference design: multiple pools making up the various sites, with a dev team in two network spaces.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \