Allow an IP Range and deny all the rest, only if a particular URL is matched
Scope
In some scenarios, you may need to allow or deny access only for a subset of IP addresses. You may also need this restriction to apply only when a particular URL is requested (for example, /admin or /secure) rather than to the whole website.
The example in this article deals with the following scenario:
If the URL /admin is triggered, only the IP address range 10.1.0.0/24 is allowed to access the Real Server. All other IP addresses are blocked.
Solution
Some content rules need to be created. The use of flags is required in order to link together different content rules.
Refer to the Configuration section below for instructions on how to do this.
For more information on content rules in general, refer to the Content Rules Feature Description document.
Configuration
Create a rule to match /admin.
It is important that Flag 1 is set when the rule is matched.
Create a second content rule to match every IP address that is not part of the IP address range 10.0.30.0/24.
This rule should be triggered ONLY if Flag 1 has been previously set from another content matching rule.
If this rule is triggered (a client with an IP address outside the range 10.0.30.0/24 tries to access the Virtual Service), the LoadMaster returns a FAIL (Fail On Match is enabled in the rule).
The two content rules should then be assigned to the Virtual Service under Advanced Properties > HTTP Selection Rules.
If needed, you can also set an error message here.
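The flag-linked logic described above can be checked offline before the rules are assigned. The following is an added example, not LoadMaster code or part of the original article: a small Python model of the two rules. The rule names, the case-insensitive prefix match on /admin, and evaluation in listed order are assumptions of the model.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional

ALLOWED_NET = ipaddress.ip_network("10.0.30.0/24")  # range used in the Configuration steps
# Assumption: /admin is matched as a case-insensitive path prefix.
ADMIN_RE = re.compile(r"^/admin(/|$)", re.IGNORECASE)

@dataclass
class Rule:
    name: str                              # hypothetical rule name
    matches: Callable[[str, str], bool]    # (path, source IP) -> matched?
    require_flag: Optional[int] = None     # rule is skipped unless this flag is set
    set_flag: Optional[int] = None         # flag raised when the rule matches
    fail_on_match: bool = False            # models "Fail On Match"

RULES = [
    # Rule 1: match /admin and set Flag 1.
    Rule("match_admin", lambda path, ip: bool(ADMIN_RE.search(path)), set_flag=1),
    # Rule 2: only when Flag 1 is set, fail any source outside the allowed range.
    Rule("deny_outside_range",
         lambda path, ip: ipaddress.ip_address(ip) not in ALLOWED_NET,
         require_flag=1, fail_on_match=True),
]

def evaluate(path: str, src_ip: str, rules=RULES) -> str:
    """Return "FAIL" if a fail-on-match rule fires, otherwise "PASS"."""
    flags = set()
    for rule in rules:  # assumption: rules are evaluated in listed order
        if rule.require_flag is not None and rule.require_flag not in flags:
            continue    # linked rule stays dormant until its flag is set
        if rule.matches(path, src_ip):
            if rule.fail_on_match:
                return "FAIL"
            if rule.set_flag is not None:
                flags.add(rule.set_flag)
    return "PASS"

if __name__ == "__main__":
    # Constructed sample requests (path, source IP).
    for path, ip in [("/admin", "10.0.30.17"), ("/admin/users", "10.0.31.1"),
                     ("/Admin", "10.1.0.5"), ("/index.html", "203.0.113.9")]:
        print(f"{ip:>14} {path:<14} {evaluate(path, ip)}")
    # With the order reversed, the deny rule runs before Flag 1 exists and never fires.
    print("reversed:", evaluate("/admin", "203.0.113.9", rules=RULES[::-1]))
```

In this model, 10.1.0.5 is rejected on /admin because it is outside 10.0.30.0/24, and reversing the rule order lets an outside address through, which is why the rule that sets Flag 1 must be evaluated first.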
Darren DeHaven
In the article, where it says "only IP address range 10.1.0.0/24 is allowed", should be replaced with "only IP address range 10.0.30.0/24 is allowed".