Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Allow an IP Range and deny all the rest, only if a particular URL is matched


In some scenarios, you may need to allow or deny access only for a subset of IP addresses. Additionally it may be that this block should be applied only if some particular URL is triggered, not for the whole website, for example /admin, /secure. 

The example in this article deals with the following scenario:

IF URL/Admin is triggered, only IP address range is allowed to access the Real Server. All other IP addresses are blocked.


Some content rules need to be created. The use of flags is required in order to link together different content rules.

Refer to the below content for instructions on how to do this.

For more information on content rules in general, refer to the Content Rules Feature Description document.


Create a rule to match /admin.

It is important that Flag 1 is set when the rule is matched.


Create a second content rule to match every IP address that is not part of the IP address range

This rule should be triggered ONLY if Flag 1 has been previously set from another content matching rule.
If this rule is triggered (a client with an IP address not on the range tried to access the Virtual Service) the LoadMaster returns a FAIL (Fail On Match is enabled in the rule).


The two content rules created should be then assigned to the Virtual Service under Advanced Proprieties > HTTP Selection Rules.
If needed, you can also set an error message here as shown below.



Was this article helpful?
0 out of 0 found this helpful



Darren DeHaven

In the article, where it says "only IP address range is allowed", should be replaced with "only IP address range is allowed".