
How To: Only allow certain IP addresses to access / use your proxy

Description

  • I want only a list of IP addresses or ranges to be able to send traffic to a proxy, and to block IPs that are not in the list
  • I want to allow QA/trusted IP addresses only

Is this the same as allowlisting IP Addresses for WAF Policies or DDoS?

 

Environment

  • DDoS Proxy
  • WAF Proxy 
  • Allowlist

 

Procedure

  1. Open a ticket with F5 Silverline SOC and request an allowlist iRule to only allow certain IPs to use the web application proxy.
    • Example iRule logic for X-Forwarded-For
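      • when HTTP_REQUEST priority 202 {
            # Resolve the client IP from the X-Forwarded-For header
            set True_Client_IP [call ag_info0::http_client_ip X-Forwarded-For]

            # Block any client whose IP is not in the allowlist data table
            if { ![class match -- $True_Client_IP equals [call ag_info0::datatable_name allowlist_table]] } {
                # Log the blocked request, then drop it and stop further iRule events
                set agl [call ag_log0::open -rulename allowlist_XFF -rulever 1]
                call ag_log0::http_kvp $agl INFO action "blocked" blocked 1
                drop
                event disable all
            }
        }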

  2. SOC will set the iRule up in your account along with an associated data table
    • By default, the data table will contain a private, non-routable IP such as 192.168.1.1
    • The data table should not be empty
  3. Then, add trusted IP addresses to your data table
  4. Attach the iRule to your proxy
  5. Test
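
A pre-check for steps 3 and 5, as an added example that is not part of the original article or F5's tooling: it validates the entries you plan to put in the data table and previews which client IPs the allowlist would let through. CIDR notation for ranges, the sample addresses and the function names are assumptions, as is treating a non-IP client value as blocked.

```python
import ipaddress

PLACEHOLDER = ipaddress.ip_network("192.168.1.1/32")  # default entry named in step 2

def parse_table(entries):
    """Parse planned data-table entries (single IPs or CIDR ranges, assumed format).
    Returns (networks, problems); problems is a list of human-readable findings."""
    networks, problems = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            problems.append(f"invalid entry: {text!r}")
            continue
        if net.prefixlen == 0:
            problems.append(f"{text} matches every address, allowlist has no effect")
        elif net == PLACEHOLDER:
            problems.append(f"{text} is the default placeholder, not a real client")
        networks.append(net)
    if not networks:
        problems.append("table is empty; the article says it should not be")
    return networks, problems

def decision(client_ip, networks):
    """Mirror the iRule's outcome: 'allow' on a table match, otherwise 'blocked'."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return "blocked"  # assumption: a value that is not an IP cannot match
    hit = any(addr.version == n.version and addr in n for n in networks)
    return "allow" if hit else "blocked"

# Constructed sample data (documentation ranges, not real clients).
TABLE = ["192.168.1.1", "203.0.113.10", "198.51.100.0/24", "10.0.0.300"]
CLIENTS = ["203.0.113.10", "198.51.100.77", "192.0.2.5", "not-an-ip"]

if __name__ == "__main__":
    nets, issues = parse_table(TABLE)
    for issue in issues:
        print("WARN", issue)
    for ip in CLIENTS:
        print(f"{ip:>15} -> {decision(ip, nets)}")
```

Include at least one address that should be blocked in the client list, so the test in step 5 confirms the deny path as well as the allow path.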

 
