
Geo Restrict Traffic Script

by aidan.clarke on ‎12-06-2012 10:35 PM (1,611 Views)

#// Traffic Script to Geo-Restrict access to a particular set of resources based on the country you are


#// coming from.


#// Written by Aidan Clarke - Riverbed Technologies Dec 2012


#// email feedback to <aidan dot clarke at riverbed dot com>


#// As always, comments and feedback welcome.



#// Has 3 functions for geo restriction:


#// 1- Will only allow access to the restricted URL Stub from the list of countries specified in the $countriesAllowed array

#// 2- Will allow access from outside of $countriesAllowed if the user has authenticated and has an AuthToken Cookie
#//    (the cookie is only checked for being present until checkCookie() is filled in)

#// 3- Will override all access to the restricted URL Stub if the user is coming from countries specified in the $countriesBanned array



#// ---- Configuration -------------------------------------------------------

#// Path prefix of the resources to protect. The rule compares the normalized
#// request path against this value with string.startsWith().
$restrictedUrlPrefix = "/restricted/";

#// ISO 3166-1 alpha-2 codes of the countries that may reach the restricted
#// resources without an authentication cookie.
$countriesAllowed = ["AU", "NZ"];

#// ISO 3166-1 alpha-2 codes of the countries that are refused outright,
#// whether or not the client presents an authentication cookie.
$countriesBanned = [ "NG" ];

#// Name of the authentication cookie that lets a client from outside
#// $countriesAllowed (but not from $countriesBanned) through.
$authCookie = "myAuthToken";

#// Debug logging switch. Possible values: 0 or 1. When 1, the rule writes a
#// log.info() line for each decision it takes on a restricted URL.
$debug = "1";




#// sub routines so you can define what you want do do when you deny access


sub denyAccess(){
  #// log.info("denyAccess hit");

  #// Refuse the request: answer with a 403 status, a short HTML body and a
  #// "denied" cookie. Edit the values below to customise the refusal.
  $status      = "403 Permission Denied";
  $contentType = "text/html";
  $body        = "Go away";
  $extraHeader = "Set-Cookie: denied=Yes";

  http.sendResponse( $status, $contentType, $body, $extraHeader );
}




#// sub routines so you can define what you want do do when you permit access


sub permitAccess(){
  #// Hook that runs when a request to a restricted URL is allowed.
  #// It is intentionally empty: the request simply carries on through
  #// the rule. Add logging or header changes here if you need them.

  #// log.info("permitAccess hit...");
}




#// sub routines so you can define how you want to check the cookie is valid before you allow access


sub checkCookie(){
  #// Hook that runs when the client presents the authentication cookie.
  #//
  #// NOTE(review): this is a stub. It writes a log line and returns without
  #// looking at the cookie, and the calling rule only tests that the cookie
  #// is non-empty. Until validation is added here, the presence of the
  #// cookie alone bypasses the $countriesAllowed check. Verify the token
  #// against something the client cannot fabricate (for example a
  #// server-side session lookup or a signed value with an expiry) and call
  #// denyAccess() when the check fails.

  log.info("checkCookie hit...");
}




#//#######################################################################


#// Nothing to edit below this line


#//#######################################################################




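#// Work out where the client is coming from.
#// NOTE(review): request.getRemoteIP() is the address of the connecting peer.
#// If a proxy or CDN sits in front of this traffic manager, the country looked
#// up here is presumably the proxy's, not the end user's - confirm the
#// deployment. Country lookup by IP is a coarse control in any case, so keep
#// real authorisation on the restricted resources themselves.
$clientIP = request.getRemoteIP();
  #$clientIP = "41.73.224.10"; #// sample NG Address useful for testing
  #$clientIP = "203.30.98.10"; #// sample AU Address useful for testing
  #$clientIP = "37.8.160.10"; #// sample FR Address useful for testing

$clientCountry = geo.getCountryCode($clientIP);

#// Normalize the path before matching so that "." and ".." segments cannot be
#// used to dodge the prefix test.
$path = http.normalizePath( http.getPath() );

#// Check if the URL in question is one we need to restrict access to.
#// NOTE(review): string.startsWith() is a case-sensitive match. If the back
#// end serves paths case-insensitively, confirm that a differently-cased
#// prefix cannot reach the same resources.
if ( string.startsWith( $path, $restrictedUrlPrefix ) ) {

   #// Use case 3 - a client from a country in $countriesBanned is always
   #// refused. The result is recorded in a flag so that a banned client can
   #// never fall through to the cookie or allowed-country checks below.
   $isBanned = 0;
   foreach ( $badCountry in $countriesBanned ){
      if ( $clientCountry == $badCountry ){
         $isBanned = 1;
         break;
      }
   }

   if ( $isBanned == 1 ){

      if ($debug == 1) {log.info("Client Country " . $clientCountry . " is banned from accessing " . $restrictedUrlPrefix . " on this site." ) ;}
      denyAccess();

   } else {

      #// The URL is restricted and the client is not from a country in
      #// $countriesBanned. Let them through if they carry $authCookie or
      #// if they come from a country in $countriesAllowed.
      if ( http.getCookie( $authCookie ) != "" ){

         #// Use case 2 - the client presents the authentication cookie.
         #// Only its presence is tested here; checkCookie() returns nothing
         #// to this rule, so it has to reject a forged or expired token
         #// itself (for example by calling denyAccess()).
         if ($debug == 1) {log.info("Client Country: " . $clientCountry . " is permited to access " . $restrictedUrlPrefix . " on this site because they are authenticated." );}
         checkCookie();

      } else {

         #// Use case 1 - compare against EVERY entry in $countriesAllowed
         #// before deciding. Denying inside the loop on the first mismatch
         #// would refuse every allowed country except the first in the list.
         $isAllowed = 0;
         foreach ( $goodCountry in $countriesAllowed ){
            if ( $clientCountry == $goodCountry ){
               $isAllowed = 1;
               break;
            }
         }

         if ( $isAllowed == 1 ){
            #// They are from a permitted country, we let them go through
            if ($debug == 1) { log.info("Client Country: " . $clientCountry . " is permited to access " . $restrictedUrlPrefix . " on this site." );}
            permitAccess();
         } else {
            #// No match - this also covers an empty $countriesAllowed list
            #// and a client whose country is not in the list for any other
            #// reason, so the rule fails closed.
            if ($debug == 1) { log.info("Customer in Client Country: " . $clientCountry . " is banned from accessing " . $restrictedUrlPrefix . " on this site because they are not authenticated." );}
            denyAccess();
         }
      }
   }
}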