Forum Discussion
Allow access to URL from internet based on URI
Hello ,
I am trying to develop an iRule whereby access to a specific URL is allowed only when a specific URL is presented. The logic is as below:
Application 202 (CAC) alone is accessible on the internet:
- allow /i/*
- allow /smapps/f?p=CAC*
- allow /smapps/f?p=202*
- deny if starts with /smapps/f?p and does not start with /smapps/f?p=202
- allow /smapps/*
- deny all
The above is only applicable to traffic from the internet, i.e. all non-RFC 1918 addresses. The above should be accessible to all RFC 1918 addresses (10.0.0.0/8 etc.).
I am new to iRules and would appreciate any help in developing this rule. I am not sure if I will have to use data groups for this.
Thanks,
Karthik
5 Replies
- Kevin_Stewart
Employee
Something like this maybe:
    when HTTP_REQUEST {
        if { not ( [class match [string tolower [HTTP::uri]] starts_with restrict_uri_dg] ) and not ( [class match [IP::client_addr] equals private_net] ) } {
            log local0. "rejected request for [HTTP::uri] from [IP::client_addr]"
            reject
        }
    }

where "restrict_uri_dg" is a string-based data group containing URI paths that are allowed. Example (note everything is lower case):

    /smapps/f?p=202 := 1
    /smapps/f?p=cac := 1

and "private_net" is an address-based data group containing the RFC 1918 address space. Example:

    10.0.0.0/255.0.0.0
    172.16.0.0/255.240.0.0
    192.168.0.0/255.255.0.0

- Karthik_Krishn1
Cirrostratus
Thanks Kevin. I was just told that the URL has to be accessible by both internal (RFC 1918) and Internet users. So based on new information this is what the developers want to do:
If a user is from the Internet they need to be able to access the following in the order as below:
- permit /i/*
- permit /smapps/f?p=202
- permit /smapps/f?p=cac
- reject if starts with /smapps/f?p and does not start with /smapps/f?p=202
- permit /smapps/*
- Reject all
Now if the user is from the internal RFC 1918 network, then they should be able to access anything after /smapps/ with the only rejection being the one shown below; the following additional rules apply:
- reject /smapps/f?p=4550
- permit /smapps/*
- reject all
Again, thanks for your help.
- Mohamed_Lrhazi
Altocumulus
I am curious about what is missing from Kevin's post? Do you need help with:
- How to write and use an iRule?
- How to code "match client IP against list of subnets"?
- How to code "match request URI against list of URIs"?
- How to reject when conditions do not match?
- ...
- Kevin_Stewart
Employee
Okay, this isn't as dynamic as a data group, but should provide what you need:
    when HTTP_REQUEST {
        if { not ( [class match [IP::client_addr] equals private_net] ) } {
            # process URI filter for external users
            switch -glob [string tolower [HTTP::uri]] {
                "/i/*" -
                "/smapps/f?p=202" -
                "/smapps/f?p=cac" { return }
                "/smapps/f?p*" { reject }
                "/smapps/*" { return }
                default { reject }
            }
        } else {
            # process URI filter for internal users
            switch -glob [string tolower [HTTP::uri]] {
                "/smapps/f?p=4550" { reject }
                "/smapps/*" { return }
                default { reject }
            }
        }
    }

- Karthik_Krishn1
Cirrostratus
Thanks Kevin. I will try this and let you know if it resolved our issue. Thanks again for your help.
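The two-branch filter in Kevin's second iRule is a first-match policy, so the safest way to verify it before pushing it to the BIG-IP is to run the same pattern list against a table of client address and URI pairs. The Python model below is an added example, not code from the thread or from F5: it reproduces the ordering of Tcl's `switch -glob` with `fnmatchcase`, uses the thread's own URI patterns, and treats the three RFC 1918 ranges as the `private_net` data group. The client addresses in the sample cases are constructed. It also shows two consequences of the patterns as written: `/smapps/f?p=202` without a trailing `*` matches only that exact URI (so `/smapps/f?p=202:1` falls through to the `/smapps/f?p*` reject arm, unlike the original `/smapps/f?p=202*` requirement), and the internal branch has no `/i/*` arm, so internal requests for `/i/*` hit the default reject.

```python
"""Offline model of the external/internal URI filter from the iRule above.

Added example, not the thread's or F5's code. It mimics `switch -glob`
first-match evaluation so the allow/reject matrix can be checked offline.
"""
import ipaddress
from fnmatch import fnmatchcase

# Equivalent of the "private_net" address data group (RFC 1918 space).
PRIVATE_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# (glob pattern, decision) in the order the iRule's switch evaluates them.
# "allow" corresponds to the `return` arms, "reject" to the `reject` arms.
EXTERNAL_RULES = [
    ("/i/*", "allow"),
    ("/smapps/f?p=202", "allow"),
    ("/smapps/f?p=cac", "allow"),
    ("/smapps/f?p*", "reject"),
    ("/smapps/*", "allow"),
]
INTERNAL_RULES = [
    ("/smapps/f?p=4550", "reject"),
    ("/smapps/*", "allow"),
]


def is_private(addr: str) -> bool:
    """True when the client address falls inside any RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def first_match(uri: str, rules) -> str:
    """Return the decision of the first pattern that matches the lowercased URI.

    No match means the `default { reject }` arm, exactly as in the iRule.
    Note that `?` in a glob is a single-character wildcard, just as in Tcl.
    """
    uri = uri.lower()
    for pattern, decision in rules:
        if fnmatchcase(uri, pattern):
            return decision
    return "reject"


def decide(client_addr: str, uri: str) -> str:
    """Pick the branch by client address, then apply that branch's rule list."""
    rules = INTERNAL_RULES if is_private(client_addr) else EXTERNAL_RULES
    return first_match(uri, rules)


def decision_matrix(cases):
    """Evaluate a list of (client_addr, uri) pairs; handy for a pre-deployment check."""
    return [(addr, uri, decide(addr, uri)) for addr, uri in cases]


if __name__ == "__main__":
    # Constructed sample requests: a public test address and two private ones.
    sample = [
        ("203.0.113.5", "/i/logo.png"),
        ("203.0.113.5", "/smapps/f?p=CAC"),
        ("203.0.113.5", "/smapps/f?p=202:1"),
        ("203.0.113.5", "/smapps/f?p=4550"),
        ("10.1.2.3", "/smapps/f?p=4550"),
        ("10.1.2.3", "/smapps/f?p=9999"),
        ("192.168.1.1", "/i/logo.png"),
    ]
    for addr, uri, verdict in decision_matrix(sample):
        print(f"{addr:<15} {uri:<22} {verdict}")
```

If the trailing wildcard from the original requirement was intended, change the two exact arms to `/smapps/f?p=202*` and `/smapps/f?p=cac*`, rerun the matrix, and confirm the `/smapps/f?p=202:1` row flips to allow while `/smapps/f?p=4550` still rejects.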