Haroonh
Jun 20, 2020

Allowing access only to specified directories (HTTP::PATH) on hosts using IRULES

Hi Community,

I am a beginner in F5 and would like your help in achieving the following.

I would like to restrict the traffic to only the following path(s):

http://hostname.mylab.com/dir1
http://hostname.mylab.com/dir2
http://hostname.mylab.com/dir3
http://hostname.mylab.com/dir4

Could you please tell me if the following iRule will work? If not, please help me in configuring this.

when HTTP_REQUEST {
    if { (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::path] eq "/dir1"))
      or (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::path] eq "/dir2"))
      or (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::path] eq "/dir3"))
      or (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::path] eq "/dir4")) } {
        # Allowed host and path: let the request through
    } else {
        drop
    }
}

 

I really appreciate your help and support in this.

Kind Regards,

3 Replies

  • when HTTP_REQUEST {
        if { [HTTP::host] == "hostname.mylab.com" } {
            switch -- [HTTP::path] {
                "/dir1" -
                "/dir2" -
                "/dir3" -
                "/dir4" -
                default { drop }
            }
        } else {
            drop
        }
    }
    • Haroonh

      Thanks Pete for the reply and your time, really appreciate it.

      I have tried your solution but it doesn't seem to work.

      I implemented the following, which went fine.

      when HTTP_REQUEST {
          if { (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::uri] contains "/dir1"))
            or (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::uri] contains "/dir2"))
            or (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::uri] contains "/dir3"))
            or (([HTTP::host] eq "hostname.mylab.com") and ([HTTP::uri] contains "/dir4")) } {
              # Allowed host and URI: let the request through
          } else {
              drop
          }
      }

      Kind Regards,

  • Cool. I can see what I did wrong:

    when HTTP_REQUEST {
        if { [HTTP::host] == "hostname.mylab.com" } {
            switch -- [HTTP::path] {
                "/dir1" -
                "/dir2" -
                "/dir3" -
                "/dir4" { return }
                default { drop }
            }
        } else {
            drop
        }
    }

    Otherwise, you can implement yours a bit differently:

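    when HTTP_REQUEST {
      # Glob patterns for the allowed paths; string match takes the pattern first
      set urls { "/dir1*" "/dir2*" "/dir3*" }
      set allowed 0
      if { [HTTP::host] eq "hostname.mylab.com" } {
        foreach url $urls {
          if { [string match $url [HTTP::path]] } { set allowed 1; break }
        }
      }
      if { !$allowed } { drop }
    }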

    Or, if the number of URLs is likely to be large (20+), you can put them into a data group and match against that.

    You can also implement this in an LTM policy which would be more performant.

    When testing this sort of thing, it is a good idea to run a range of tests for different URLs and formats to check that it works as expected; it is easy to find a corner case.
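
An added example, not part of the thread or any poster's code: plain-Tcl models (for tclsh, not BIG-IP) of the three checks discussed above, run over constructed test URIs in the way the last reply suggests. The proc names and the stricter `allow_subtree` rule are hypothetical, and the iRule `contains` operator is modelled here as a substring search.

```tcl
# Plain-Tcl models of the checks in this thread (run with tclsh, not on BIG-IP).
set dirs {/dir1 /dir2 /dir3 /dir4}

# Path part of a URI, i.e. what [HTTP::path] returns: everything before "?".
proc path_of {uri} {
    set q [string first "?" $uri]
    if {$q < 0} { return $uri }
    return [string range $uri 0 [expr {$q - 1}]]
}

# Exact match on the path (the switch version).
proc allow_exact {uri dirs} {
    return [expr {[lsearch -exact $dirs [path_of $uri]] >= 0}]
}

# Substring match on the whole URI (the "contains" version).
proc allow_contains {uri dirs} {
    foreach d $dirs {
        if {[string first $d $uri] >= 0} { return 1 }
    }
    return 0
}

# Glob match on the path against "/dirN*".
proc allow_glob {uri dirs} {
    foreach d $dirs {
        if {[string match "${d}*" [path_of $uri]]} { return 1 }
    }
    return 0
}

# Hypothetical stricter rule: the directory itself or anything below it.
proc allow_subtree {uri dirs} {
    set p [path_of $uri]
    foreach d $dirs {
        if {$p eq $d || [string match "${d}/*" $p]} { return 1 }
    }
    return 0
}

# Constructed test URIs; 1 = request allowed, 0 = dropped.
set cases {/dir1 /dir1/ /dir1/index.html /dir10/x /other/dir1 /other?next=/dir1 /dir5}
puts [format "%-22s %-6s %-9s %-5s %-7s" URI exact contains glob subtree]
foreach u $cases {
    puts [format "%-22s %-6s %-9s %-5s %-7s" $u \
        [allow_exact $u $dirs] [allow_contains $u $dirs] \
        [allow_glob $u $dirs] [allow_subtree $u $dirs]]
}
```

On these inputs the substring check also allows `/other/dir1` and `/other?next=/dir1`, and both it and the glob allow `/dir10/x`, while the exact match drops `/dir1/` and `/dir1/index.html`.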