Forum Discussion
jtalkington_476
Nimbostratus
Sep 02, 2010
Apache migration to iRule
Been handed the following from Apache to migrate to an iRule:
Only allow access to files in the following specific directories. The '[^/]+$' on
the end of each entry prevents any subdirectories of that directory from being
implicitly allowed.
RewriteCond %{REQUEST_URI} !^/[^/]*$
RewriteCond %{REQUEST_URI} !^/curriculum_images/[^/]+$
RewriteCond %{REQUEST_URI} !^/images/[^/]+$
RewriteCond %{REQUEST_URI} !^/img/[^/]+$
RewriteCond %{REQUEST_URI} !^/img/articles/[^/]+$
RewriteCond %{REQUEST_URI} !^/img/dhs/[^/]+$
RewriteCond %{REQUEST_URI} !^/img/FNF/[^/]+$
RewriteCond %{REQUEST_URI} !^/img/FNF/cis/[^/]+$
RewriteCond %{REQUEST_URI} !^/img/FNF/compliance/[^/]+$
RewriteCond %{REQUEST_URI} !^/img/icons/[^/]+$
RewriteCond %{REQUEST_URI} !^/img/icons2/[^/]+$
RewriteCond %{REQUEST_URI} !^/img/wiki_up/cis.fnf.com/[^/]+$
RewriteCond %{REQUEST_URI} !^/lib/[^/]+$
RewriteCond %{REQUEST_URI} !^/lib/Galaxia/img/icons/[^/]+$
RewriteCond %{REQUEST_URI} !^/styles/[^/]+$
Need to allow arbitrary subdirectory trees under '/training'.
RewriteCond %{REQUEST_URI} !^/training/
Deny anything that didn't match the above.
RewriteRule .* /proxy_denied.txt [L]
Also specifically deny access to https://cis.fnf.com/tiki-index.php?page=AdminPage
(or variations).
RewriteCond %{QUERY_STRING} AdminPage
RewriteRule .* /proxy_denied.txt [L]
And specifically deny access to scripts containing 'admin' anywhere in the name.
RewriteRule admin.*\.php$ /proxy_denied.txt [L]
And finally, block requests containing strange characters in the script name
portion (we should probably be checking the query string portion too, but we would
need to be very careful about the allowed character set, which would be
broader than this list).
RewriteRule [^-A-Za-z0-9_/.()\ ] /proxy_denied.txt [L]
I've created most of the rule, but this last part is giving me problems. Not sure how to write this to allow only A-Za-z0-9_/.()\ and deny everything else. Any suggestions?
The rules for compliance.fnf.com are the same except without these two lines:
RewriteCond %{REQUEST_URI} !^/img/dhs/[^/]+$
RewriteCond %{REQUEST_URI} !^/img/wiki_up/cis.fnf.com/[^/]+$
- Hamish
Cirrocumulus
Assuming I'm not misunderstanding your question, you could use a regular expression in an if statement, e.g.
if { [HTTP::uri] matches_regex {[^-A-Za-z0-9_/.()\]} } { HTTP::redirect "/proxy_denied.txt" }
- jtalkington_476
Nimbostratus
I tried this; the syntax APPEARS to be OK, but it doesn't seem to hit the statement when I enter special characters.
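
An added example, not code from any poster in this thread: one way to express the complete Apache rule set for cis.fnf.com as a single iRule. It assumes the checks run against `HTTP::path` rather than `HTTP::uri`, and that a denied request is rewritten to `/proxy_denied.txt` as the Apache rules do.

```tcl
when HTTP_REQUEST {
    # Test the path only. [HTTP::uri] includes the query string, so its
    # "?", "=" and "&" would always fail the character check below.
    set path [HTTP::path]
    set deny 0

    if { $path matches_regex {[^-A-Za-z0-9_/.() ]} } {
        # A character outside the allowed set. The hyphen comes first so it is
        # literal. Apache's "\ " becomes a plain space: the backslash was only
        # there because Apache splits arguments on whitespace, and in Tcl a
        # backslash directly before "]" would make that bracket a literal.
        set deny 1
    } elseif { [HTTP::query] contains "AdminPage" } {
        set deny 1
    } elseif { $path matches_regex {admin.*\.php$} } {
        set deny 1
    } else {
        # Directory allow-list; the trailing "[^/]+$" keeps subdirectories out.
        switch -regexp -- $path {
            {^/[^/]*$} -
            {^/curriculum_images/[^/]+$} -
            {^/images/[^/]+$} -
            {^/img/[^/]+$} -
            {^/img/articles/[^/]+$} -
            {^/img/dhs/[^/]+$} -
            {^/img/FNF/[^/]+$} -
            {^/img/FNF/cis/[^/]+$} -
            {^/img/FNF/compliance/[^/]+$} -
            {^/img/icons/[^/]+$} -
            {^/img/icons2/[^/]+$} -
            {^/img/wiki_up/cis.fnf.com/[^/]+$} -
            {^/lib/[^/]+$} -
            {^/lib/Galaxia/img/icons/[^/]+$} -
            {^/styles/[^/]+$} -
            {^/training/} { }
            default { set deny 1 }
        }
    }

    if { $deny } {
        # Rewrite the request sent to the pool, mirroring the Apache rewrite.
        HTTP::uri "/proxy_denied.txt"
    }
}
```

`HTTP::path` is not URL-decoded, so a percent-encoded character is denied by the character check because `%` is outside the allowed set. For compliance.fnf.com, remove the `/img/dhs/` and `/img/wiki_up/cis.fnf.com/` patterns.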