Forum Discussion

Nimbostratus

Mar 22, 2016

Best way to deny access to URL

I have VIP Dallas. This VIP has a pool member of 10.1.1.1. I have another VIP NY. This VIP has pool member 10.2.1.1. VIP NY has 2 uri: NYC and Albany. On server 10.1.1.1, there are 2 links: https://n...

Historic F5 Account

Mar 22, 2016

Assuming all the links in those applications are prefaced with those uris:

when HTTP_REQUEST {
  if { !(([string tolower [HTTP::uri]] starts_with '/nyc') || ([string tolower [HTTP::uri]] starts_with '/albany')) } {
    HTTP::respond 403
  }
}

EastCoast_16835

Altostratus

Mar 22, 2016

I would recommend to be careful when using iRules for security purposes like URL authorization. If URL parts are encoded this rule can be easily bypassed. You would need either to decode the URL properly (may require multiple rounds) or to use ASM signatures that do perform this decoding automatically. UPDATE: I think there is also a possibility to use ASM "Allowed URL" feature with the action "Block". Not sure whether it does URL decoding though.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)