
Forum Discussion

computerli
Dec 11, 2018

Block specific URI

I am trying to block a URI using an iRule. I want to block only the URIs listed in my uri-notallowed_data_group which do not match the network_allowed_data_group.

I created two data groups:

uri-notallowed_data_group

    /abc/login?returnurl=/abc
    /abc/
    /abc

network_allowed_data_group

    192.168.0.0/16

iRule

    when HTTP_REQUEST {
        # Drop the request when the lower-cased URI is listed and the client is not in an allowed network
        if {[class match [string tolower [HTTP::uri]] equals uri-notallowed_data_group] and not [class match [IP::client_addr] equals network_allowed_data_group]} {
            log local0. "Dropped Connection [HTTP::uri]"
            drop
        }
    }

The iRule is blocking /abc/ and /abc, and it blocks if the URI is entered in lower case.

The issue is that the page loads if the address has capital letters, e.g. https://www.xyz.com/Abc/Login?ReturnUrl=/Abc

Any idea why the URI is not being converted to lower case even though I am using string tolower [HTTP::uri]?

1 Reply

  • For simplicity I tested your iRule without the IP address check, and in my environment on v13.1.1.2 it works fine. I logged not only the URI, but also how it got converted.

    This is the iRule:

    when HTTP_REQUEST {
        if {[class match [string tolower [HTTP::uri]] equals uri-notallowed_data_group]} {
            log local0. "Rejected Connection [HTTP::uri], converted [string tolower [HTTP::uri]]"
            reject
        }
    }
    

    And this is the outcome in /var/log/ltm:

    Dec 11 17:54:57 f5-c info tmm3[11373]: Rule /Common/irule_uriblock : Rejected Connection /ABC/login?returnurl=/abc, converted /abc/login?returnurl=/abc
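
A diagnostic variant of the rule, added here as an example and not written by either poster: it restores the client-network check that the reply left out and logs each half of the condition separately, so /var/log/ltm shows which test decides the outcome. The variable names are illustrative; the data group names are the ones from the question.

```tcl
when HTTP_REQUEST {
    # Normalise once so the log shows exactly what is compared with the data group.
    # HTTP::uri includes the query string, so an "equals" match only succeeds
    # when the whole lower-cased string is identical to a data group entry.
    set raw_uri    [HTTP::uri]
    set lower_uri  [string tolower $raw_uri]
    set lower_path [string tolower [HTTP::path]]
    set client_ip  [IP::client_addr]

    # Evaluate the two halves of the original condition on their own.
    # class match returns 1 on a match and 0 otherwise.
    set uri_listed [class match $lower_uri equals uri-notallowed_data_group]
    set ip_allowed [class match $client_ip equals network_allowed_data_group]

    log local0. "client=$client_ip uri=$raw_uri lower=$lower_uri path=$lower_path uri_listed=$uri_listed ip_allowed=$ip_allowed"

    # Same decision as the rule in the question: block listed URIs
    # unless the client address is inside an allowed network.
    if { $uri_listed && !$ip_allowed } {
        log local0. "Dropped Connection $raw_uri"
        drop
    }
}
```

A request that logs uri_listed=1 together with ip_allowed=1 is let through by design, whatever the case of the URI.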