Forum Discussion
mguned_60772
Nimbostratus
Sep 09, 2011
Block URI from Internet
Hello,
Is it possible to block a specific URI from the Internet? Example, if http://abc.com is Internet facing... would it be possible to block only http://abc.com/xyz and allow any other URI? The other question is ... would it then also be possible to allow http://abc.com/xyz to our Internal customers?
Thanks in advance for any information... it is much appreciated!
Best Regards,
Eddie
5 Replies
- Michael_Yates
Nimbostratus
Hi mguned,
Sure you can do that. This example just redirects the request back to the root directory, but you could drop the request or return a sorry page or anything you want when the event is triggered.
    when HTTP_REQUEST {
        # Send any request whose URI starts with /xyz back to the site root (host without port)
        if { [HTTP::uri] starts_with "/xyz" } {
            HTTP::redirect "http://[getfield [HTTP::host] ":" 1]/"
        }
    }
- Michael_Yates
Nimbostratus
The second part of your question is a little more tricky. How are you going to distinguish between Internal and External Users?
You could do it based on the incoming Client IP Address, but it would require that you build a list of subnets to compare against. For this I would suggest using a Data Group.
If you need help with that just let us know.
- mguned_60772
Nimbostratus
Thanks for the info! Maybe I can just block the URI from the Internet as suggested above and then create an Internal DNS entry that would point the Internal user directly to the Internal VIP? Then could we add a single subnet to the list of allowed users?
- mguned_60772
Nimbostratus
Regarding the second part...
Is there a way to use the iRule mentioned above and add a single IP for access?
Thanks!
-Eddie
- Michael_Yates
Nimbostratus
You could do that.
But if you wanted to do it all in the same place you could do something like this:
Create a Data Group "AllowedSubnets" that contains the subnets / IP Addresses that you want to be allowed to access this location.
Then create an iRule like this (This iRule uses "class match", which is a v10.x.x method. If you have v9.x.x you can use "matchclass" and access the datagroup as "$::AllowedSubnets" instead of "AllowedSubnets"):
    when HTTP_REQUEST {
        # Redirect only when the URI starts with /xyz AND the client IP is not in AllowedSubnets
        if { ([HTTP::uri] starts_with "/xyz") and !([class match [IP::remote_addr] equals AllowedSubnets]) } {
            HTTP::redirect "http://[getfield [HTTP::host] ":" 1]/"
        }
    }
This logic requires two parts. The URI must start with "/xyz" and the Client IP Address is not in the allowed list. Then they will be redirected.
If the URI does not match or if the URI does match and the Client IP Address is in the allowed list, then the traffic will flow through normally without being redirected.
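An added example, not part of the thread and not F5 code: a Python model of the two-part decision described in the last reply, useful for checking an allow-list against sample requests before the iRule is deployed. The subnet entries, client addresses and the `normalize` option (which compares the percent-decoded, lower-cased path rather than the raw URI) are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed stand-in for the "AllowedSubnets" data group: one subnet, one single host.
ALLOWED_SUBNETS = ["10.0.0.0/8", "192.0.2.25"]
BLOCKED_PREFIX = "/xyz"


def load_allowed(entries):
    """Parse data-group style entries; a bare IP becomes a single-host network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def client_allowed(client_ip, networks):
    """Model of: class match [IP::remote_addr] equals AllowedSubnets."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def decide(client_ip, host, uri, networks, normalize=False):
    """Return the redirect target, or None when the request passes through.

    normalize=False compares the raw URI, as the iRule in the thread does.
    normalize=True compares the percent-decoded, lower-cased path instead
    (an assumption added here, not something the thread's rule does).
    """
    subject = unquote(urlsplit(uri).path).lower() if normalize else uri
    if subject.startswith(BLOCKED_PREFIX) and not client_allowed(client_ip, networks):
        # Same target as: HTTP::redirect "http://[getfield [HTTP::host] ":" 1]/"
        return "http://%s/" % host.split(":", 1)[0]
    return None


# Constructed sample requests: (client IP, Host header, URI).
SAMPLE_REQUESTS = [
    ("203.0.113.7", "abc.com", "/xyz/report"),       # outside client, blocked URI
    ("203.0.113.7", "abc.com:8080", "/index.html"),  # outside client, other URI
    ("10.1.2.3", "abc.com", "/xyz/report"),          # client inside allowed subnet
    ("192.0.2.25", "abc.com", "/xyz"),               # the single allowed IP
]


def audit(requests, entries=ALLOWED_SUBNETS, normalize=False):
    """Return (client, uri, decision) for every request in the list."""
    nets = load_allowed(entries)
    return [(ip, uri, decide(ip, host, uri, nets, normalize)) for ip, host, uri in requests]


if __name__ == "__main__":
    for row in audit(SAMPLE_REQUESTS):
        print(row)
```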
