Forum Discussion

Grandiser's avatar
Grandiser
Icon for Nimbostratus rankNimbostratus
Jan 31, 2024
Solved

Can I have a data group, with "data group" members

Hi; I am trying to have an i-rule that checks for URLs in a data group, then based on the URL value it allows certain methods.    For example, the URL path /abc/xyz/ can have GET and POST. However...
iRules
security
  • Lucas_Thompson's avatar
    Lucas_Thompson
    Feb 02, 2024

    I did a quick test and this seems to work pretty well. You'll want to use an "allow list" rather than a "block list" for security reasons.

    Of course all code should be thoroughly tested before use in production. Use at your own risk.

     

    when HTTP_REQUEST {
  set uri_path_name [string tolower [HTTP::uri] ]
  set http_method [string toupper [HTTP::method] ]
  set allowed_methods [class match -value $uri_path_name equals http_method_allowlist ]
  log local0. "Allowed methods: $allowed_methods for URI: ${uri_path_name}, this request is ${http_method}"
  if { [expr { ${allowed_methods} contains ${http_method} } ] } {
    log local0. "allow"
    return
  } else {
    log local0. "disallow"
    reject
    return
  }   
}

     

Grandiser's avatar
Grandiser
Icon for Nimbostratus rankNimbostratus

Hi Lucas;

 

Thank you for your response. Just wanted to check the syntax for your suggestion though. For example, would this work? The idea is to allow the request if the URL and HTTP method match. If only the URL is a match then deny. and if the URL is not a match then allow everything.

ltm data group internal http_method_acls {
    records {
        /foo/bar/ {
            data "POST|CONNECT|GET|HEAD"
        }
        /abc/xyz/ {
            data "POST"
        }
    }
    type string
}
when HTTP_REQUEST {
    set uri_path_name [string tolower [URI::path [HTTP::uri]]]
    set http_method [string toupper [HTTP::method]]
    if {! [class match $uri_path_name equals http_method_acl] } {
        return
    } else {
        if {![class match $uri_path_name -value contains $http_method]} {
            reject
            return
        }   
    }
}

 

 

Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee
Feb 02, 2024

I did a quick test and this seems to work pretty well. You'll want to use an "allow list" rather than a "block list" for security reasons.

Of course all code should be thoroughly tested before use in production. Use at your own risk.

 

when HTTP_REQUEST {
  set uri_path_name [string tolower [HTTP::uri] ]
  set http_method [string toupper [HTTP::method] ]
  set allowed_methods [class match -value $uri_path_name equals http_method_allowlist ]
  log local0. "Allowed methods: $allowed_methods for URI: ${uri_path_name}, this request is ${http_method}"
  if { [expr { ${allowed_methods} contains ${http_method} } ] } {
    log local0. "allow"
    return
  } else {
    log local0. "disallow"
    reject
    return
  }   
}

 

  • Grandiser's avatar
    Grandiser
    Icon for Nimbostratus rankNimbostratus
    Feb 04, 2024

    Thank you Lukas.