Forum Discussion
Can I have a data group, with "data group" members
- Feb 02, 2024
Hi Lucas;
Thank you for your response. Just wanted to check the syntax for your suggestion though. For example, would this work? The idea is to allow the request if the URL and HTTP method match. If only the URL is a match, then deny. And if the URL is not a match, then allow everything.
ltm data group internal http_method_acls {
    records {
        /foo/bar/ {
            data "POST|CONNECT|GET|HEAD"
        }
        /abc/xyz/ {
            data "POST"
        }
    }
    type string
}

when HTTP_REQUEST {
    set uri_path_name [string tolower [URI::path [HTTP::uri]]]
    set http_method [string toupper [HTTP::method]]
    if {! [class match $uri_path_name equals http_method_acl] } {
        return
    } else {
        if {![class match $uri_path_name -value contains $http_method]} {
            reject
            return
        }
    }
}
I did a quick test and this seems to work pretty well. You'll want to use an "allow list" rather than a "block list" for security reasons.
Of course all code should be thoroughly tested before use in production. Use at your own risk.
when HTTP_REQUEST {
    set uri_path_name [string tolower [HTTP::uri] ]
    set http_method [string toupper [HTTP::method] ]
    set allowed_methods [class match -value $uri_path_name equals http_method_allowlist ]
    log local0. "Allowed methods: $allowed_methods for URI: ${uri_path_name}, this request is ${http_method}"
    if { [expr { ${allowed_methods} contains ${http_method} } ] } {
        log local0. "allow"
        return
    } else {
        log local0. "disallow"
        reject
        return
    }
}
- Grandiser, Feb 04, 2024 (Nimbostratus)
Thank you Lukas.
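An added example, not code from either poster: it combines the behaviour asked for in the question (unlisted paths pass, listed paths are limited to their recorded methods) with the `class match -value` lookup from the answer, and compares whole method tokens instead of substrings. The data group name `http_method_acls` and its `|`-separated values come from the question; keying the lookup on `HTTP::path` is an assumption about the intended match.

```tcl
# Added example (not from the thread). Assumes the string data group
# http_method_acls from the question, with values such as "POST|CONNECT|GET|HEAD".
when HTTP_REQUEST {
    # Use the path only, so a query string cannot change the lookup key.
    set uri_path [string tolower [HTTP::path]]
    set http_method [string toupper [HTTP::method]]

    # Path has no record in the data group: no method restriction applies.
    if { ![class match -- $uri_path equals http_method_acls] } {
        return
    }

    # Path is listed: fetch its record value and split it into a list of methods.
    set allowed_methods [split [class match -value -- $uri_path equals http_method_acls] "|"]

    # Compare whole tokens. A substring test would let a method such as "POS"
    # pass against a record that lists "POST".
    if { [lsearch -exact $allowed_methods $http_method] == -1 } {
        log local0. "disallow ${http_method} for ${uri_path}, allowed: ${allowed_methods}"
        reject
        return
    }
}
```

Paths without a record are allowed here because the question asks for that; for an allow list that denies by default, replace the first `return` with `reject`.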