Forum Discussion

Wire
Apr 12, 2011

Can you restrict a file type to a URL in ASM?

Hi,

Is there a way without an iRule to restrict certain file types to certain URLs in ASM v 10.2.0 HF1?

I want to restrict requests for static content such as css, png, jpg, pdf to the /images/ URI.

I had a look at flows (which I hardly ever use) but this doesn't seem to be possible there either.

Thanks

  • Hi Wire,

    Here are a couple of (untested) options I can think of:

    1. Create an attack signature that matches the URI and blocks anything that starts with /images/ that doesn't end with your list of static file types. Here's a regex which matches the patterns you want to allow:

    ^/images/.*\.(jpg|gif|css)$

    So if you can negate this, it should work to block anything that doesn't start with /images/ and end with a static file type:

    http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_config_10/asm_apx_attack_sig_syntax.html

    Using the not character (!) with keyword and pcre rule options

    You can use the optional not character (!) before the keyword and pcre rule options. This specifies that the rule is only matched if the specified option is not matched. Refer to Syntax for attack signature rules, for more details on the use of this modifier.

    2. Create another HTTP class which matches on URIs starting with /images/. In that new policy, only define the static filetypes you want to allow.

    Aaron
  • Actually, the regex for 1 will block everything else that's not in images. I need to work on that a bit :). The concept is that you want to build a regex which matches a string starting with /images/ that does not end with a static filetype. Once you figure that out, you can create an attack signature which is applied to URIs. I'll try to test this more to get it working. Else, if you figure it out, please reply back.

    Thanks, Aaron
  • Tom_Spector_50
    Historic F5 Account
    Another (untested) option is to create wildcard objects for these types and restrict based on the illegal object violation.

    Use /images/*.jpg and /images/*.gif and then have wildcards /*.jpg and /*.gif (ordered after the /images/ ones) so that it disallows all characters causing any other match to fail.

    Thanks,

    Tom.
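
Added example, not part of any post in this thread: the two restrictions discussed above, written as regexes with negative lookahead and run over constructed sample URIs. It uses Python's re module as a stand-in for a PCRE engine and is not ASM attack-signature syntax; the extension list, rule names and sample URIs are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the union of the static types named in the thread.
STATIC_EXT = r"\.(?:css|png|jpg|gif|pdf)"

# Starts with /images/ but does not end in a static type. The negative
# lookahead negates only the extension check, so URIs outside /images/
# are left alone (negating the whole allow-regex would flag them all).
NON_STATIC_UNDER_IMAGES = re.compile(rf"^/images/(?!.*{STATIC_EXT}$)", re.I)

# Ends in a static type but does not start with /images/ (the restriction
# asked for in the original question).
STATIC_OUTSIDE_IMAGES = re.compile(rf"^(?!/images/).*{STATIC_EXT}$", re.I)

RULES = [
    ("non-static under /images/", NON_STATIC_UNDER_IMAGES),
    ("static outside /images/", STATIC_OUTSIDE_IMAGES),
]


def check_uri(uri):
    """Return the names of the rules that the URI's path violates."""
    path = urlsplit(uri).path  # rules apply to the path, not the query string
    return [name for name, rx in RULES if rx.search(path)]


if __name__ == "__main__":
    # Constructed sample URIs, not taken from any real application.
    samples = [
        "/images/logo.png",
        "/images/logo.PNG?v=2",
        "/images/index.php",
        "/images/a.jpg.php",
        "/images/",
        "/css/site.css",
        "/index.php?file=a.jpg",
    ]
    for uri in samples:
        hits = check_uri(uri)
        print(f"{uri:28} {'BLOCK: ' + ', '.join(hits) if hits else 'allow'}")
```

A bare directory request such as /images/ is flagged by the first rule because it has no static extension; whether that is wanted depends on the application.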