Create iRule to prevent external users from hitting directories
Hello all.
I am new to iRules and I am not sure how to test what I've done so far without impacting production so I thought I'd ask here first to review my logic.
Logic: create an iRule to disable some sub-directories from external IPs.
Sub-directory examples: /aws/, /PP/
What I've come up with:
Comment - subDir is defined in the GUI under Data Groups
when HTTP_REQUEST {
    # subDir is an address-independent string data group; private_net is an address data group
    # (the original had a stray extra bracket around [HTTP::uri], which is a Tcl syntax error)
    if { (![class match [IP::remote_addr] equals private_net]) and [class match [HTTP::uri] equals subDir] } {
        drop
    }
}
I am thinking that I should use "equals" and probably use "contains". Thoughts?
- M451_315544
Cirrus
2nd attempt.
when HTTP_REQUEST {
    # Address data groups are matched with "equals" (subnet-aware); "contains" applies to string data groups
    # (the stray extra bracket around [HTTP::uri] from the original has been removed)
    if { (![class match [IP::remote_addr] equals private_net]) and [class match [HTTP::uri] contains subdir] } {
        drop
    }
}
- jcline_41716
Nimbostratus
Try this irule:
when HTTP_REQUEST {
    # "a" when the client address falls inside an internal_network_dg subnet, "" otherwise
    set net_code [class match -value -- [IP::client_addr] equals internal_network_dg]
    # "p" when the lower-cased request path contains a private_urls_dg entry, "" otherwise
    # (string tolower here only lower-cases the data group name, not its entries,
    # so the entries themselves must be stored in lower case)
    set app_path [class match -value -- [string tolower [HTTP::path]] contains [string tolower private_urls_dg]]
    if { $app_path eq "p" and $net_code ne "a" } {
        HTTP::respond 404 content "404 Not Found"
    }
}
You will need to create 2 datagroups: internal_network_dg is used to track your internal IP addresses, and private_urls_dg is used to track your private URLs.
internal_network_dg needs to be datagroup type "address", where you list the allowed addresses like 10.0.0.0/8 with an entry of "a" to tell the irule that they are allowed.
private_urls_dg needs to be datagroup type "string", with the private URL or a unique portion of it (e.g. /admin/) and an indicator of "p" to tell the irule that it's private. You can change the values to anything that you choose, as long as you change them in the rule and the datagroups.
I got this from Kevin quite a while ago so thanks to him!
- M451_315544
Cirrus
"an indicator of p to tell the irule that it's private"
Thanks! I do not get this part though. What is an indicator of "p"?
- jcline_41716
Nimbostratus
This iRule is looking for a value of "p" in the private_urls_dg data group list that you will create for it.
- jcline_41716
Nimbostratus
The iRule that I posted converts everything to lower case. iRules are case sensitive, so an entry of /PP/:=a would not match the iRule that I posted and wouldn't be blocked. If you use my rule, then all entries in the datagroups need to be in lower case.
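The original poster's worry was testing the rule logic without touching production. The following is an added example, not code from the thread or from F5: a small Python model of the two data groups and of the decision the posted iRule makes, so the allow/block outcome for a table of sample requests can be checked offline before the rule is deployed. Data group entries, client addresses and paths are all constructed, and the helper names (class_match_address, class_match_contains, decide, run_table) are assumptions for this example. It also shows the case-sensitivity pitfall from the last answer: with the lower-casing step removed, an external request for /PP/ is no longer caught.

```python
import ipaddress

# Constructed stand-ins for the two BIG-IP data groups described in the thread
# (hypothetical entries; the real ones live in the GUI under Data Groups).
# internal_network_dg is an "address" data group: the value "a" marks an
# allowed (internal) network.
INTERNAL_NETWORK_DG = {
    "10.0.0.0/8": "a",
    "192.168.0.0/16": "a",
}
# private_urls_dg is a "string" data group: the value "p" marks a private
# path fragment. Entries are stored in lower case, as the answer requires.
PRIVATE_URLS_DG = {
    "/aws/": "p",
    "/pp/": "p",
    "/admin/": "p",
}


def class_match_address(client_ip, dg):
    """Model of 'class match -value [IP::client_addr] equals <address dg>':
    return the value of the first subnet that contains the client, else ''."""
    addr = ipaddress.ip_address(client_ip)
    for net, value in dg.items():
        if addr in ipaddress.ip_network(net, strict=False):
            return value
    return ""


def class_match_contains(item, dg):
    """Model of 'class match -value <item> contains <string dg>':
    return the value of the first entry that is a substring of item, else ''.
    Like the BIG-IP, the comparison is case-sensitive."""
    for entry, value in dg.items():
        if entry in item:
            return value
    return ""


def decide(client_ip, path, lowercase_path=True):
    """Apply the posted iRule's decision: 'block' when a client outside the
    internal networks requests a private path, otherwise 'allow'.
    lowercase_path=False shows the effect of dropping [string tolower ...]."""
    net_code = class_match_address(client_ip, INTERNAL_NETWORK_DG)
    candidate = path.lower() if lowercase_path else path
    app_path = class_match_contains(candidate, PRIVATE_URLS_DG)
    if app_path == "p" and net_code != "a":
        return "block"
    return "allow"


def run_table(cases):
    """Evaluate (client_ip, path, expected) tuples and return the mismatches;
    an empty list means the rule logic behaves as intended for every case."""
    failures = []
    for client_ip, path, expected in cases:
        got = decide(client_ip, path)
        if got != expected:
            failures.append((client_ip, path, expected, got))
    return failures


if __name__ == "__main__":
    # Constructed sample requests; RFC 5737 documentation addresses stand in for "external".
    SAMPLE_CASES = [
        ("203.0.113.5", "/aws/credentials", "block"),
        ("10.20.30.40", "/aws/credentials", "allow"),
        ("203.0.113.5", "/PP/report", "block"),  # mixed case is still caught
        ("198.51.100.9", "/public/index.html", "allow"),
        ("192.168.1.7", "/admin/", "allow"),
    ]
    problems = run_table(SAMPLE_CASES)
    print("all cases as expected" if not problems else problems)
    # Without the lower-casing step the same external request for /PP/ is allowed.
    print("/PP/ without tolower:", decide("203.0.113.5", "/PP/report", lowercase_path=False))
```

The model mirrors only the substring check the iRule performs on [HTTP::path]; whatever normalisation the BIG-IP applies to the path before the rule runs is outside it, so the table is a check of the data group entries and the boolean logic, not a substitute for a test virtual server.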