Forum Discussion
Create iRule to prevent external users from hitting directories
Try this iRule:
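when HTTP_REQUEST {
    # Value stored for the client address in internal_network_dg ("a" = allowed); empty if no match
    set net_code [class match -value -- [IP::client_addr] equals internal_network_dg]
    # Value stored for a private URL fragment found in the lowercased path ("p" = private); empty if no match
    set app_path [class match -value -- [string tolower [HTTP::path]] contains [string tolower private_urls_dg]]
    # Private path requested from a non-internal address: answer 404
    if {$app_path eq "p" and $net_code ne "a"} {
        HTTP::respond 404 content "
404 Not Found
"
    }
}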
You will need to create 2 datagroups:
internal_network_dg is used to track your internal IP addresses.
private_urls_dg is used to track your private URLs.
internal_network_dg needs to be datagroup type "address" where you list the allowed addresses like 10.0.0.0/8 and an entry of a to tell the iRule that they are allowed.
private_urls_dg needs to be a datagroup type string with the private URL or a unique portion of it (/admin/) and an indicator of p to tell the iRule that it's private. You can change the values to anything that you choose as long as you change them in the rule and the datagroups.
I got this from Kevin quite a while ago so thanks to him!
The iRule that I posted strings everything to lower case. iRules are case sensitive so an entry of /PP/:=a would not match on the iRule that I posted and wouldn't be blocked. If you use my rule then all entries to the datagroups need to be in lower case.
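The lowercase requirement described above can be checked offline before the datagroups are loaded. The following is an added example, not part of the original post and not F5 code: a simplified Python model of the rule's two `class match -value` lookups, with constructed sample datagroup contents and hypothetical function names.

```python
# Added example: offline model of the iRule's decision, not F5 code.
import ipaddress

# Constructed sample datagroups (key -> value), shaped as the post describes them.
INTERNAL_NETWORK_DG = {"10.0.0.0/8": "a"}
PRIVATE_URLS_DG = {"/admin/": "p", "/PP/": "p"}  # "/PP/" is the mistake to catch


def match_address(client_ip, dg):
    """Model of `class match -value <ip> equals <address dg>`; "" when nothing matches."""
    addr = ipaddress.ip_address(client_ip)
    for cidr, value in dg.items():
        if addr in ipaddress.ip_network(cidr):
            return value
    return ""


def match_contains(path, dg):
    """Model of `class match -value [string tolower <path>] contains <string dg>`."""
    lowered = path.lower()
    for key, value in dg.items():
        if key in lowered:  # comparison is case sensitive, as in the iRule
            return value
    return ""


def is_blocked(client_ip, path, net_dg=INTERNAL_NETWORK_DG, url_dg=PRIVATE_URLS_DG):
    """True when the rule would answer 404: private path and not an internal address."""
    return match_contains(path, url_dg) == "p" and match_address(client_ip, net_dg) != "a"


def unreachable_entries(url_dg):
    """Datagroup keys that can never match because the path is lowercased first."""
    return [key for key in url_dg if key != key.lower()]


if __name__ == "__main__":
    samples = [("203.0.113.7", "/Admin/login"),  # constructed requests
               ("10.1.2.3", "/admin/login"),
               ("203.0.113.7", "/PP/report")]
    for ip, path in samples:
        print(ip, path, "404" if is_blocked(ip, path) else "allowed")
    print("entries to fix:", unreachable_entries(PRIVATE_URLS_DG))
```

Any key reported by `unreachable_entries` should be rewritten in lower case in private_urls_dg before relying on the rule.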