Forum Discussion
drop incoming http requests to URI if external IP
Hi Guys
New to i-rules so would appreciate some pointers.
I have a situation where we have a pool of application servers that serve both private and public content (URIs). This pool is shared between virtual servers (which ultimately are private or publicly available). However, due to the shared nature of the pool, the situation exists where a crafted attack on the public virtual server could get access to a private URI on the pool members. In order to prevent this situation I need to configure some iRules on the virtual server that drop requests if they are going to a private URI from a public (external) IP. At the same time, access to public URIs from public (external) IPs still needs to be available.
So far I have the following, but I'm looking for advice on whether I'm on the right lines:
when HTTP_REQUEST {
    if { [HTTP::host] equals "www.website.com" and [HTTP::uri] equals "/somethingspecific/index.html" and [matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses] } {
        pool poolofallowedservers
    } else {
        drop
    }
}
Thanks
7 Replies
- david0512_20548
Nimbostratus
Sorry guys... formatting went to pot... here's the iRule:
when HTTP_REQUEST {
    if { [HTTP::host] equals "www.website.com" and [HTTP::uri] equals "/somethingspecific/index.html" and [matchclass [IP::remote_addr] equals $::PoolOfAllowedAddresses] } {
        pool poolofallowedservers
    } else {
        drop
    }
}
- Philippe_CLOUP
Employee
Hi David, if you are using a version prior to 11.4, you can use HTTP CLASSES, where you can deny everything except the HOST and URI. In version 11.4 and after, CPM (Central Policy Matching) can be used for this.
But if you want to stay with an iRule approach, your iRule looks okay, except that you need to use a compliant call for the DATAGROUP you are using (if not, you will demote CMP). Instead of $::Pool... you need to use the DATAGROUP name directly: PoolOfAllowedAddresses
I would also recommend using the "string tolower" command, to avoid some lowercase/uppercase issues.
What do you want to do if multiple requests are carried by the same connection? In the else, I think that the "HTTP::respond" command would have been better.
If the HTML page you are allowing is composed of multiple objects (images, ...), then you will have to allow them also.
- Kevin_Stewart
Employee
Would it also make sense to just evaluate the URI and the client address?
when HTTP_REQUEST {
    if { ( [string tolower [HTTP::uri]] starts_with "/somethingspecific" ) and not ( [class match [IP::client_addr] equals PoolOfAllowedAddresses] ) } {
        # either silently drop the connection...
        drop
        # ...or answer the request explicitly instead:
        # HTTP::respond 200 content "Not allowed HTML content"
    }
}
- david0512_20548
Nimbostratus
Great, thanks guys.... that's given me some pointers.... evaluating the URL and client address seems the sensible way forward. With regards to the class match and matching a data group, can I instead just define the addresses in the iRule itself... for example:
( [class match [IP::client_addr] equals 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16] )}
- Kevin_Stewart
Employee
With regards to the class match and matching a datagroup can i instead just define the addresses in the i-rule itself
You can, but your evaluation will get a little complex with more than two IPs/subnets. Example:
if { ( [IP::addr [IP::client_addr] equals 10.0.0.0/8] ) or ( [IP::addr [IP::client_addr] equals 172.16.0.0/12] ) or ( [IP::addr [IP::client_addr] equals 192.168.0.0/16] ) }
where [IP::addr ] is the Boolean operator you would use to evaluate IP addresses in an if clause.
- david0512_20548
Nimbostratus
Thanks Kevin.... data groups are the way to go then.
- Kevin_Stewart
Employee
I'd also add that if you're just defining RFC 1918 addresses in your data group, the BIG-IP already comes with one called "private_net".
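Pulling the replies together, here is one way the finished iRule could look. This is an added example, not code posted by anyone in the thread; it assumes a string data group named private_uris that lists the private URI prefixes (e.g. "/somethingspecific/"), and it uses the built-in private_net address data group mentioned above.

```tcl
# Added example (not from the thread). Assumes a string data group named
# "private_uris" containing lowercase URI prefixes that are private, e.g.
# "/somethingspecific/". "private_net" is the built-in RFC 1918 data group.
when HTTP_REQUEST {
    # Normalise case once so "/SomethingSpecific/" cannot slip past the prefix check
    set uri [string tolower [HTTP::uri]]

    # Referencing the data group by name (not $::name) keeps the rule CMP-compatible.
    # A prefix match also covers the images and other objects under the same path.
    if { [class match $uri starts_with private_uris] } {
        # Private URI: only clients on RFC 1918 space may reach it
        if { [class match [IP::client_addr] equals private_net] } {
            pool poolofallowedservers
        } else {
            # Record the attempt for monitoring (constructed log message)
            log local0. "Blocked external client [IP::client_addr] from private URI $uri"
            # HTTP::respond rejects only this request; "drop" would tear down the
            # whole TCP connection, including later requests on a keep-alive connection.
            HTTP::respond 403 content "Forbidden"
        }
    }
    # Public URIs fall through to the virtual server's default pool
}
```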