Forum Discussion
tnastars_92934
Nimbostratus
NimbostratusHelp With IRule to limit access via an address data group
Hello,
I have created the below iRule. I am trying to limit access to a URL based on a specific URI, but allow all traffic to any other URI going to the virtual server. My main question is how to I specify what pool of address to send the traffic to? I think this will work if I can leave a default Pool on the virtual server as well as an iRule. Is that possible? If not is there code I can add to my iRule to specify the pool I wish to send traffic to?
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/Foo/"} {
if { not [matchclass [IP::client_addr] equals $::Foo_IPs] } {
HTTP::respond 403 content "403 - Forbidden" }
}
}
hoolioCirrostratus
If you don't specify a pool for any case in the iRule, the VIP's default pool will be used for requests you don't send a response to from the iRule.
There is a potential issue with trying to do security validation of URIs in an iRule though. See this post for details:
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=30900
Aaron
tnastars_92934Hoolio,
Thank You for the fast response. Can I just clarify what you are trying to say? I can leave a default pool on the Virtual server as well as the iRule? If I understand that correctly I am assuming that the F5 looks at the iRule first and the criteria is not met than it sends it to the default Pool. If the iRule criteria is met then the iRule would send back the 403 - Forbidden? Also, I looked at the post you pointed me too. Is that saying that I should use http::path instead of the http::uri command? Is this what you are suggesting:
when HTTP_REQUEST {
if { [HTTP::path] starts_with "/PAPayments/"} {
if { not [matchclass [IP::client_addr] equals $::good_IP} {
HTTP::respond 403 content "403 - Forbidden" }
}
}- tnastars_92934Sorry Hoolio I copied an old version of my iRule above. Is this what you are suggesting I should do:
when HTTP_REQUEST {
if { [HTTP::path] starts_with "/Foo/"} {
if { not [matchclass [IP::client_addr] equals $::Foo_IPs] } {
HTTP::respond 403 content "403 - Forbidden" }
}
} - hoolioThat should work to send all traffic you don't send an HTTP response to from the iRule to the VIP's default pool.
But the problem with that is that an attacker could obfuscate their request for /Foo/ using several directory traversal or encoding methods. Check the post I linked to in my first reply for details on that.
Aaron - tnastars_92934Aaron,
I just implemented this rule, but it does not seem to be working. I added it to a virtual server using port 443 with a SSL Client Profile (self signed cert). There is also a port 80 redirect rule (redirecting traffic to 443) for the same VIP. The back end servers are listing on port 7785. Should any of these factors contribute to the rule not working properly? As I understand it the LTM unencrypts the traffic, tries to match it against an iRule and then sends it to the default pool if there is no match on the iRule. is this correct? Any suggestions to get this working?
Thanks in advance
Tom - hoolioHi Tom,
That's correct. What are the symptoms of the problem? Can you add logging to the iRule to see what's happening?when HTTP_REQUEST { log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::method] to [HTTP::host][HTTP::uri]" if { [HTTP::path] starts_with "/foo/"} { log local0. "[IP::client_addr]:[TCP::client_port]: Matched path check" if { not [matchclass [IP::client_addr] equals $::foo_IP]} { log local0. "[IP::client_addr]:[TCP::client_port]: Blocking request" HTTP::respond 403 content "403 - Forbidden" } } }
Aaron - tnastars_92934Aaron,
I took the code you pasted above and used it and the rule is working properly? I am not sure what is different between yours and mine? All I can think of is that maybe I missed a bracket somewhere? Anyways, it seems to be to be doing what I need it to do. Thank you for your help!
Tom