Forum Discussion

Fastidious
Jun 21, 2024

Help with iRule

Good day all!

I have the following iRule:

when HTTP_REQUEST {
  if { ([HTTP::host] eq "lists.example.com") and
       ([HTTP::uri] eq "/cgi-bin/wa?INDEX" ||
        [HTTP::uri] eq "/cgi-bin/wa?MOD" ||
        [HTTP::uri] eq "/cgi-bin/wa?SYSCFG" ||
        [HTTP::uri] eq "/cgi-bin/wa?OWNER" ||
        [HTTP::uri] eq "/cgi-bin/wa?INDEX=" ||
        [HTTP::uri] eq "/cgi-bin/wa?LOGON" ||
        [HTTP::uri] eq "/cgi-bin/wa?LOGON=INDEX" ||
        [HTTP::uri] eq "/cgi-bin/wa?LOGON=" ||
        [HTTP::uri] eq "/cgi-bin/wa?ADMINDASH" ||
        [HTTP::uri] eq "/cgi-bin/wa?LSTCR1") } {
    switch -glob [class match [IP::client_addr] eq "LISTSERV-TST_Allowed_IPs"] {
      "1" {
        return
      }
      default {
        HTTP::redirect "https://www.google.com/"
      }
    }
  } else {
    return
  }
}

As you can see, it is inefficient, and it doesn't account for all possibilities. Let me explain what I am aiming for.

If an `HTTP_REQUEST` comes to "lists.example.com" (`[HTTP::host]`), and the URI (`[HTTP::uri]`) isn't "/cgi-bin/wa?SUBEDIT1*" (that is, "cgi-bin/wa?SUBEDIT1", and anything after it), redirect it unless it is from an IP on the "LISTSERV-TST_Allowed_IPs", in which case, allow anything on the URI and continue to it.

What would you do?

  • JRahm
    Jun 21, 2024

    You can negate that second IF as well to avoid the else

    when HTTP_REQUEST priority 500 {
        if { (![class match -- [IP::client_addr] eq "LISTSERV-TST_Allowed_IPs"]) &&
             !(([HTTP::host] eq "lists.example.com") && ([HTTP::uri] matches_glob "/cgi-bin/wa?SUBEDIT1*")) } {
            HTTP::redirect "https://www.google.com"
        }
    }


  • Hi Fastidious, untested, but I think this is close to what you're looking for:

    when HTTP_REQUEST priority 500 {
        if { ([HTTP::host] eq "lists.example.com") && ([HTTP::uri] matches_glob "/cgi-bin/wa?SUBEDIT1*") } {
            if { ![class match -- [IP::client_addr] eq "LISTSERV-TST_Allowed_IPs"] } {
                HTTP::redirect "https://www.google.com"
            }
        }
    }


    • JRahm

      I'm a little fuzzy on your "isn't" clause for the /cgi-bin requirement, so that might need to be negated or the logic cleaned up a bit.

    • Fastidious

      JRahm, thank you, and very close! I want every client not on "LISTSERV-TST_Allowed_IPs" to be allowed to access line 2, but only line 2. Redirect if there is no match.

      Allow access to everything matching "/cgi-bin/wa*" to every client on "LISTSERV-TST_Allowed_IPs" data group.

    • Fastidious

      Would something like this work?

      when HTTP_REQUEST priority 500 {
          if { ([HTTP::host] eq "lists.example.com") && ([HTTP::uri] matches_glob "/cgi-bin/wa?SUBEDIT1*") } { 
            return 
          } else {
                  HTTP::redirect "https://www.google.com"    
          }
          if { [class match -- [IP::client_addr] eq "LISTSERV-TST_Allowed_IPs"] } {
            return
          }
      }


      • Fastidious

        Or this, rather:

        when HTTP_REQUEST priority 500 {
          if { ![class match -- [IP::client_addr] eq "LISTSERV-TST_Allowed_IPs"] } {
            if { ([HTTP::host] eq "lists.example.com") && ([HTTP::uri] matches_glob "/cgi-bin/wa?SUBEDIT1*") } { 
                  return 
            } else {
                  HTTP::redirect "https://www.google.com"
            }
          }
        }

        I know we are close, so I am not certain on how to "wrap it up".  😅
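Added example, not code posted by anyone in the thread: the rule Fastidious described ("on lists.example.com, non-allowlisted clients may only reach /cgi-bin/wa?SUBEDIT1*, allowlisted clients may reach anything"), written so that host, path and query are compared explicitly rather than with one glob. Two things the thread's versions do not handle: `HTTP::host` is compared case-sensitively with `eq`, although hostnames are case-insensitive and the Host header may carry a port; and in `matches_glob "/cgi-bin/wa?SUBEDIT1*"` the `?` is a glob wildcard for any single character, not a literal query delimiter, so the pattern also accepts "/cgi-bin/waXSUBEDIT1...". The data group name and redirect target are the thread's; treating "SUBEDIT1" as the start of the query string (everything after the `?`) is my assumption.

```tcl
# Added example (not from the forum thread). Same policy as discussed above,
# with host normalisation and path/query checked separately.
when HTTP_REQUEST priority 500 {
    # Trusted clients (address data group from the thread) may reach anything on this virtual.
    # Note: IP::client_addr is the TCP peer; behind another proxy it is the proxy, not the user.
    if { [class match -- [IP::client_addr] equals LISTSERV-TST_Allowed_IPs] } {
        return
    }

    # Hostnames are case-insensitive and the Host header may include ":port"; normalise first.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # The requirement only concerns lists.example.com; leave other hosts alone.
    if { $host ne "lists.example.com" } {
        return
    }

    # HTTP::path is the URI without the query string; HTTP::query is everything after "?".
    # The path is compared exactly, so any non-canonical spelling fails the allow check
    # and is redirected (fail closed). "SUBEDIT1" as the query prefix is an assumption.
    if { ([HTTP::path] equals "/cgi-bin/wa") && ([HTTP::query] starts_with "SUBEDIT1") } {
        return
    }

    # Everything else from an untrusted client: log, redirect, and stop processing this event.
    # Commands after HTTP::redirect still run unless we return.
    log local0. "Redirecting [IP::client_addr] from ${host}[HTTP::uri]"
    HTTP::redirect "https://www.google.com/"
    return
}
```

The early `return` for allowlisted clients keeps the privileged branch at the top where it is easy to audit, and the remaining checks only ever widen access for a single exact path and query prefix, so adding another public entry point means adding one more explicit `if`, not adjusting a negated compound expression.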

  • If you're not familiar with programming, use the GUI-based local traffic policy and/or ask the developer team to help.

    • JRahm

      traffic policies are certainly a good option if you don't already have iRules in place. Personally, if I have any iRules on a virtual, I'll stick with iRules so I'm not splitting the logic into multiple sources of responsibility. But, if it can all be done in a policy (or multiple policies) that's the better path.