Marcel_Jorba_62
Jul 26, 2011

How to block a specific URL

My setup is balancing 2 servers for all ports.

These servers host a web server.

I need to block a very specific URL on these servers, blocking it or forwarding the requesting user to another URL outside the load balancer. This second option has been my option, by means of an iRule.

An iRule like this should work for me:

    when HTTP_REQUEST {
        # Redirect only when the URI is exactly the one to block
        if { [HTTP::uri] equals "myurl" } {
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }
    }

If I try to set this up, an HTTP profile is required.

If I select an HTTP profile, my application stops working (it also uses a non-HTTP port).

My questions:

a) Is there any other way to block a URL without iRules?

b) Any help with my iRules approach?

Thanks in advance

Marcel
  • Hi Marcel,

    Unfortunately you cannot block something that specific without an iRule, but you can build an iRule that hopefully is easier to update when you want to expand what you want to block.

    A typical URI block would look something like the following:

    Expanding this to include different URIs using the switch command:

    when HTTP_REQUEST {
       # The URI is lower-cased first, so every pattern must be lower-case
       switch [string tolower [HTTP::uri]] {
       "/path1" -
       "/path2" -
       "/path3" -
        .
        .
        .
       "/pathn" { drop }
       }
    }

    Taking this further, if you have an even larger list, you can use data groups:

    class blockthis {
       "/path1"
       "/path2"
    }

    when HTTP_REQUEST {
       # Drop the request when the lower-cased URI is in the blockthis data group
       if { [class match [string tolower [HTTP::uri]] equals blockthis] } {
          drop
       }
    }

    This allows you to continue to add URIs you want to block. You can also replace "drop" with HTTP::redirect "http://redirected.com/uri", which can be used to redirect the client instead of dropping the connection, or you can write up a sorry page response, for example:

    HTTP::respond 200 content "We are sorry, but the site you are looking for is temporarily offline for services, please try back later

    If you feel you have reached this page in error, please try again."

    I hope this helps,

    Bhattman
  • I hope it's not bad form to jump in here but I have a follow-up question to this discussion ...

    In Bhattman's suggestion about using multiple patterns in a "switch" command, what would happen if the switch command could not match any of the patterns? Would it allow the connection to proceed? I've read up on the "switch" command and see that there is a "default" keyword so that you can specify what you want to happen if it can't find a match. But, what happens if you don't explicitly specify a "default" action? In my case, I want to drop (or reject?) the connection if the URI matches or contains any of three strings; otherwise, the connection should be allowed.

    Thanks in advance for any guidance you can offer!
  • While not expressly required, it's generally best practice to include the default option in a switch. In any case, you could probably do something like this:

    
    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri]] {
            "/foo*" -
            "/bar*" -
            "/test*" { reject }
            default { return }
        }
    }
    
  • What about if you have a subdirectory you only want to block? This iRule and others I have been testing with will also apply the reject to anything before the subdirectory: /test/appsite or /*/appsite1

    I want to only block/reject the /appsite1: xyz.com/test/appsite1
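
One way to limit the block to a single subdirectory, as an added example that is not part of the original thread: match the normalized path against the full directory name plus a `/*` pattern for everything beneath it, so sibling and parent paths fall through to `default`. It assumes the `/test/appsite1` path from the last post and an HTTP profile on the virtual server (required for `HTTP_REQUEST`, as the first post notes); the log message text is made up for illustration.

```tcl
# Added example (iRule). Assumes the /test/appsite1 path from the thread.
when HTTP_REQUEST {
    # HTTP::path leaves out the query string, so "?a=b" cannot change the match.
    # Decode %xx escapes once, lower-case, and collapse repeated slashes so that
    # equivalent spellings of the same path compare equal.
    set path [string tolower [URI::decode [HTTP::path]]]
    regsub -all {/+} $path "/" path

    switch -glob -- $path {
        "/test/appsite1" -
        "/test/appsite1/*" {
            # The directory itself or anything below it. A bare "/test/appsite1*"
            # would also catch /test/appsite10, and "/test*" would catch all of /test.
            log local0. "Blocked [IP::client_addr] requesting [HTTP::uri]"
            reject
        }
        default {
            # /test, /test/appsite2, /other/appsite1 and so on are not touched.
            return
        }
    }
}
```

Without the `default` arm the result is the same: when no pattern matches, `switch` runs nothing and the request continues to the pool.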