i-rule to allow specific urls only
I have to configure a VS to allow only two URLs & block everything else. For example, https://mycompany.com/abc/* & https://mycompany.com/xyz/* should be allowed & everything else should be blocked. Can someone help me with a possible i-rule or a method to achieve the same? TIA
- Simon_Blakely
Employee
Do this with a Local Traffic Policy
AskF5 | Manual Chapter: Local Traffic Policies Examples
A Local Traffic Policy will be easier to configure, maintain and will also be faster than an irule.
- Simon_Blakely
Employee
Your policy should look something like this
Thanks for your response. I tried this but it blocked the whole site. Also, which version of BIG-IP are you running? I have 13.1.7 & I don't see the same screen after policy creation.
- Simon_Blakely
Employee
That policy is missing a leading "/" for the URI paths, because I switched from "contains" to "starts_with" - sorry. Also, make it a case-insensitive check (using the options button)
HTTP URI path starts with "/abc/", or "/xyz/" at request time
It's worth persisting with Local Traffic Policies until you get them working - they really are the best solution to start with.
@Janet, your iRule is correct, but a small modification is needed to fulfill the actual request.
when HTTP_REQUEST {
    if { !(([string tolower [HTTP::uri]] starts_with "/abc") or ([string tolower [HTTP::uri]] starts_with "/pqr")) } {
        drop
    }
}
This i-rule blocked the whole site
Thank you so much for the feedback. We wrote the iRule based on your question/assumption. As I believe, you are passing a wildcard parameter in "/abe/*", which may not return the proper result. It is a DevCentral tip; modify it according to business needs.
Try a switch condition or F5 Policy.
Thanks, but my request is to allow the two URIs & drop everything else, & in a dropped request the user gets http:403 request forbidden.
- jaikumar_f5
Noctilucent
Try putting in logging to see if you are capturing the right URIs.
You can follow Samir's iRule, and since you wanted 403, replace drop with respond 403.
when HTTP_REQUEST {
    if { !(([string tolower [HTTP::uri]] starts_with "/abc") or ([string tolower [HTTP::uri]] starts_with "/pqr")) } {
        HTTP::respond 403 content "<html><body>Access Denied</body></html>"
    } else {
        log local0. "client=[IP::client_addr] accessing - [HTTP::uri] which is allowed"
    }
}
If you want to test before implementing, to make sure you are putting the right actions, put logging first. Something like below:
when HTTP_REQUEST {
    if { !(([string tolower [HTTP::uri]] starts_with "/abc") or ([string tolower [HTTP::uri]] starts_with "/pqr")) } {
        log local0. "client=[IP::client_addr] accessing - [HTTP::uri] which is to be blocked with a 403"
    } else {
        log local0. "client=[IP::client_addr] accessing - [HTTP::uri] which is allowed"
    }
}
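Added example, not part of any post in this thread: an iRule for the original request (allow /abc/* and /xyz/*, answer everything else with a 403), written with the switch form suggested above. It compares HTTP::path instead of HTTP::uri so the query string is ignored, and keeps the trailing slash so that /abcdef is not treated as /abc/; the ".." rejection is an assumption about what the application never needs.

```tcl
when HTTP_REQUEST {
    # Path only (no query string), percent-decoded once and lower-cased,
    # so "/ABC/", "/%61bc/" and "/abc/?x=1" are all compared as "/abc/".
    set path [string tolower [URI::decode [HTTP::path]]]

    # Assumption: the application never needs ".." in a path, so a request
    # such as "/abc/../other" is refused before the prefix match runs.
    if { $path contains ".." } {
        log local0. "client=[IP::client_addr] blocked (dot segments) - [HTTP::uri]"
        HTTP::respond 403 content "<html><body>Access Denied</body></html>"
        return
    }

    switch -glob -- $path {
        "/abc/*" -
        "/xyz/*" {
            # Allowed prefixes: the request continues to the pool unchanged.
            log local0. "client=[IP::client_addr] allowed - [HTTP::uri]"
        }
        default {
            # Everything else, including "/", "/abc" and "/abcdef".
            log local0. "client=[IP::client_addr] blocked - [HTTP::uri]"
            HTTP::respond 403 content "<html><body>Access Denied</body></html>"
        }
    }
}
```

Because the default branch also refuses "/" and any static assets outside the two prefixes, the log lines show quickly whether a "whole site blocked" report is the rule working as written.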