Forum Discussion

OviShare_69630
Sep 21, 2009

Ignore a rule

I am trying to create a rule where certain content is blocked from being accessed outside of my site. I tried this rule:

    when HTTP_REQUEST {
        if {[matchclass [HTTP::uri] contains $::restricted_URL_datagroup]} {
            # Block content
            HTTP::respond 404 content ""
        }
    }

But that blocked all the content, including when it is accessed from my site. So I tried this rule:

    when HTTP_REQUEST {
        if {[matchclass [HTTP::host] ends_with ".mysite.com"]} {
            # Do nothing
        } elseif {[matchclass [HTTP::uri] contains $::restricted_URL_datagroup]} {
            # Block content
            HTTP::respond 404 content ""
        }
    }

And that effectively took my entire site down. What would be the proper way for me to write this rule?
  • Something like "/dir/my_content.jpg"

    Such that HTTP:uri would be like "/a_dir/another_dir/dir/my_content.jpg"
  • What about

        when HTTP_REQUEST {
            if {[matchclass [HTTP::uri] ends_with $::restricted_URL_datagroup]} {
                discard
            }
        }

    CB

  • If I understand the discard statement correctly, that would also block all access to the content even when it is accessed from within my site. I need to make an exception (i.e. ignore the rule) for all content accessed from within my site.
  • This is really confusing to me. I tried this rule:

        when HTTP_REQUEST {
            if {not [matchclass [HTTP::header "Referer"] contains ".mysite.com"]} {
            }
        }

    And it blocked all access to the site entirely. It is as if not including an action just drops the connection altogether. That should not be.
  • Try something simple first

        when HTTP_REQUEST {
            if {[HTTP::uri] ends_with "/dir/my_content.jpg"} {
                discard
            }
        }

    CB
  • OviShare, if I understand your initial question correctly, you want the script to allow access to some paths on your application server but not all. Is that correct?
  • I figured out my problem. This code:

        when HTTP_REQUEST {
            if {not [matchclass [HTTP::header "Referer"] contains ".mysite.com"]} {
            }
        }

    Is incorrect. I should not have been using "matchclass" in this case, and thus the broken code was blocking all traffic.

    For posterity's sake, here is my working code:

        when HTTP_REQUEST {
            set refer_host [string tolower [HTTP::header Referer]]
            if { ( not ($refer_host contains ".mydomain.com") ) and
                 ( not ($refer_host contains ".myotherdomain.com") ) and
                 ( [matchclass [string tolower [HTTP::path]] contains $::restricted_URL_datagroup] ) } {
                # Block content
                HTTP::respond 404 content ""
            }
        }
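
The Referer check from the final post, as an added example that is not part of the thread: it compares only the host portion of the Referer (via `URI::host`) rather than searching the whole header, so a domain name that appears only in the Referer's path or query string does not satisfy the exception. The data group and domain names are the thread's; also accepting the bare domain (without a subdomain) is an assumption, and requests with no Referer are blocked, as in the posted rule.

```tcl
when HTTP_REQUEST {
    # Requests for paths outside the restricted data group are never blocked.
    if { not [matchclass [string tolower [HTTP::path]] contains $::restricted_URL_datagroup] } {
        return
    }

    # Host portion of the Referer only; empty when the header is absent
    # or does not hold a URL.
    set refer_host [string tolower [URI::host [HTTP::header Referer]]]

    # Allow the request when the Referer host is one of the site's domains
    # or a subdomain of one (domain names taken from the thread; matching
    # the bare domain as well is an assumption).
    foreach domain {mydomain.com myotherdomain.com} {
        if { ($refer_host equals $domain) or ($refer_host ends_with ".$domain") } {
            return
        }
    }

    # Restricted path and no Referer from the site: block, as the posted rule does.
    HTTP::respond 404 content ""
}
```

The Referer header is supplied by the client, so this rule limits casual hotlinking rather than enforcing access control.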