iRule - Block part of a query

Using this example URL: https://abc.com/some-uri.some-extension?func=do-something

How would I go about rejecting any queries containing "do-something"?

This is what I have tried, and haven't had any luck:

iRule:

    when HTTP_REQUEST {
            if { [class match [string tolower [HTTP::query]] eq data-group-1] }{
            log local0. "Denied query: [IP::client_addr] - [HTTP::query]"
            reject
        }
    }

Data-group:

ltm data-group internal data-group-1 {
    records {
        do-something { }
    }
    type string
}

irule

security

CA_Valli
Dec 13, 2022
Hello PG0581 ,
this code should work, and it's exactly how I would build the iRule too.
Any reason why you're using "string tolower"? Remember that in this case, your datagroup should be all lowercase characters in order to match.
In my lab, this code is working indeed

I would check profiles on your VS .. you need HTTP profile to parse [HTTP::query] info, and if this HTTPS traffic you also need a clientSSL profile in order to see unencrypted data.

Omar2
Cirrus
Dec 13, 2022
Hello,
The below simple I-rule do this function and tested in a LAB:
when HTTP_REQUEST {
if {[HTTP::uri] contains "do-something"}{
reject
}
}
- PG0581
  Cirrus
  Dec 15, 2022
  Thanks for testing this Omar2 ! I will add this to my notes as another solution.
Kai_Wilke
MVP
Dec 13, 2022
Hi PG0581,

you may check the modified iRule below...

when HTTP_REQUEST { if { [class match -- [URI::query [HTTP::uri -normalized] "func"] equals data-group-1] } then { log local0. "Denied query: [IP::client_addr] - param func=[URI::query [HTTP::uri -normalized] "func"]" HTTP::respond 403 content "Access Denied" "Content-Type" "text/html" } }

It applies HTTP::uri -nomalization to the request URI, then extracts the URI parameter "func" and then checks the value based on your Data-Group. If the func param is listed in the blacklist, it sends a HTTP 403 Access Denied to the client (slightly better than using a TCP reject).

Cheers, Kai
- PG0581
  Cirrus
  Dec 15, 2022
  Thanks for your feedback Kai_Wilke . Interesting way of writing the iRule, and thanks for the tip on sending the 403 back 🙂 I will add this to my notes!
PG0581
Cirrus
Dec 12, 2022
I also tried modifying the iRule to use "contains" rather than "eq", but no luck there either:

when HTTP_REQUEST { if { [class match [string tolower [HTTP::query]] contains data-group-1] }{ log local0. "Denied query: [IP::client_addr] - [HTTP::query]" reject } }
- CA_Valli
  MVP
  Dec 13, 2022
  Hello PG0581 ,
  this code should work, and it's exactly how I would build the iRule too.
  Any reason why you're using "string tolower"? Remember that in this case, your datagroup should be all lowercase characters in order to match.
  In my lab, this code is working indeed
  
  I would check profiles on your VS .. you need HTTP profile to parse [HTTP::query] info, and if this HTTPS traffic you also need a clientSSL profile in order to see unencrypted data.
  - PG0581
    Cirrus
    Dec 15, 2022
    Hi CA_Valli ,
    Thanks for testing this. I have typically always used "string tolower", but what I did not realize or had not noticed is the string in the data-group needs to be lowercase as well. Makes total sense! The string in my data-group is not all in lowercase, so I will fix that.