Forum Discussion

PG0581's avatar
PG0581
Icon for Cirrus rankCirrus
Dec 12, 2022

iRule - Block part of a query

Using this example URL: https://abc.com/some-uri.some-extension?func=do-something

How would I go about rejecting any queries containing "do-something"? 

This is what I have tried, and haven't had any luck:

iRule:

    when HTTP_REQUEST {
            if { [class match [string tolower [HTTP::query]] eq data-group-1] }{
            log local0. "Denied query: [IP::client_addr] - [HTTP::query]"
            reject
        }
    }

Data-group:

ltm data-group internal data-group-1 {
    records {
        do-something { }
    }
    type string
}
irule
security
  • CA_Valli's avatar
    CA_Valli
    Dec 13, 2022

    Hello PG0581 , 
    this code should work, and it's exactly how I would build the iRule too. 

    Any reason why you're using "string tolower"? Remember that in this case, your datagroup should be all lowercase characters in order to match. 

    In my lab, this code is working indeed

     

    I would check profiles on your VS .. you need HTTP profile to parse [HTTP::query] info, and if this HTTPS traffic you also need a clientSSL profile in order to see unencrypted data.

  • Omar2's avatar
    Omar2
    Icon for Cirrus rankCirrus
    Dec 13, 2022

    Hello,

    The below simple I-rule do this function and tested in a LAB:

    when HTTP_REQUEST {
    if {[HTTP::uri] contains "do-something"}{
    reject
    }
    }

    • PG0581's avatar
      PG0581
      Icon for Cirrus rankCirrus
      Dec 15, 2022

      Thanks for testing this Omar2 ! I will add this to my notes as another solution.

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Dec 13, 2022

    Hi PG0581,

    you may check the modified iRule below...

     

    when HTTP_REQUEST {
		if {  [class match -- [URI::query [HTTP::uri -normalized] "func"] equals data-group-1] } then {
		log local0. "Denied query: [IP::client_addr] - param func=[URI::query [HTTP::uri -normalized] "func"]"
		HTTP::respond 403 content "Access Denied" "Content-Type" "text/html"
	}
}

     

    It applies HTTP::uri -nomalization to the request URI, then extracts the URI parameter "func" and then checks the value based on your Data-Group. If the func param is listed in the blacklist, it sends a HTTP 403 Access Denied to the client (slightly better than using a TCP reject). 

     Cheers, Kai

    • PG0581's avatar
      PG0581
      Icon for Cirrus rankCirrus
      Dec 15, 2022

      Thanks for your feedback Kai_Wilke . Interesting way of writing the iRule, and thanks for the tip on sending the 403 back 🙂 I will add this to my notes!

  • PG0581's avatar
    PG0581
    Icon for Cirrus rankCirrus
    Dec 12, 2022

    I also tried modifying the iRule to use "contains" rather than "eq", but no luck there either:

     

        when HTTP_REQUEST {
            if { [class match [string tolower [HTTP::query]] contains data-group-1] }{
            log local0. "Denied query: [IP::client_addr] - [HTTP::query]"
            reject
        }
    }

     

    • CA_Valli's avatar
      CA_Valli
      Icon for MVP rankMVP
      Dec 13, 2022

      Hello PG0581 , 
      this code should work, and it's exactly how I would build the iRule too. 

      Any reason why you're using "string tolower"? Remember that in this case, your datagroup should be all lowercase characters in order to match. 

      In my lab, this code is working indeed

       

      I would check profiles on your VS .. you need HTTP profile to parse [HTTP::query] info, and if this HTTPS traffic you also need a clientSSL profile in order to see unencrypted data.

      • PG0581's avatar
        PG0581
        Icon for Cirrus rankCirrus
        Dec 15, 2022

        Hi CA_Valli ,

        Thanks for testing this. I have typically always used "string tolower", but what I did not realize or had not noticed is the string in the data-group needs to be lowercase as well. Makes total sense! The string in my data-group is not all in lowercase, so I will fix that.