Forum Discussion
Irule advice?
- Sep 15, 2022
when HTTP_REQUEST {
    if { [string tolower [HTTP::query]] contains "fld" } {
        if { ![string is digit [URI::query [HTTP::uri] "fld"]] } {
            log local0. "invalid fld value, rejecting from [IP::client_addr]"
            reject
        }
    }
}
- Sep 19, 2022
The following accounts for a POST request where the payload is URL encoded or XML:
when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        ## Trigger collection for up to 1MB of data
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        ## Check if $content_length is not set to 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
when HTTP_REQUEST_DATA {
    set fld ""
    if { [HTTP::payload] contains "fld=" } {
        ## URL-encoded body: find the fld=value pair
        foreach x [split [HTTP::payload] "&"] {
            if { $x starts_with "fld=" } {
                set fld [lindex [split $x "="] 1]
                continue
            }
        }
    } elseif { [HTTP::payload] contains "<fld>" } {
        ## XML body: take the text between <fld> and </fld>
        set fld [findstr [HTTP::payload] "<fld>" 5 "</fld>"]
    }
    if { $fld ne "" } {
        if { ![string is digit $fld] } {
            log local0. "invalid fld value, rejecting from [IP::client_addr]"
            HTTP::respond 400 content "Bad Request" "Content-Type" "text/html" "Connection" "close"
        }
    }
}
Try this:
when HTTP_REQUEST {
    if { [string tolower [HTTP::query]] contains "fld" } {
        if { ![string is digit [URI::query [HTTP::uri] "fld"]] } {
            log local0. "invalid char"
        }
    }
}
- JD_Tomzak, Sep 15, 2022, Cirrus
Thanks for all of the help Kevin!
One last thought, any idea why the = is not in play? (fld=) Ignored? Also, how would this work if the digits were in front of fld instead of behind it? (12345=fld)
Just asking as I aim to get a better understanding of iRules in each of these engagements. Non-programmer, network guy...
- Kevin_Stewart, Sep 15, 2022, Employee
You're using URI::query and HTTP::query to get to the querystring values in an HTTP request. Example:
https://www.example.com/foo?fld=1234&bar=blah&this=that
The querystring is fld=1234&bar=blah&this=that. The above two commands conveniently let you pull apart the key-value pairs. I don't think there'd ever be a situation where you'd see 1234=fld, unless 1234 was the key. HTTP requires a specific format for querystrings where key=value (never value=key).
- JD_Tomzak, Sep 15, 2022, Cirrus
Now I see what I'm missing. Need better understanding of what makes up an HTTP request. Off to the youtubes then...
Thanks,
- JD_Tomzak, Sep 15, 2022, Cirrus
That works well! Thanks
So the idea is to drop these connections and not send to the pool. Maybe send a 403 too. Thoughts?
-JD
- Kevin_Stewart, Sep 15, 2022, Employee
Just replace the log statement with whatever you want.
- Reject/drop
- HTTP response
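A stricter form of the query-string check discussed in this thread, as an added example that is not code from any of the posters: it matches the fld key exactly instead of by substring, checks every occurrence of the key, and requires ASCII digits only, because string is digit without -strict returns true for an empty string. The 1 to 10 digit length limit and the 403 response body are assumptions.

```tcl
when HTTP_REQUEST {
    # Assumption: the parameter is named "fld" and must be 1-10 ASCII digits.
    set bad 0
    foreach pair [split [HTTP::query] "&"] {
        # Split at the first "=" only, so a value containing "=" stays intact
        set idx [string first "=" $pair]
        if { $idx < 0 } {
            # Key with no "=" at all: treat the value as empty
            set key [URI::decode $pair]
            set val ""
        } else {
            set key [URI::decode [string range $pair 0 [expr {$idx - 1}]]]
            set val [URI::decode [string range $pair [expr {$idx + 1}] end]]
        }
        # Exact, case-insensitive key match rather than a substring test
        if { ![string equal -nocase $key "fld"] } { continue }
        # Anchored ASCII-only pattern: an empty value fails, as do
        # non-ASCII digits that "string is digit" would accept
        if { ![regexp {^[0-9]{1,10}$} $val] } {
            set bad 1
            break
        }
    }
    if { $bad } {
        log local0. "invalid fld value, rejecting from [IP::client_addr]"
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain" "Connection" "close"
        return
    }
}
```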