Forum Discussion

Cirrus

Sep 15, 2022

Solved

Irule advice?

Hello, I'm seeking advice on using an Irule to drop a connection when a certain condition is met in the URI. fid= followed by non numeric charectors. fid=1234 would pass. fid=13d4 would drop. Thanks...

application delivery

Kevin_Stewart

Sep 15, 2022

when HTTP_REQUEST {
    if { [string tolower [HTTP::query]] contains "fld" } {
        if { ![string is digit [URI::query [HTTP::uri] "fld"]] } {
            log local0. "invalid fld value, rejecting from [IP::client_addr]"
            reject
        }
    }
}

Kevin_Stewart

Sep 19, 2022

The following accounts for a POST request where the payload is URL encoded or XML:

when HTTP_REQUEST { 
    if { [HTTP::method] eq "POST" } { 
        ## Trigger collection for up to 1MB of data 
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 }{ 
            set content_length [HTTP::header "Content-Length"] 
        } else { 
            set content_length 1048576 
        } 
        ## Check if $content_length is not set to 0 
        if { $content_length > 0 } { 
            HTTP::collect $content_length 
        } 
    } 
} 
when HTTP_REQUEST_DATA { 
    set fld ""
    if { [HTTP::payload] contains "fld=" } {
        foreach x [split [HTTP::payload] "&"] {
            if { $x starts_with "fld=" } {
                set fld [lindex [split $x "="] 1]
                continue
            }
        }
    } elseif { [HTTP::payload] contains "<fld>" } {
        set fld [findstr [HTTP::payload] "<fld>" 5 "</fld>"]
    }
    if { $fld ne "" } {
        if { ![string is digit $fld] } {
            log local0. "invalid fld value, rejecting from [IP::client_addr]"
            HTTP::respond 400 content "Bad Request" "Content-Type" "text/html" "Connection" "close"
        }
    }
}

Kevin_Stewart

Employee

Sep 15, 2022

Try this:

when HTTP_REQUEST {
    if { [string tolower [HTTP::query]] contains "fld" } {
        if { ![string is digit [URI::query [HTTP::uri] "fld"]] } {
            log local0. "invalid char"
        }
    }
}

JD_Tomzak
Cirrus
Sep 15, 2022
That works well! Thanks
So the idea is to drop these connections and not send to the pool. Maybe send a 403 too. Thoughts?
-JD
- Kevin_Stewart
  Employee
  Sep 15, 2022
  Just replace the log statement with whatever you want.
  
  Reject/drop
  
  HTTP response
JD_Tomzak
Cirrus
Sep 15, 2022
Thanks for all of the help Kevin!
One last thought, any idea why the = is not in play? (fld=) Ignored? Also, how would this work if the digits were in front of fld instead of behind it? (12345=fld)
Just asking as I aim to get a better understanding of Irules in each of these engagements. Non programer, network guy...
- Kevin_Stewart
  Employee
  Sep 15, 2022
  You're using URI::query and HTTP::query to get to the querystring values in an HTTP request. Example:
  
  https://www.example.com/foo?fld=1234&bar=blah&this=that
  
  The querystring is fld=1234&bar=blah&this=that. The above two commands conveniently let you pull apart the key-value pairs. I don't think there'd ever be a situation where you'd see 1234=fld, unless 1234 was the key. HTTP requires a specific format for querystrings where key=value (never value=key).
  - JD_Tomzak
    Cirrus
    Sep 15, 2022
    Now I see what I'm missing. Need better understanding of what makes up an HTTP request. Off to the youtubes then...
    Thanks,