Forum Discussion

JD_Tomzak's avatar
JD_Tomzak
Icon for Cirrus rankCirrus
Sep 15, 2022

Irule advice?

Hello, I'm seeking advice on using an Irule to drop a connection when a certain condition is met in the URI. fid= followed by non numeric charectors. fid=1234 would pass. fid=13d4 would drop. Thanks...
application delivery
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Sep 15, 2022
    when HTTP_REQUEST {
    if { [string tolower [HTTP::query]] contains "fld" } {
        if { ![string is digit [URI::query [HTTP::uri] "fld"]] } {
            log local0. "invalid fld value, rejecting from [IP::client_addr]"
            reject
        }
    }
}
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Sep 19, 2022

    The following accounts for a POST request where the payload is URL encoded or XML:

    when HTTP_REQUEST { 
    if { [HTTP::method] eq "POST" } { 
        ## Trigger collection for up to 1MB of data 
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 }{ 
            set content_length [HTTP::header "Content-Length"] 
        } else { 
            set content_length 1048576 
        } 
        ## Check if $content_length is not set to 0 
        if { $content_length > 0 } { 
            HTTP::collect $content_length 
        } 
    } 
} 
when HTTP_REQUEST_DATA { 
    set fld ""
    if { [HTTP::payload] contains "fld=" } {
        foreach x [split [HTTP::payload] "&"] {
            if { $x starts_with "fld=" } {
                set fld [lindex [split $x "="] 1]
                continue
            }
        }
    } elseif { [HTTP::payload] contains "<fld>" } {
        set fld [findstr [HTTP::payload] "<fld>" 5 "</fld>"]
    }
    if { $fld ne "" } {
        if { ![string is digit $fld] } {
            log local0. "invalid fld value, rejecting from [IP::client_addr]"
            HTTP::respond 400 content "Bad Request" "Content-Type" "text/html" "Connection" "close"
        }
    }
}
JD_Tomzak's avatar
JD_Tomzak
Icon for Cirrus rankCirrus

Yes, the Irule,fires, logs, etc. 

When we do this on port 80, I see our error mesage and an orderly connection shutdown. 

When https:, no message is returned and the connection ends with just us sending the rst-ack.

 

Thanks,

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 16, 2022

Just tested and it appears to work fine for me with an HTTPS VIP (decrypting and re-encrypting).

If you tail the LTM log do you see anything unusual?

tail -f /var/log/ltm
  • JD_Tomzak's avatar
    JD_Tomzak
    Icon for Cirrus rankCirrus
    Sep 16, 2022

    Nope, nothing there. Odd situation...

    Thanks for all help anyway, will get it figured out next week.  I'm about to get started on the weekend. Have a good one!

    -JD