Forum Discussion
iRule and Data group URI wildcard matching not working
Hi All,
Can anyone let me know what the issue is here? I am trying to match using a wildcard or anything beyond the top-level URI and it's not working.
It seems the data group string is specific only, and anything beyond that doesn't work.
So what I am trying to do is look at the top-level URI (/APP1), and if there is anything beyond that, allow. It should allow at the top level /APP1 and not care about any URI beyond that...
Example not working going beyond the top level URI /APP1:
HTTPS://mysite.com/APP1/ABC/123/home.html
We all know that a site does not end at just the top level /APP1/, as it can go beyond that with the other folders/URI. I just want to match the top level, and allow anything beyond that. The iRule seems to look for only /APP1/ and if you have /APP1/ABC/..... it does not work.
Match or wild card in data group:
/APP1/*
/APP2/*
/APP3/*
Is there a better way to do this within the iRule itself for the URIs?
Thanks!
    when HTTP_REQUEST {
        if { [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] } {
            if { not ([class match [HTTP::uri] equals DG2-ALLOWED-URIs]) } {
                reject
            }
        }
    }

    ltm data-group internal DG1-BLOCKED-SUBNETS {
        records {
            10.100.100.0/24 { }
            10.200.200.0/24 { }
        }
        type ip
    }

    ltm data-group internal DG2-ALLOWED-URIs {
        records {
            /APP1/* { }
            /APP2/* { }
            /APP3/* { }
        }
        type string
    }
- ldesfosses
Cirrus
I think you want to check if your URI "starts with" something, so I would use starts_with:

    if { not ([class match [HTTP::uri] starts_with DG2-ALLOWED-URIs]) } {

Let me know if it's OK for you.
- ant77
Cirrostratus
Added the "starts_with" and still same thing, no good. Is it better to call the URIs and wildcard within the iRule or from a data group?
For example, I am trying to go to the URL below.
I have /APP1/* in the data group, so the iRule should allow me to come in if I match the /APP1 and anything beyond that.
HTTPS://mysite.com/APP1/home.html
Thanks!
- ldesfosses
Cirrus
In the data group, you should have: /APP1/, not /APP1/*.
Regarding whether it's better to call the URIs in the iRule or a data group, IMO, it depends on how many times the URIs will be added or removed and the number of entries.
For just 3 that will never change, I would do it in the iRule, because it'll be easiest for some people to maintain. If you have a lot of URIs and they'll change, I'd do it in a data group; it'll be easy for an untrained technician to just add/remove stuff from the data group.
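
The two suggestions in this thread (starts_with, and data group records without the "*") combined into one iRule, as an added example that is not code from any of the posters. It assumes the applications treat paths case-insensitively, so the records are stored in lower case, and it adds handling for a request to the bare top level (/APP1 with no trailing slash), which the thread does not cover.

```tcl
# Added example, not code from the thread. Data group names are the poster's.
#
# Data group records are literal strings, not glob patterns, so the prefixes
# carry no "*" (lower-case records are an assumption of this example):
#
#   ltm data-group internal DG2-ALLOWED-URIs {
#       records {
#           /app1/ { }
#           /app2/ { }
#           /app3/ { }
#       }
#       type string
#   }
when HTTP_REQUEST {
    # Only clients in the listed subnets are restricted.
    if { [class match [IP::client_addr] equals DG1-BLOCKED-SUBNETS] } {
        # Compare the path only (no query string), lower-cased so that
        # /APP1/ and /app1/ are treated alike. If the applications are
        # case-sensitive, drop "string tolower" and keep the records in
        # their real case.
        set path [string tolower [HTTP::path]]

        # The records end in "/", so a bare "/app1" would not match.
        # Append the slash before the prefix test so the top level passes
        # while a sibling such as "/app1-other" still does not.
        if { ![string match "*/" $path] } {
            append path "/"
        }

        # True when $path begins with any record in the data group.
        if { ![class match $path starts_with DG2-ALLOWED-URIs] } {
            reject
        }
    }
}
```

Keeping the trailing "/" in each record is what stops "/app1" from also allowing every other path that merely begins with those five characters.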