Forum Discussion
iRule based on domain
Hi, I'm looking for a way to accept traffic with a * expression. Is it possible?
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] eq "*.example.com*"} {
        pool $HTTP_pool
    } else {
        HTTP::respond 403
    }
}
- PeteWhiteEmployee
Hi,
You need to use the relevant string comparison - eq is for numbers. You can use contains, ends_with, starts_with, equals, matches_glob & matches_regex.
https://devcentral.f5.com/wiki/iRules.Operators.ashx
- Vova_1985_18320Nimbostratus
So this syntax is right?
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] contains "mydomain.com"} {
        pool $HTTP_pool
    } else {
        HTTP::respond 403
    }
}
- PeteWhiteEmployee
Yes, looks good to me.
- Vova_1985_18320Nimbostratus
Great! Thank you.
Another question: I also want to be able to allow traffic by ORIGIN. Is it possible? When I say origin, I mean the site from where I'm trying to reach (and I don't mean the referrer).
- Vova_1985_18320Nimbostratus
This is an example of how I think it should be; I'm not sure this is the right way to do it:
when HTTP_REQUEST {
    if { [HTTP::header exists Origin] } {
        set origin_host [HTTP::header Origin]
    }
}
when HTTP_RESPONSE {
    if { [info exists origin_host] } {
        if { $origin_host contains "mydomain1.com, mydomain2.com, mydomain3.com" } {
            pool $HTTP_pool
        } else {
            HTTP::respond 403
        }
    }
}
- PeteWhiteEmployee
Rather than having multiple entries in your statement, you need to use a datagroup and the class match command. Take a look at https://clouddocs.f5.com/api/irules/class.html and specifically the examples; it's pretty simple to use and very extensible.
- Vova_1985_18320Nimbostratus
Thank you for your time; however, I don't understand how to fit it in my rule. Maybe someone can help me to write it correctly? Maybe I can do it more simply, like this?
when HTTP_REQUEST {
    if { [HTTP::header exists Origin] } {
        set origin_host [HTTP::header Origin]
    }
}
when HTTP_RESPONSE {
    if { [info exists origin_host] } {
        if { $origin_host contains "mydomain1.com" } {
            pool $HTTP_pool
        }elsif{ { $origin_host contains "mydomain2.com" } {
            pool $HTTP_pool
        }elsif{ { $origin_host contains "mydomain3.com" } {
            pool $HTTP_pool
        } else {
            HTTP::respond 403
        }
    }
}
- Vova_1985_18320Nimbostratus
I ended up with this script; however, it's not working. I don't get any 403 response nor an accept when it spoofs the origin; all I get is a connection reset. Any suggestions?
when HTTP_REQUEST {
    if { [HTTP::header exists Origin] } {
        set origin_host [HTTP::header Origin]
    }
}
when HTTP_RESPONSE {
    if { [info exists origin_host] } {
        if { $origin_host contains "mydomain1.com" } {
            pool $HTTP_pool
        } elseif { $origin_host contains "mydomain2.com" } {
            pool $HTTP_pool
        } elseif { $origin_host contains "mydomain3.com" } {
            pool $HTTP_pool
        } else {
            HTTP::respond 403
        }
    } else {
        HTTP::respond 403
    }
}
- PeteWhiteEmployee
I think this might work better. You need to set the pool in the HTTP_REQUEST event, not in the response. Obviously this is globbing, so in this case the Origin ends with mydomainX.com.
when RULE_INIT {
    # static:: makes the value readable from other events
    set static::HTTP_pool "poolname"
}
when HTTP_REQUEST {
    if { [HTTP::header exists Origin] } {
        # No parentheses around the switch string: Tcl would keep them as literal characters
        switch -glob [string tolower [HTTP::header Origin]] {
            "*mydomain1.com" { pool $static::HTTP_pool }
            "*mydomain2.com" { pool $static::HTTP_pool }
            "*mydomain3.com" { pool $static::HTTP_pool }
            default { HTTP::respond 403 }
        }
    }
}
- Vova_1985_18320Nimbostratus
Thank you, I will test it now.
- Vova_1985_18320Nimbostratus
I get a syntax error:
01070151:3: Rule [/Common/Origin] error: /Common/Origin:19: error: [Duplicate event/priority][when HTTP_REQUEST { if { [HTTP::header exists Origin] } {set origin_host [HTTP::header Origin]} }]
- PeteWhiteEmployee
I'm able to load it on my lab box OK. Is it part of a larger iRule that already uses the HTTP_REQUEST event? Maybe you can post or send me the whole Origin iRule.
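Following the data group and class match suggestion earlier in the thread, one way to check the Origin host exactly rather than by substring or glob. This is an added example, not code from any poster; the data group name origin_allow_dg and the pool name poolname are assumptions.

```tcl
# Added example (not from the thread).
# Assumptions: a string data group "origin_allow_dg" whose records are the
# exact lowercase hosts to allow (mydomain1.com, www.mydomain1.com, ...),
# and a pool named "poolname".
when HTTP_REQUEST {
    # No Origin header: nothing to check, so the virtual server's default
    # pool applies (same behaviour as the last rule in the thread).
    if { ![HTTP::header exists Origin] } {
        return
    }

    set origin [string tolower [HTTP::header value Origin]]

    # An Origin value is scheme://host[:port]. Capture the host only, so the
    # comparison ignores scheme and port and cannot be satisfied by text
    # elsewhere in the header.
    set host ""
    if { ![regexp {^https?://([a-z0-9.-]+)(?::[0-9]+)?$} $origin -> host] } {
        # Malformed, "null", or otherwise unexpected Origin value
        HTTP::respond 403
        return
    }

    # Exact match against the data group. "equals" avoids the loose matching
    # of "contains" or a "*mydomain1.com" glob, which also accept any host
    # that merely contains or ends with that text.
    if { [class match $host equals origin_allow_dg] } {
        pool poolname
    } else {
        HTTP::respond 403
    }
}
```

To allow every subdomain as well, a data group entry with a leading dot (such as .mydomain1.com) checked with ends_with keeps the match anchored on a label boundary.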