Forum Discussion

Dave_22402's avatar
Dave_22402
Icon for Nimbostratus rankNimbostratus
Mar 16, 2010

irule based on ip and url

I am trying to construct an Irule that first checks for a url and then allows access based on IP.

 

 

Example -

 

 

if the url is "/foo/*" and IP = 123.123.123.123

 

then go to this pool, if not go to bad pool and deny access or drop.
application delivery
dev
devops
iRules
  • Dave_22402's avatar
    Dave_22402
    Icon for Nimbostratus rankNimbostratus
    Mar 16, 2010
    also there may be 15 or so ip addresses and possibly networks involved.
  • Dave_22402's avatar
    Dave_22402
    Icon for Nimbostratus rankNimbostratus
    Mar 16, 2010
    when HTTP_REQUEST {

     

    switch [HTTP::host] {

     

    "123.123.123.123" {

     

    switch -glob [string tolower [HTTP::uri]] {

     

    "/foo/*" { pool good_pool}

     

    "*" { pool other_good_pool}

     

    }

     

    }

     

    "*" {

     

    switch -glob [string tolower [HTTP::uri]] {

     

    "/foo/*" { pool bad_pool}

     

    "*" { pool other_good_pool}

     

    }

     

    }

     

    }

     

    }
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Mar 16, 2010
    Which do you want, to send to bad pool, or discard? I think what you want is: 

      
  when HTTP_REQUEST {  
    if { ([string tolower [HTTP::uri]] starts_with "/foo/") && [matchclass [IP::client_addr] equals allowed_IPs] } {  
  pool good_pool  
    } else {  
    discard  
    }  
  }

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Mar 17, 2010
    Keep in mind that an attacker could probably bypass this iRule validation very simply using URL obfuscation techniques like:

     

     

    /not_foo/../foo/

     

    //foo/

     

     

    See this post for more examples:

     

     

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3090031324

     

     

    Aaron
  • Austin_Geraci's avatar
    Austin_Geraci
    Icon for MVP rankMVP
    Mar 17, 2010
    Ahh indeed...

     

     

    So it looks like you can stop most of the URL obfuscations... but not all with IP restrict lists?
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Mar 17, 2010
    The attacker would have to come from the specified range of ip's, though. And yes, you'd need to create the "allowed_IPs" datagroup. Sorry for leaving that detail out.
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Mar 17, 2010
    If an attacker bypasses the URI check then it wouldn't matter which IP address they make the request from as it's a logical AND in the iRule.

     

     

    Aaron
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Mar 17, 2010
    Using //foo/ and /foo/../not_foo from curl, first doesn't work at all, second only works when my IP address is out of range, as I'd expect. I guess I'm a little dense in not understanding. How would the URI check be bypassed? The conditional is expecting a string, it matches or it doesn't. If it does, then the IP address also has to match. If it doesn't, it doesn't matter what the IP is, the rule moves on to the else statements.
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Mar 17, 2010
    Some of the URL obfuscation techniques only work on IIS. For example, this request does work on microsoft.com to make a request for /en/us/default.asp:

     

     

    curl -v www.microsoft.com/doesnt_exist/../en/us/default.asp

     

     

    Google's web server (apache-based?) does not normalize a request like this from /doesnt_exist/.. to /

     

     

    curl -v www.google.co.uk/doesnt_exist/..

     

     

    But you should be able to use percent encoding and other methods for Apache.

     

     

    If the URI check doesn't match, then the IP won't be checked for the request as the two checks are being AND'd.

     

     

    Aaron