Forum Discussion
Dave_22402
Nimbostratus
Mar 16, 2010
iRule based on IP and URL
I am trying to construct an iRule that first checks for a URL and then allows access based on IP.
Example -
if the url is "/foo/*" and IP = 123.123.123.123
then go to this pool, if not go to bad pool and deny access or drop.
13 Replies
- Dave_22402
Nimbostratus
Also there may be 15 or so IP addresses and possibly networks involved.
- Dave_22402
Nimbostratus
```tcl
when HTTP_REQUEST {
    # Branch on the client's source address; the Host header would not
    # identify the client, so IP::client_addr is the value to test.
    switch [IP::client_addr] {
        "123.123.123.123" {
            # Allowed client: /foo/ goes to the restricted pool, everything else to the general pool.
            switch -glob [string tolower [HTTP::uri]] {
                "/foo/*" { pool good_pool }
                "*" { pool other_good_pool }
            }
        }
        default {
            # Any other client: /foo/ is diverted to the bad pool.
            # (A plain switch matches exactly, so "*" needs -glob or the default branch.)
            switch -glob [string tolower [HTTP::uri]] {
                "/foo/*" { pool bad_pool }
                "*" { pool other_good_pool }
            }
        }
    }
}
```
- Dave_22402
Nimbostratus
This is on LTM 9.4.5.
- JRahm
Admin
Which do you want, to send to bad pool, or discard? I think what you want is:
```tcl
when HTTP_REQUEST {
    # Route only when BOTH hold: the URI is under /foo/ AND the client address
    # is in the allowed_IPs datagroup; otherwise drop the connection.
    # (On LTM 9.x the datagroup is referenced as $::allowed_IPs.)
    if { ([string tolower [HTTP::uri]] starts_with "/foo/") && [matchclass [IP::client_addr] equals allowed_IPs] } {
        pool good_pool
    } else {
        discard
    }
}
```
- hoolio
Cirrostratus
Keep in mind that an attacker could probably bypass this iRule validation very simply using URL obfuscation techniques like:
/not_foo/../foo/
//foo/
See this post for more examples:
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3090031324
Aaron
- Ahh indeed...
So it looks like you can stop most of the URL obfuscations... but not all with IP restrict lists?
- JRahm
Admin
The attacker would have to come from the specified range of IPs, though. And yes, you'd need to create the "allowed_IPs" datagroup. Sorry for leaving that detail out.
- hoolio
Cirrostratus
If an attacker bypasses the URI check then it wouldn't matter which IP address they make the request from as it's a logical AND in the iRule.
Aaron
- JRahm
Admin
Using //foo/ and /foo/../not_foo from curl, the first doesn't work at all, the second only works when my IP address is out of range, as I'd expect. I guess I'm a little dense in not understanding. How would the URI check be bypassed? The conditional is expecting a string; it matches or it doesn't. If it does, then the IP address also has to match. If it doesn't, it doesn't matter what the IP is, the rule moves on to the else statement.
- hoolio
Cirrostratus
Some of the URL obfuscation techniques only work on IIS. For example, this request does work on microsoft.com to make a request for /en/us/default.asp:
curl -v www.microsoft.com/doesnt_exist/../en/us/default.asp
Google's web server (apache-based?) does not normalize a request like this from /doesnt_exist/.. to /
curl -v www.google.co.uk/doesnt_exist/..
But you should be able to use percent encoding and other methods for Apache.
If the URI check doesn't match, then the IP won't be checked for the request as the two checks are being AND'd.
Aaron
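The normalization gap the last few replies circle around, shown as an added Python example (not code from the thread, from F5, or from any of the posters): the iRule's raw prefix test on the URI as received is placed beside a test on a canonicalized path, and both are combined with the same AND against an IP allow list. The allow list (a host plus a network, since the original poster mentioned both), the sample URIs and the normalization rules (drop query, percent-decode, collapse repeated slashes, resolve dot segments) are constructed assumptions standing in for the `allowed_IPs` datagroup and for whatever a particular backend actually does. The point it makes visible: the raw test classifies `/not_foo/../foo/` as outside `/foo/`, which is harmless when the else branch is `discard`, but not when the else branch forwards to another pool whose servers normalize the path to `/foo/` before serving it, as in the original three-pool design.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed allow list standing in for the thread's "allowed_IPs" datagroup:
# one individual host plus one whole network.
ALLOWED_IPS = [ipaddress.ip_network(n) for n in ("123.123.123.123/32", "10.20.0.0/16")]


def client_allowed(client_ip):
    """Equivalent of 'matchclass [IP::client_addr] equals allowed_IPs'."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_IPS)


def raw_is_foo(uri):
    """The iRule's test as written: lowercase the URI as received, then starts_with '/foo/'."""
    return uri.lower().startswith("/foo/")


def normalize_path(uri):
    """Canonicalize the way a tolerant origin server might before routing (assumed rules):
    drop the query string, percent-decode, collapse repeated slashes and resolve
    '.' and '..' segments. Leading '..' segments cannot climb above '/'."""
    path = unquote(uri.split("?", 1)[0])
    # Force a single leading '/' so POSIX's special-cased '//' prefix does not survive normpath.
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def normalized_is_foo(uri):
    """Same prefix test, but applied to the canonical path rather than the raw bytes."""
    p = normalize_path(uri)
    return p == "/foo" or p.startswith("/foo/")


def route(uri, client_ip, classify=raw_is_foo):
    """JRahm's decision: under /foo/ AND allowed client -> good_pool, otherwise discard."""
    if classify(uri) and client_allowed(client_ip):
        return "good_pool"
    return "discard"


def disagreements(uris):
    """URIs that the raw prefix test and the normalized test classify differently."""
    return [u for u in uris if raw_is_foo(u) != normalized_is_foo(u)]


# Constructed sample request URIs, including the two obfuscations named in the thread.
SAMPLE_URIS = [
    "/foo/index.html",
    "/FOO/x",
    "/bar/",
    "/not_foo/../foo/",
    "//foo/",
    "/%66oo/",
    "/foo/../bar/",
]

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(f"{u:20} raw={raw_is_foo(u)!s:5} normalized={normalized_is_foo(u)!s:5} "
              f"-> {normalize_path(u)}")
    print("disagreements:", disagreements(SAMPLE_URIS))
    print(route("/not_foo/../foo/", "123.123.123.123"))
    print(route("/not_foo/../foo/", "123.123.123.123", normalized_is_foo))
```

Running the canonical test before the prefix comparison (or, equivalently, discarding everything the raw test rejects, as JRahm's rule does) removes the disagreement set; the last sample shows the mirror-image case, where a raw match for `/foo/../bar/` would admit an allowed client to `good_pool` for a path that is really `/bar/`.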