Forum Discussion

Aziz-90s's avatar
Aziz-90s
Icon for Altocumulus rankAltocumulus
Dec 05, 2022

irule block uri for external users when url has special characters such as $

Hi all

I've tried an irule on VIP for the website example to block the uri for external users only example /_api/$metadata I need to block this path /_api/$metadata 

so what I tried is 

When HTTP_REQUEST {

    if { [HTTP::host] equals"example"} {

       if {[string tolower [HTTP::uri]] starts_with "/_api/$metadata" }{

   if {  not ([class match [IP::remote_addr]  equals private_net]) }{

# reject

    }

} 

}

Noting a couple of things 

1/ when I applied it the web went down even though the REJECT is written as a comment in the irule 

2/ there are two policies a WAF policy & redirect policy applied to VIP so I thought it might be the reason, I removed the policies  and tried irule same results web went down even when reject is a comment 

besides I really wants to use irule, i red that we can use policy but never tried. I'd love to know my mistakes in irule 

can anyone tell me what i missed and if could explain why

thanks

 

application delivery
security
  • AlexBCT's avatar
    AlexBCT
    Dec 05, 2022

    Hi Aziz, 

    Two things that I noticed in the iRule; 

    1. there is no space between equals"example"} - although I suspect this is just an edit error for the question here, I thought I'd mention it, just in case... 😉 

    2. "/_api/$metadata" - are you referring an iRule variable or is this part of the actual URI? If it is a variable, where is it exactly declared? If part of the URI, the iRule will probably think it's a variable and interpret as such. To avoid this behaviour, try putting a backslash in front of it to clearly tell the iRule to take is as its literal value. ( "/_api/\$metadata" ) 

    If the above two things didn't help, did you see any messages in the ltm log? (/var/log/ltm) and what is the behaviour when connecting from inside a private net or outside? Lastly, any chance of any proxies in between that are always hiding behind an outside address? 

    Regarding Local Traffic Policies; yes, they are brilliant and often a great replacement for basic iRules (...but iRules are still awesome!). I think your example might indeed be a good one for an LTP. Have a look here: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/local-traffic-policies-getting-started-12-1-0/1.html but also just give it a go in the F5 GUI and you'll be able to figure it out quickly. (go to Local Traffic - Policies - Create new policy)

    Hope one of these tips helps. 

    Alex 

  • Aziz-90s's avatar
    Aziz-90s
    Dec 05, 2022

    Hi Alex

    Thanks for replying 

     The /_api/$metadata is part of uri,

    also I forgot to mention that I did a little research about special characters in uri

    and it turns out that we could somehow avoid or resolve this issue by using a syntax Set_encode something like that 

    have u hear any thing like this.

    I'll try ur suggestions & reply back

    much appreciated 

  • AlexBCT's avatar
    AlexBCT
    Icon for Cumulonimbus rankCumulonimbus
    Dec 05, 2022

    Hi Aziz, 

    Two things that I noticed in the iRule; 

    1. there is no space between equals"example"} - although I suspect this is just an edit error for the question here, I thought I'd mention it, just in case... 😉 

    2. "/_api/$metadata" - are you referring an iRule variable or is this part of the actual URI? If it is a variable, where is it exactly declared? If part of the URI, the iRule will probably think it's a variable and interpret as such. To avoid this behaviour, try putting a backslash in front of it to clearly tell the iRule to take is as its literal value. ( "/_api/\$metadata" ) 

    If the above two things didn't help, did you see any messages in the ltm log? (/var/log/ltm) and what is the behaviour when connecting from inside a private net or outside? Lastly, any chance of any proxies in between that are always hiding behind an outside address? 

    Regarding Local Traffic Policies; yes, they are brilliant and often a great replacement for basic iRules (...but iRules are still awesome!). I think your example might indeed be a good one for an LTP. Have a look here: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/local-traffic-policies-getting-started-12-1-0/1.html but also just give it a go in the F5 GUI and you'll be able to figure it out quickly. (go to Local Traffic - Policies - Create new policy)

    Hope one of these tips helps. 

    Alex 

    • Aziz-90s's avatar
      Aziz-90s
      Icon for Altocumulus rankAltocumulus
      Dec 05, 2022

      Hi Alex

      Thanks for replying 

       The /_api/$metadata is part of uri,

      also I forgot to mention that I did a little research about special characters in uri

      and it turns out that we could somehow avoid or resolve this issue by using a syntax Set_encode something like that 

      have u hear any thing like this.

      I'll try ur suggestions & reply back

      much appreciated 

      • PeteWhite's avatar
        PeteWhite
        Icon for Employee rankEmployee
        Dec 06, 2022
         if {[string tolower [HTTP::uri]] starts_with {/_api/$metadata} }{