irule block uri for external users when url has special characters such as $
Hi all
I've tried an irule on VIP for the website example to block the uri for external users only example /_api/$metadata I need to block this path /_api/$metadata
so what I tried is
When HTTP_REQUEST {
if { [HTTP::host] equals"example"} {
if {[string tolower [HTTP::uri]] starts_with "/_api/$metadata" }{
if { not ([class match [IP::remote_addr] equals private_net]) }{
# reject
}
}
}
Noting a couple of things
1/ when I applied it the web went down even though the REJECT is written as a comment in the irule
2/ there are two policies a WAF policy & redirect policy applied to VIP so I thought it might be the reason, I removed the policies and tried irule same results web went down even when reject is a comment
besides I really wants to use irule, i red that we can use policy but never tried. I'd love to know my mistakes in irule
can anyone tell me what i missed and if could explain why
thanks
Hi Aziz,
Two things that I noticed in the iRule;
1. there is no space between equals"example"} - although I suspect this is just an edit error for the question here, I thought I'd mention it, just in case... đ
2. "/_api/$metadata" - are you referring an iRule variable or is this part of the actual URI? If it is a variable, where is it exactly declared? If part of the URI, the iRule will probably think it's a variable and interpret as such. To avoid this behaviour, try putting a backslash in front of it to clearly tell the iRule to take is as its literal value. ( "/_api/\$metadata" )
If the above two things didn't help, did you see any messages in the ltm log? (/var/log/ltm) and what is the behaviour when connecting from inside a private net or outside? Lastly, any chance of any proxies in between that are always hiding behind an outside address?
Regarding Local Traffic Policies; yes, they are brilliant and often a great replacement for basic iRules (...but iRules are still awesome!). I think your example might indeed be a good one for an LTP. Have a look here: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/local-traffic-policies-getting-started-12-1-0/1.html but also just give it a go in the F5 GUI and you'll be able to figure it out quickly. (go to Local Traffic - Policies - Create new policy)
Hope one of these tips helps.
Alex
Hi Alex
Thanks for replying
The /_api/$metadata is part of uri,
also I forgot to mention that I did a little research about special characters in uri
and it turns out that we could somehow avoid or resolve this issue by using a syntax Set_encode something like that
have u hear any thing like this.
I'll try ur suggestions & reply back
much appreciated