Forum Discussion
izac_189977
Nimbostratus
Mar 11, 2015
iRule catches /
Hi all,
I'm trying to achieve the following
If a client requests a uri that is listed in the data group denied_uris
and the client ip is not from data group trusted_net
send a 403
Here is my...
nitass
Employee
Mar 11, 2015
if { ![class match [string tolower [HTTP::uri]] equals denied_uris] } {
is not (!) here correct?
shouldn't it be something like this?
configuration
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 12
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when HTTP_REQUEST {
        if { [class match [string tolower [HTTP::uri]] starts_with denied_uris] } {
            if { not ([class match [IP::client_addr] equals private_net]) } {
                HTTP::respond 403 content "URL Blocked"
                return
            }
        }
    }
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal denied_uris
ltm data-group internal denied_uris {
    records {
        /manager { }
    }
    type string
}
test
[root@ve11c:Active:In Sync] config curl -I http://172.28.24.10/
HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 14:47:24 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sun, 09 Feb 2014 08:39:51 GMT
ETag: "41879c-59-2a9c23c0"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8
[root@ve11c:Active:In Sync] config curl -I http://172.28.24.10/manager/something
HTTP/1.0 403 Forbidden
Server: BigIP
Connection: Keep-Alive
Content-Length: 11
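An added example, not part of the original posts: a Python model of the two outer conditions discussed in the reply, showing why the negated `equals` test quoted from the question returns 403 for `/` while rule qux does not. Only the denied_uris record comes from the page; the contents of private_net, the client addresses, the helper names, and the choice to apply the same inner client check to both rules are assumptions.

```python
import ipaddress

# denied_uris is the data group listed on the page. The contents of private_net
# are not shown there, so this single network is a constructed assumption.
DENIED_URIS = ["/manager"]
PRIVATE_NET = [ipaddress.ip_network("10.0.0.0/8")]

def class_match(value, operator, records):
    """Model of `class match <value> <operator> <string data group>`."""
    if operator == "equals":
        return value in records
    if operator == "starts_with":
        return any(value.startswith(r) for r in records)
    raise ValueError(f"unsupported operator: {operator}")

def client_in(addr, networks):
    """Model of `class match [IP::client_addr] equals <address data group>`."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def status(uri_is_denied, client_addr):
    """Inner check from rule qux: 403 unless the client is in private_net."""
    if uri_is_denied and not client_in(client_addr, PRIVATE_NET):
        return 403
    return 200

def rule_as_quoted(uri, client_addr):
    # Outer condition quoted from the question: negated, with `equals`.
    return status(not class_match(uri.lower(), "equals", DENIED_URIS), client_addr)

def rule_as_answered(uri, client_addr):
    # Outer condition from rule qux: no negation, `starts_with`.
    return status(class_match(uri.lower(), "starts_with", DENIED_URIS), client_addr)

def decision_table():
    """(uri, client) -> (quoted rule, answered rule); inputs are constructed."""
    uris = ["/", "/manager", "/Manager/something?x=1"]
    clients = ["10.1.2.3", "203.0.113.7"]
    return {(u, c): (rule_as_quoted(u, c), rule_as_answered(u, c))
            for u in uris for c in clients}

if __name__ == "__main__":
    for (uri, client), (quoted, answered) in decision_table().items():
        print(f"{uri:26} {client:13} quoted={quoted} answered={answered}")
```

Because `starts_with` is a plain prefix match, the `/manager` record also matches longer paths such as `/managers`.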