Forum Discussion
IRule for Exact resource access rejection
Hello NetWork.
Yes, it's feasible. Try this:
when HTTP_REQUEST {
set uri [getfield [HTTP::uri] "?" 2]
if { $uri ends_with "/mrj/home/srt/portal/prtroot/com.dev.net.sendemail" } { reject }
}
Regards,
Dario.
- NetWork, Oct 22, 2020, Nimbostratus
Hi Dario,
Thanks a lot for your response!
Below is our existing and working iRule:
when HTTP_REQUEST {
    if { [HTTP::uri] == "/" } {
        HTTP::redirect "http://[HTTP::host]/mrj"
    } elseif { [string tolower [HTTP::uri]] starts_with "/mrj" or [string tolower [HTTP::uri]] starts_with "/web" or [string tolower [HTTP::uri]] starts_with "/htmlb" } {
        pool pool-A
    } elseif { [string tolower [HTTP::uri]] starts_with "/abc" } {
        pool pool-B
    } elseif { [string tolower [HTTP::uri]] starts_with "/" } {
        reject
    }
}
If we modify it as below, will it work?
when HTTP_REQUEST {
    set uri [getfield [HTTP::uri] "?" 2]
    if { [HTTP::uri] == "/" } {
        HTTP::redirect "http://[HTTP::host]/mrj"
    } elseif { $uri ends_with "/mrj/home/srt/portal/prtroot/com.dev.net.sendemail" } {
        reject
    } elseif { [string tolower [HTTP::uri]] starts_with "/mrj" or [string tolower [HTTP::uri]] starts_with "/web" or [string tolower [HTTP::uri]] starts_with "/htmlb" } {
        pool pool-A
    } elseif { [string tolower [HTTP::uri]] starts_with "/abc" } {
        pool pool-B
    } elseif { [string tolower [HTTP::uri]] starts_with "/" } {
        reject
    }
}
Also, can you please help us understand why we need to put "2" in set uri [getfield [HTTP::uri] "?" 2]?
And in case we want to reject anything after sendemail, i.e. /mrj/home/srt/portal/prtroot/com.dev.net.sendemail*, how can that be achieved?
- Oct 22, 2020
Hello NetWork.
Actually the previous sentence has a mistake. It should be like this.
set uri [getfield [HTTP::uri] "?" 1]
This is used to remove the query parameter of the URI. For example, if you receive something like this:
/mrj/home/srt/portal/prtroot/com.dev.net.sendemail?myuser=john
Taking into account that you need to reject any URI related with
/mrj/home/srt/portal/prtroot/com.dev.net.sendemail*
Then you should use "starts_with" instead of "ends_with", and the sentence before would not be necessary.
Your iRule should be like this:
when HTTP_REQUEST {
    if { [HTTP::uri] == "/" } {
        HTTP::redirect "http://[HTTP::host]/mrj"
    } elseif { [string tolower [HTTP::uri]] starts_with "/mrj/home/srt/portal/prtroot/com.dev.net.sendemail" } {
        reject
    } elseif { [string tolower [HTTP::uri]] starts_with "/mrj" or [string tolower [HTTP::uri]] starts_with "/web" or [string tolower [HTTP::uri]] starts_with "/htmlb" } {
        pool pool-A
    } elseif { [string tolower [HTTP::uri]] starts_with "/abc" } {
        pool pool-B
    } elseif { [string tolower [HTTP::uri]] starts_with "/" } {
        reject
    }
}
Please, if this was helpful don't forget to mark my answer as 'the best' to help me for the contribution.
Regards,
Dario.
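
Added example, not part of the thread and not F5 code: a plain-Tcl script (runs under tclsh) that evaluates the three match conditions posted in this thread against constructed URIs, to show what each one actually rejects. The iRule-only getfield, starts_with and ends_with are emulated here with ordinary procs, which is an assumption about their behaviour; the variant_* names are hypothetical.

```tcl
# Plain-Tcl stand-ins for iRule-only helpers (assumed behaviour, not F5 code).
# getfield: 1-based field of str split on a single-character delimiter.
proc getfield {str delim idx} {
    return [lindex [split $str $delim] [expr {$idx - 1}]]
}
proc starts_with {s prefix} { return [expr {[string first $prefix $s] == 0}] }
proc ends_with {s suffix} {
    set at [expr {[string length $s] - [string length $suffix]}]
    return [expr {$at >= 0 && [string range $s $at end] eq $suffix}]
}

set blocked "/mrj/home/srt/portal/prtroot/com.dev.net.sendemail"

# Variant A: first reply, field 2 (the query string) + ends_with.
proc variant_a {uri} {
    global blocked
    return [ends_with [getfield $uri "?" 2] $blocked]
}
# Variant B: corrected index, field 1 (the path) + ends_with, case-sensitive.
proc variant_b {uri} {
    global blocked
    return [ends_with [getfield $uri "?" 1] $blocked]
}
# Variant C: final rule, lowercased full URI + starts_with.
proc variant_c {uri} {
    global blocked
    return [starts_with [string tolower $uri] $blocked]
}

# Constructed sample requests (not taken from real traffic).
set samples {
    /mrj/home/srt/portal/prtroot/com.dev.net.sendemail
    /mrj/home/srt/portal/prtroot/com.dev.net.sendemail?myuser=john
    /mrj/home/srt/portal/prtroot/com.dev.net.sendemail/extra
    /MRJ/home/srt/portal/prtroot/com.dev.net.SendEmail?myuser=john
    /mrj/home
}

# 1 = request would be rejected by that variant, 0 = it falls through.
puts [format "%-3s %-3s %-3s %s" A B C uri]
foreach uri $samples {
    puts [format "%-3s %-3s %-3s %s" \
        [variant_a $uri] [variant_b $uri] [variant_c $uri] $uri]
}
```

Any row where a variant prints 0 for a sendemail URI is a request that would fall through to the later "/mrj" branch and be sent to pool-A instead of being rejected.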