Forum Discussion
jondyke_46152
Nimbostratus
NimbostratusIrule for restriciting URL paths unsecure
I currenlty use an irule that I use to restrict traffic to certain paths:-
when HTTP_REQUEST {
if {([matchclass [HTTP::uri] starts_with $::securePaths]) and not ([ma...
hoolio
Cirrostratus
CirrostratusIf you add the datagroup items in lower case, you can set the request to lower case before using matchclass to test the URI. Also, it would be more efficient to use HTTP::path versus HTTP::uri assuming you're not looking for the query string in the URI.
when HTTP_REQUEST {
if {[matchclass [string tolower [HTTP::path]]...
If you're doing this for security, you might want to consider the different ways malicious users could try to obfuscate the path. The simplest way to bypass your logic might be to prepend an extra forward slash. I think most versions of IIS will accept this. For example this request to MS's main page works: http://www.microsoft.com//////////en/us/default.aspx. There are quite a few different encoding methods that would also be parsed as valid requests by the web server.
Hopefully you're performing authentication/authorization on the application as well.
Aaron
