Forum Discussion
jokragly
Nimbostratus
Nov 03, 2010
iRule for URI ACL
Good afternoon. We are getting desperate trying to find a solution to allow specific URIs and deny all other traffic.
Basically what we are after is to allow access to 5 specific directories and the things within those directories but if someone tries to go to a URI that is not allowed then they get a denied message from the F5 with the URI path that is denied.
mycompany.com/Login/*
mycompany.com/Dealer/*
mycompany.com/Image/*
mycompany.com/User/*
mycompany.com/Help/*
Should this be done in an iRule? If so, how? Is it possible to do this as an HTTP class or data group with match only? I can list the URI strings in an HTTP class and assign that class to the Virtual Server, but an invalid page response is coming from the web server, not the F5 deny, because it doesn't match our allowed paths in the HTTP class we created.
Any and all help would be greatly appreciated.
Thanks,
Jeff
18 Replies
- L4L7_53191
Nimbostratus
Jeff: This should be a clean and easy problem to solve. I'd go with a datagroup here, as it'll be a bit cleaner to manage as you add/remove URIs. I'm not able to give you examples or links (on a plane, shutting down my laptop!), but do a search or two on URI switching/acls using datagroups and you'll be off to a good start.
-Matt
- George_Watkins_Historic
F5 Account
Hi Jeff,
Something like this might do the trick:
rule mycompany_url_acl {
    when HTTP_REQUEST {
        if { ![matchclass [HTTP::path] starts_with $::mycompany_allowed_urls] } {
            HTTP::redirect http://mycompany.com/sorry_url.html
        }
    }
}
You'll also need a datagroup called "mycompany_allowed_urls". This is what it looks like in my bigip.conf:
class mycompany_allowed_urls {
    { "/Dealer/" "/Help/" "/Image/" "/Login/" "/User/" }
}
Hope this helps,
George
- George_Watkins_Historic
F5 Account
One note: I used matchclass (http://devcentral.f5.com/Wiki/default.aspx/iRules.matchclass) here, which has been deprecated in favor of the class command (http://devcentral.f5.com/Wiki/default.aspx/iRules.class) in version 10. The equivalent code using the class command would look like this:
when HTTP_REQUEST {
    if { ![class match [HTTP::path] starts_with $::mycompany_allowed_urls] } {
        HTTP::redirect http://mycompany.com/sorry_url.html
    }
}
-George
- jokragly
Nimbostratus
Good morning George, thanks for the reply. I have attempted your solution but it doesn't seem to work. I created a datagroup "blue" with the strings as
"/Dealer/"
"/Help/"
"/Image/"
"/Login/"
"/User/"
I am new to this but is a value required when adding these strings to the group?
The iRule I used is this
when HTTP_REQUEST {
    if { ![class match [HTTPS::path] starts_with $::blue] } {
        HTTP::redirect http://www.google.com/
    }
}
When I go to https://mycompany.com/test it should direct to google.com but just gives a page cannot be found page from the webserver.
Also this is a 443 request as we have a redirect iRule for the 80 traffic to be routed to 443.
Thanks for the help and I look forward to a response.
- Chris_Miller
Altostratus
Are you terminating the SSL connection on your F5?
I'd do this, assuming you're terminating the SSL and can see the request in cleartext.
when HTTP_REQUEST {
    if { ![class match [HTTP::uri] starts_with blue] } {
        HTTP::redirect "http://www.google.com/"
    }
}
- jokragly
Nimbostratus
Chris, yes we are terminating the SSL connection on the F5.
I am getting closer. It is definitely reading the iRule, but I am not so sure it is triggering the data group; the default landing page is in the data group but the page continues to redirect.
Landing page: I have this exact string added to the blue data group with no luck; it still redirects.
https://mycompany.com/
- George_Watkins_Historic
F5 Account
Hi jokragly,
What version of LTM are you running? Did you add the datagroup to your config?
-George
- jokragly
Nimbostratus
We ended up opening a support case with F5 and here is the iRule and data group syntax that we had to use.
when HTTP_REQUEST {
    log local0. "path is [HTTP::path]"
    # Walk every entry of the blue_ACL datagroup in turn
    set search_id [class startsearch blue_ACL]
    while { [class anymore blue_ACL $search_id] } {
        # nextelement returns a list with two elements (for a string class, we just care about the first element)
        set elem [class nextelement blue_ACL $search_id]
        set elem [lindex $elem 0]
        log local0. "elem is $elem"
        # Each datagroup entry is a regex; the first hit allows the request through
        if { [string tolower [HTTP::path]] matches_regex $elem } {
            log local0. "$elem matched !"
            return
        }
    }
    # No entry matched: answer from the BIG-IP instead of sending the request to the pool
    HTTP::respond 200 content "PERMISSION DENIED TO: [HTTP::uri]"
}
The trick is that your datagroup (blue_ACL) strings need to be entered using regex notation. You will need to start each string with a "^", and for the / path (root) you need to enter "^/$".
^/$ (the $ means "end of string")
^/Dealer
^/Help
^/Image
^/Login
^/User
You also need to enter all the strings in lower case because of the "string tolower" command; if they are upper case they won't match.
I appreciate everyone's help, but I just wanted to update the forum with what worked for us.
- George_Watkins_Historic
F5 Account
Glad to hear you got it working. Thanks for posting your solution.
Cheers,
-George
- hoolio
Cirrostratus
That could be horribly inefficient: looping through a datagroup and running a regex operation on each element. I'd go back to George and Chris' examples using a datagroup and the iRule which uses starts_with. Make sure to remove the $:: prefix from the datagroup name in the iRule, as that won't work in 10.x.
class mycompany_allowed_urls {
    { "/dealer/" "/help/" "/image/" "/login/" "/user/" }
}
when HTTP_REQUEST {
    # Datagroup name is referenced without the $:: prefix in 10.x
    if { ![class match [string tolower [HTTP::uri]] starts_with mycompany_allowed_urls] } {
        HTTP::redirect "http://www.google.com/"
    }
}
I'm not sure whether the web app is case sensitive or not, so I set the URI and the datagroup entries to lower case.
Aaron
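A worked comparison of the two allow-list styles discussed in this thread (hoolio's starts_with datagroup and the regex loop from the support case), added here as an example; it is not code from any of the posters or from F5. It models HTTP::path, the string tolower step and the datagroup contents in Python so the verdicts can be checked offline. The request paths are constructed, not captured traffic, and the allowed_hardened variant is an addition that assumes the back-end web server percent-decodes the path once and resolves ".." segments before serving the file.

```python
import posixpath
import re
from urllib.parse import unquote

# Datagroup "blue" as hoolio recommends it: lower-case directory prefixes with
# a trailing slash, checked with [string tolower [HTTP::path]] starts_with.
PREFIX_ALLOWLIST = ("/dealer/", "/help/", "/image/", "/login/", "/user/")

# Datagroup "blue_ACL" from the support-case post, checked with matches_regex
# after [string tolower [HTTP::path]]. Note the entries have no trailing slash.
REGEX_ALLOWLIST = tuple(re.compile(p) for p in
                        (r"^/$", r"^/dealer", r"^/help", r"^/image", r"^/login", r"^/user"))


def http_path(uri):
    """Model HTTP::path: the request URI without its query string."""
    return uri.split("?", 1)[0]


def allowed_by_prefix(uri):
    """The 'class match ... starts_with' iRule, modelled in Python."""
    path = http_path(uri).lower()
    return any(path.startswith(prefix) for prefix in PREFIX_ALLOWLIST)


def allowed_by_regex(uri):
    """The support-case iRule: walk the datagroup, allow on the first regex hit."""
    path = http_path(uri).lower()
    return any(pattern.search(path) for pattern in REGEX_ALLOWLIST)


def allowed_hardened(uri):
    """Added variant, not from the thread: decode, collapse dot segments, then
    prefix-match. Assumes the back end percent-decodes once and resolves '..',
    so the check runs on the path the server will actually serve. The root and
    the bare directory name (e.g. /login) are allowed alongside /login/...."""
    path = posixpath.normpath(unquote(http_path(uri)).lower())
    if path == "/":
        return True
    return any(path == p.rstrip("/") or path.startswith(p) for p in PREFIX_ALLOWLIST)


# Constructed requests for the comparison, not captured traffic.
SAMPLE_REQUESTS = (
    "/Login/",
    "/Login/index.aspx?user=jeff",
    "/",                     # default landing page, the case jokragly hit
    "/DealerAdmin/",         # not one of the five directories
    "/Login/../Admin/",      # prefix is /login/, but the server resolves it to /Admin/
    "/Login/%2e%2e/Admin/",  # the same, percent-encoded
    "/test",
)


def evaluate(requests=SAMPLE_REQUESTS):
    """Return {request: (prefix_verdict, regex_verdict, hardened_verdict)}."""
    return {r: (allowed_by_prefix(r), allowed_by_regex(r), allowed_hardened(r))
            for r in requests}


if __name__ == "__main__":
    print(f"{'request':24} {'starts_with':>11} {'regex':>6} {'hardened':>9}")
    for req, (sw, rx, hd) in evaluate().items():
        print(f"{req:24} {str(sw):>11} {str(rx):>6} {str(hd):>9}")
```

Running it shows three things a practitioner would want to know before deploying either iRule: with trailing-slash prefixes the bare root "/" is denied, which is why the landing page kept redirecting until "^/$" was added; the support-case patterns such as "^/dealer" have no trailing slash, so "/DealerAdmin/" is allowed; and both checks allow "/Login/../Admin/" and its percent-encoded form because they compare the raw path, not the one the server resolves. Checking the decoded, normalized path closes that gap while still allowing the five directories.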