For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jokragly's avatar
jokragly
Icon for Nimbostratus rankNimbostratus
Nov 03, 2010

iRule for URI ACL

Good afternoon. We are getting desperate trying to find a solution to allow specific URIs and deny all other traffic.     Basically what we are after is to allow access to 5 specific directorie...
application delivery
dev
devops
iRules
jokragly's avatar
jokragly
Icon for Nimbostratus rankNimbostratus
Nov 05, 2010
We ended up opening a support case with F5 and here is the iRule and data group syntax that we had to use.

 

 

when HTTP_REQUEST {

 

log local0. "path is [HTTP::path]"

 

set search_id [class startsearch blue_ACL]

 

while { [class anymore blue_ACL $search_id] } {

 

nextelement returns an array with two elements (for a string class, we just care about the first element)

 

set elem [class nextelement blue_ACL $search_id]

 

set elem [lindex $elem 0]

 

log local0. "elem is $elem"

 

if { [string tolower [HTTP::path]] matches_regex $elem } {

 

log local0. "$elem matched !"

 

return

 

}

 

}

 

 

HTTP::respond 200 content "PERMISSION DENIED TO: [HTTP::uri]"

 

}

 

 

The trick is that your datagroup (blue_ACL) strings need to be entered using REGEX notation. ( You will need to start each string with a "^" and for the / path (root), you need to enter "^/$".

 

^/$ (the $ means "end of string")

 

^/Dealer

 

^/Help

 

^/Image

 

^/Login

 

^/User

 

 

You also need to enter all the strings in lower case because of the " tolower" command, if they are upper case they won't match.

 

 

I appreciate everyones help but I just wanted to update the forum with what worked for us.