Forum Discussion
jokragly
Nimbostratus
Nov 03, 2010
iRule for URI ACL
Good afternoon. We are getting desperate trying to find a solution to allow specific URIs and deny all other traffic.
Basically what we are after is to allow access to 5 specific directories and the things within those directories but if someone tries to go to a URI that is not allowed then they get a denied message from the F5 with the URI path that is denied.
mycompany.com/Login/*
mycompany.com/Dealer/*
mycompany.com/Image/*
mycompany.com/User/*
mycompany.com/Help/*
Should this be done in an iRule? If so, how? Is it possible to do this as an HTTP class or data group with match only? I can list the URI strings in an HTTP class and assign that class to the Virtual Server, but an invalid page response is coming from the web server, not the F5 deny, because it doesn't match our allowed paths in the HTTP class we created.
Any and all help would be greatly appreciated.
Thanks,
Jeff
18 Replies
hoolio
Cirrostratus
Note, if that doesn't work for your scenario, try adding logging of the requested URI and then when an "invalid" request is redirected. This should help you identify what's failing.
Aaron
Chris_Miller
Altostratus
Absolutely agree with Aaron's comment about inefficiency... am somewhat surprised they recommended something like that for such a straightforward task.
jokragly
Nimbostratus
Thanks again for the help. I did notice the site was much slower to load.
The issue we are having is the site landing page is http://mycompany.com/
I have no way to define / without giving access to everything after it. I have this working on a test site that I just put up that has a different landing page (http://mycompany.com/en-us) and all seems to be working OK.
There is only one string in the SplunkTest data group for /en-us, but the site and rule work as expected. Anyone have any ideas how to allow the root?
when HTTP_REQUEST {
if { ![class match [string tolower [HTTP::uri]] starts_with SplunkTest] } {
HTTP::respond 200 content "ErrorPERMISSION DENIED TO: [HTTP::uri]"
}
}
I look forward to hearing back from you
Jeff
Chris_Miller
Altostratus
You can use "starts_with", "ends_with", and "eq". Perhaps using a data group for starts_with and just specify the URI "/" for eq.
hoolio
Cirrostratus
I think this is what Chris was suggesting:
when HTTP_REQUEST {
if { ! ([class match [string tolower [HTTP::uri]] starts_with SplunkTest] or [HTTP::uri] eq "/") } {
HTTP::respond 200 content "PERMISSION DENIED TO: [HTTP::uri]"
}
}
You might also want to decode the URI using URI::decode to minimize the chance someone can bypass the iRule logic:
http://devcentral.f5.com/wiki/default.aspx/iRules/FullyDecodeURI.html
Aaron
jokragly
Nimbostratus
Aaron thank you for the correct coding, although the
[HTTP::uri] eq "/")
is still being blocked. This is the issue we initially were running into, not being able to allow the "/". Once we get over this hurdle of allowing the root "/" I think we are golden. The datagroup call seems to be working perfectly.
We are running BIG-IP 10.2.0 Build 1707.0
Chris_Miller
Altostratus
Posted By jokragly on 11/08/2010 07:43 AM Aaron thank you for the correct coding, although the
[HTTP::uri] eq "/")
is still being blocked. This is the issue we initially were running into, not being able to allow the "/". Once we get over this hurdle of allowing the root "/" I think we are golden. The datagroup call seems to be working perfectly.
We are running BIG-IP 10.2.0 Build 1707.0
I seem to have misunderstood your requirements. Here you go:
when HTTP_REQUEST {
if { ![class match [string tolower [HTTP::uri]] starts_with SplunkTest] or [HTTP::uri] ne "/" } {
HTTP::respond 200 content "PERMISSION DENIED TO: [HTTP::uri]"
}
}
Let me know if that doesn't work.
jokragly
Nimbostratus
OK, we finally got it to work the way we wanted.
We had to make it an "and" because of the negative logic we were working with.
when HTTP_REQUEST {
if {![class match [string tolower [HTTP::uri]] starts_with SplunkTest] and [HTTP::uri] ne "/" } {
HTTP::respond 200 content "TEST PERMISSION DENIED TO: [HTTP::uri] "
}
}
Once we figured out the solution, we changed the logic to a positive match to make it easier, with the following:
when HTTP_REQUEST {
if {[class match [string tolower [HTTP::uri]] starts_with SplunkTest] or [HTTP::uri] eq "/" } {
return
} else {
HTTP::respond 200 content "TEST 13 PERMISSION DENIED TO: [HTTP::uri] "
}
}
All is now functioning correctly and the site loads at speeds that are normal.
Thanks again for everyone's help. DevCentral is so very valuable to the F5 solutions.
Jeff
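The following is an added example, not code from this thread or from F5: a Python stand-in for the decision the final iRule makes, so the allow-list behaviour can be exercised offline against the kinds of request URIs that trip up a plain starts_with match. It assumes the five directories from Jeff's first post as the allow-list (the thread's real data group, SplunkTest, holds whatever entries Jeff configured), treats "/" as allowed as the thread does, and folds in Aaron's advice to decode the URI before matching; the repeated-decode loop and the dot-segment normalisation are this example's own additions. Directory matching here requires the directory name itself or a "/" after it, which the iRule's starts_with does not enforce (so /Loginx would pass the iRule's test); that tightening is also an addition, not something the thread settled on.

```python
from urllib.parse import unquote, urlsplit
import posixpath

# Allow-list assumed from the first post, lower-cased because the iRule
# compares [string tolower [HTTP::uri]] against the data group.
ALLOWED_DIRS = ("/login", "/dealer", "/image", "/user", "/help")


def normalize_uri(uri: str, max_decode_rounds: int = 3) -> str:
    """Return a comparable path: query string dropped, percent-encoding
    decoded repeatedly until it stops changing (the idea behind the
    FullyDecodeURI iRule Aaron linked), dot segments resolved, case folded."""
    path = urlsplit(uri).path or "/"
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Resolve "." and ".." so /Login/../Admin is judged as /Admin, not as
    # something under /Login.
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def is_allowed(uri: str, allowed_dirs=ALLOWED_DIRS) -> bool:
    """True if the request is the site root or lives under an allowed directory."""
    path = normalize_uri(uri)
    if path == "/":
        return True
    for directory in allowed_dirs:
        # The directory itself, or anything beneath it; /loginx does not match.
        if path == directory or path.startswith(directory + "/"):
            return True
    return False


def handle_request(uri: str):
    """Mimic the iRule's outcome: None means let the request through to the
    pool; otherwise return the (status, body) the BIG-IP would answer with.
    Status 200 is kept to match the posted iRule, which responds 200 with a
    denial body rather than a 403."""
    if is_allowed(uri):
        return None
    return (200, f"PERMISSION DENIED TO: {uri}")


if __name__ == "__main__":
    # Constructed sample request URIs, not traffic from the thread.
    for sample in ("/", "/Login/index.aspx", "/Admin", "/Loginx/",
                   "/Login/../Admin/", "/Login/%252e%252e/Admin",
                   "/Admin?next=/Login/"):
        print(f"{sample!r:32} -> {'allow' if is_allowed(sample) else 'deny'}")
```

Running the block shows the root and the five directories (in any letter case, with or without a query string) passing, while a sibling name such as /Loginx, a dot-segment climb out of an allowed directory, a double-encoded climb, and an allowed path hidden inside the query string are all denied.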