Forum Discussion
iRule http host with wildcard domain
Hi, I want to ask a question. I want to limit the http::host wildcard domain in an iRule: allow *.domain.com, but disallow *.*.domain.com. For example, if http::host is a.aaa.com or b.aaa.com, then go on. If http::host is a.b.domain.com or b.c.d.domain.com, then drop. How could I do that?
Thanks for all the advice. I have solved it.
when HTTP_REQUEST {
    switch -regexp [HTTP::host] {
        {^[a-zA-Z0-9_-]+\.domain\.com} {
            # exactly one label before domain.com: let the request through
        }
        default { drop }
    }
}
This irule works. Thanks all.
- spaceccAltostratus
- zamroni777Nacreous
Because there is only one condition, using "if else" is more efficient than "switch".
- Aswin_mkCumulonimbus
Hello, can you follow the example below?
when HTTP_REQUEST {
    if { ([HTTP::host] == "www.example.com") } {
        # Do nothing, meaning permit the request
    } elseif { ([HTTP::host] == "web.example.com") } {
        # Do nothing, meaning permit the request
    } elseif { ([HTTP::host] == "access.example.com") } {
        # Do nothing, meaning permit the request
    } else {
        # If the Host header does not match any of the values above, reject the request
        reject
    }
}
- spaceccAltostratus
Hello, sir. Thanks for the reply. In fact, I have hundreds of domain names, which I cannot list individually, like www, oa, web, web2 and so on. There are too many to put in a data group. I just want to allow *.example.com and disallow *.*.example.com, using a wildcard domain. Is there a way?
How many FQDNs do you have to match? The reason I ask is that a data-group match is the best way to achieve this; I believe data-groups support 10 million entries, and you stated hundreds of domains, not millions. You can easily format some text into the appropriate layout and paste it into the data-group in the CLI to create the data-group quickly. First, the following is an example of the data-group which you would paste in; follow the on-screen message that comes up after you run the following command. Please keep in mind that this is a very powerful command, so be sure you aren't overwriting any existing configuration that you want to keep and that the text is formatted properly before saving after you paste it in.
load sys config from-terminal merge
This next piece is the text you would paste in for the data-group, with your correct FQDNs of course. If for some reason the formatting isn't correct for the code version on your F5, you can always create the data-group with 2 entries from the GUI, go to the CLI and list out the data-group, grab that output and add all your entries, delete the data-group in the GUI, and then finally run the command I listed above with your class text; it should work.
class CLASS-hackit.com { "fqdn1.hackit.com" "fqdn2.hackit.com" "fqdn3.hackit.com" }
Next you will use the following iRule to direct your traffic accordingly, this is assuming the pool that is associated to the virtual server is the pool that you want to direct traffic to.
when CLIENT_ACCEPTED priority 500 {
    set DEFAULT_POOL [LB::server pool]
}
when HTTP_REQUEST priority 500 {
    if { [class match -- [HTTP::host] equals CLASS-hackit.com] } {
        pool ${DEFAULT_POOL}
    } else {
        reject
    }
}
- Aswin_mkCumulonimbus
For a wildcard we could use an equivalent string function. I am just writing a rule; you can test it. If it does not work, use pool as well.
when HTTP_REQUEST {
    if { [string match "example*.domain.com" [string tolower [HTTP::host]]] } {
        # matched: let the request through
    } else {
        reject
    }
}
- spaceccAltostratus
Thanks for the reply, sir. Please check this.
My irule is:
when HTTP_REQUEST {
    if { [string match "*.hackit.com" [string tolower [HTTP::host]]] } {
        log local0. "Host is [HTTP::host]"
    } else {
        reject
    }
}
Check the log:
<HTTP_REQUEST>: Host is www.gslb.hackit.com
The irule didn't work. My goal is that if I access *.hackit.com, it passes, and when I access *.*.hackit.com, it rejects.
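The thread's two attempts differ in exactly one way: the glob `*` used by `string match` happily matches dots, so `*.hackit.com` accepts `www.gslb.hackit.com`, whereas the character class `[a-zA-Z0-9_-]+` in the accepted answer cannot cross a dot. The script below is an added illustration, not code from the thread or from F5: it mirrors the Tcl `string match` check with Python's `fnmatchcase` and the accepted `switch -regexp` pattern with Python's `re` (the pattern uses only syntax both engines share), then runs both over constructed Host values. It also adds a third, hardened variant of my own (an assumption, not the poster's rule) that lower-cases the host, anchors the end of the pattern and tolerates an optional port, since the accepted pattern is case-sensitive and unanchored on the right.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample Host header values for the demonstration (not taken
# from the thread's logs).
SAMPLE_HOSTS = [
    "www.hackit.com",
    "web2.hackit.com",
    "WWW.HACKIT.COM",
    "www.gslb.hackit.com",
    "a.b.c.hackit.com",
    "hackit.com",
    "www.hackit.com:8443",
    "www.hackit.com.evil.example",
]

# Glob from the thread's `string match` attempt: '*' also matches '.'.
GLOB_PATTERN = "*.hackit.com"

# Regex from the accepted answer (dots escaped); the character class excludes
# '.', so only a single label may precede the zone. No '$', so the right-hand
# side is not anchored, and no case folding is applied.
ONE_LABEL_RE = re.compile(r"^[a-zA-Z0-9_-]+\.hackit\.com")

# Hypothetical hardened variant (my assumption, not from the thread): host is
# lower-cased first, the end is anchored, and an optional ':port' is allowed
# because Host may carry one.
STRICT_RE = re.compile(r"^[a-z0-9_-]+\.hackit\.com(:[0-9]{1,5})?$")


def glob_allows(host: str) -> bool:
    """Mirror of: string match "*.hackit.com" [string tolower [HTTP::host]]"""
    return fnmatchcase(host.lower(), GLOB_PATTERN)


def regex_allows(host: str) -> bool:
    """Mirror of the accepted switch -regexp pattern applied to the raw host."""
    return ONE_LABEL_RE.match(host) is not None


def strict_allows(host: str) -> bool:
    """Hardened variant: case-folded, end-anchored, optional port tolerated."""
    return STRICT_RE.match(host.lower()) is not None


def evaluate(hosts=SAMPLE_HOSTS):
    """Return {host: (glob, regex, strict)} so the three checks can be compared."""
    return {h: (glob_allows(h), regex_allows(h), strict_allows(h)) for h in hosts}


if __name__ == "__main__":
    print(f"{'host':34} glob  regex strict")
    for host, (g, r, s) in evaluate().items():
        print(f"{host:34} {g!s:5} {r!s:5} {s!s:5}")
```

Running it shows the glob accepting every multi-label host (the behaviour seen in the poster's log), the accepted regex rejecting those but also rejecting an upper-case Host and accepting `www.hackit.com.evil.example` because nothing anchors its right end, and the stricter variant rejecting the suffix-appended name while still admitting a host with a port. On a BIG-IP the same end-anchoring is a `$` in the switch pattern, and case folding is `string tolower` on the host before the switch, as the second attempt already did.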