Forum Discussion

craddockchris's avatar
craddockchris
Icon for Altostratus rankAltostratus
May 16, 2024
Solved

iRule interpretation assistance

Hi Dev Central. I need some assistance interpreting the following iRule, especially the first line. My interpretation is that if the HTTP path contains any of the following: /, /index.jsp, /startpage, /sap/admin, /sap/admin* AND the client IP address is NOT in the All-Internal_dg Data Group List, then the request is REJECTED. Is this correct?

What is bothering me is the very first line with the "/". This would mean that any path would be rejected if the request isnt coming from an IP in the All-Internal_dg Data Group List right? I ask because this service is still accessible from IPs that are not in the All-Internal_dg Data Group List. So I am wondering how some paths are still working for clients that are not in the All-Internal_dg Data Group.

 

Thanks for any help you can lend. 

 

switch -glob [HTTP::path]  {

    "/" {
      # log 10.x.x.58 local0. "In root client ip is [IP::client_addr]"
      if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
        reject
      }
      HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/startPage
    }

    "/index.jsp" {
      # log 10..x.x.58 local0. "In index.jsp client ip is [IP::client_addr]"
      if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
        reject
      }
      HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/startPage
    }

    "/startpage" {
      # log 10.x.x.58 local0. "In startpage client ip is [IP::client_addr]"
      if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
        reject
      }
    }

    "/sap/admin" {
      # log 10..x.x.58 local0. "In sap admin client ip is [IP::client_addr]"
      if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
        reject
      }
      HTTP::redirect https://[getfield [HTTP::host] ":" 1 ]/sap/admin/public/default.html
    }

    "/sap/admin*" {
      # log 10..x.x.58 local0. "Deep in sap admin client ip is [IP::client_addr]"
      if { not [matchclass [IP::client_addr] equals All-Internal_dg] } {
        reject
      }
    }
    default {
      # log 10..x.x.58 local0. "Something hit the default switch client ip is [IP::client_addr]"
    }
  }
}

 

 

  • zamroni777's avatar
    zamroni777
    May 16, 2024

    yes,

    "https://mysite.com/" will be evaluated for "/" case, so the client ip addres will be evaluated againts All-Internal_dg.

    "https://mysite.com/abc" will got to default case.

     

6 Replies

  • except the "/sap/admin*", all other switch cases are exact matching.
    so requests such as "/abc" or "/startpage/dfgh" will get the default case and doesnt get rejected.

    • craddockchris's avatar
      craddockchris
      Icon for Altostratus rankAltostratus

      Thank you! What of the lone "/" entry? Does that mean something like "https://mysite.com/" would get blocked but "https://mysite.com/abc" wouldnt? 

      • zamroni777's avatar
        zamroni777
        Icon for Cumulonimbus rankCumulonimbus

        yes,

        "https://mysite.com/" will be evaluated for "/" case, so the client ip addres will be evaluated againts All-Internal_dg.

        "https://mysite.com/abc" will got to default case.

         

  • You now have a rule that always has an explicit allow at the end is that something you want?

    • craddockchris's avatar
      craddockchris
      Icon for Altostratus rankAltostratus

      Now that I understand the iRule better, it looks like the intention was to restrict access to certain resources on the website to internal IP addresses only while allowing access to other resources. I believe it is working as intended. 

  • Thank you everyone for your help! I have a better understanding of the iRule now!