Forum Discussion
irule question - restricted url wild card
I want to be able to create an irule that allows only certain ip addresses to a url, and every other ip gets re-directed to the home page. I have a rule that works the way I want it to, however, the applications team is having the users input a string after the path.
So instead of the user just going to "/web/verificationService" they are actually going to "/web/verificationService?enrollmentId=123&individualId=1372823&lastName=Diaz", for example. Each string after the /web/verificationService is unique, so I was thinking of a wild card.
What I tried was set restricted_url "/yesnm/verificationService*", but I don't think F5 recognizes the * as a wildcard, as when I test, the re-direction to the home page no longer occurs for IPs not in the irule.
Is there a way to tweak my full irule below without having to get rid of the entire rule and re-write from the beginning? Thanks
```tcl
when HTTP_REQUEST {
    # Base URL for filter
    set restricted_url "/web/verificationService"
    set redirected_url "/web"
    # Get the source IP.
    set source_IP [IP::remote_addr]
    # If the request includes the restricted_url...
    if { ([HTTP::uri] contains "$restricted_url") } {
        # Compare the source IP against a list of internal IP addresses.
        if {[IP::addr $source_IP equals 10.57.32.0/255.255.255.0 ] or
            [IP::addr $source_IP equals 10.62.62.18/255.255.255.255 ] or
            [IP::addr $source_IP equals 10.57.30.0/255.255.255.0 ]} {
            # The source IP is internal. Allow the request.
            log local0. "Access to $restricted_url allowed. Source IP: $source_IP"
        } else {
            # The source IP is not internal. Redirect the request.
            log local0. "Access to $restricted_url redirected. Source IP: $source_IP"
            HTTP::redirect "https://[getfield [HTTP::host] ":" 1]$redirected_url"
        }
    }
}
```
2 Replies
- OTS02
Cirrus
I have used the text string `.*?` as wildcard in stream expressions, and I think that is simply TCL syntax, so you might give `.*?` a try
Hi Chris,
- the "contains" operator is actually a "*/web/verificationService*" wildcard.
- the "starts_with" operator is actually a "/web/verificationService*" wildcard.
- the "ends_with" operator is actually a "*/web/verificationService" wildcard.
- the "equals" operator doesn't include any wildcards.
So you may want to change your code to use the "starts_with" operator to optimize accuracy and also performance.
```tcl
when HTTP_REQUEST {
    # Base URL for filter
    set restricted_url "/web/verificationService"
    set redirected_url "/web"
    # Get the source IP.
    set source_IP [IP::remote_addr]
    # If the request includes the restricted_url...
    if { ([HTTP::uri] starts_with "$restricted_url") } {
        # Compare the source IP against a list of internal IP addresses.
        if { [IP::addr $source_IP equals 10.57.32.0/255.255.255.0] or
             [IP::addr $source_IP equals 10.62.62.18/255.255.255.255] or
             [IP::addr $source_IP equals 10.57.30.0/255.255.255.0] } {
            # The source IP is internal. Allow the request.
            log local0. "Access to $restricted_url allowed. Source IP: $source_IP"
        } else {
            # The source IP is not internal. Redirect the request.
            log local0. "Access to $restricted_url redirected. Source IP: $source_IP"
            HTTP::redirect "https://[getfield [HTTP::host] ":" 1]$redirected_url"
        }
    }
}
```
Cheers, Kai
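An added example, not posted by anyone in this thread: a variant of the rule that compares `HTTP::path` (the URI without its query string) instead of `HTTP::uri`, so the `?enrollmentId=...` part never takes part in the match, and that uses `string match`, where `*` really is a glob wildcard. The data group name `internal_nets_dg` is hypothetical and is assumed to be an address-type data group holding the three networks from the original rule; lower-casing the path assumes the restriction should apply regardless of capitalisation.

```tcl
when HTTP_REQUEST {
    # Restricted path, written in lower case because the request path
    # is lower-cased before the comparison (assumption, see lead-in).
    set restricted_path "/web/verificationservice"
    set redirected_url  "/web"

    # HTTP::path excludes the query string, so every
    # "/web/verificationService?enrollmentId=..." request yields the same value here.
    set path [string tolower [HTTP::path]]

    # Match the path itself or anything beneath it.
    # "string match" treats * as a wildcard; "contains", "starts_with",
    # "ends_with" and "equals" treat it as a literal character, which is why
    # a pattern ending in * stops matching when used with "contains".
    if { ($path eq $restricted_path) || [string match "${restricted_path}/*" $path] } {

        # internal_nets_dg is a hypothetical address data group containing
        # 10.57.32.0/24, 10.57.30.0/24 and 10.62.62.18/32.
        if { [class match [IP::client_addr] equals internal_nets_dg] } {
            # The source IP is internal. Allow the request.
            log local0. "Access to $restricted_path allowed. Source IP: [IP::client_addr]"
        } else {
            # The source IP is not internal. Redirect the request.
            log local0. "Access to $restricted_path redirected. Source IP: [IP::client_addr]"
            HTTP::redirect "https://[getfield [HTTP::host] ":" 1]$redirected_url"
        }
    }
}
```

Keeping the allowed networks in a data group means the list can be changed without editing the rule itself.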