Forum Discussion
BMeyering_10972
Aug 14, 2012 | Nimbostratus
iRule to block file types from external client IP
Hi, we are attempting to create an iRule to block external users from downloading SharePoint files.
External users are connecting via an external F5 v11.1 running APM/LTM. The access policy connects to an internal F5 running 10.2, which is the LB for the SharePoint farm. External user traffic is SNAT'd behind a static SNAT address. This is what we came up with, but ... we get an error parsing the iRule.
line 2: [parse error: PARSE syntax 62 {syntax error in expression " [IP::client_addr] equals x.x.x.166 and [HTTP::host] strin...": extra tokens at end of expression}] [{ [IP::client_addr] equals x.x.x.166 and [HTTP::host] string tolower contains "devintdocs" {
line 22: [undefined procedure: else
when HTTP_REQUEST {
    if { [IP::client_addr] equals x.x.x.166 and [HTTP::host] string tolower contains "devintdocs" {
        switch -glob string tolower [HTTP::uri] {
            "*.xls" -
            "*.xlsx" -
            "*.doc" -
            "*.docx" -
            "*.ppt" -
            "*.pptx" }{
                HTTP::respond 200 content {
                    Apology Page
                    We are sorry, but the document you are attempting to access is restricted by Corporate Policy. If you feel you have reached this page in error, please contact your supervisor.
                }
            }
        }
    } else {
        switch -glob [HTTP::host] {
            "devintportal" { pool sharepoint_devint_Pool1 }
            "devintmy" { pool sharepoint_devint_Pool2 }
            "devintdocs" { pool sharepoint_devint_Pool3 }
            "devintteams" { pool sharepoint_devint_Pool4 }
            "partners" { pool sharepoint_devint_Pool5 }
        }
    }
}
- hoolio (Cirrostratus): Can you try this?
when HTTP_REQUEST {
    if { [IP::addr [IP::client_addr] equals x.x.x.166] and [string tolower [HTTP::host]] contains "devintdocs" } {
        # Decode first, then lowercase, so percent-encoded uppercase letters are folded too
        switch -glob [string tolower [URI::decode [HTTP::path]]] {
            "*.xls" -
            "*.xlsx" -
            "*.doc" -
            "*.docx" -
            "*.ppt" -
            "*.pptx" {
                HTTP::respond 200 content {
                    Apology Page
                    We are sorry, but the document you are attempting to access is restricted by Corporate Policy. If you feel you have reached this page in error, please contact your supervisor.
                }
            }
        }
    } else {
        switch [HTTP::host] {
            "devintportal" { pool sharepoint_devint_Pool1 }
            "devintmy" { pool sharepoint_devint_Pool2 }
            "devintdocs" { pool sharepoint_devint_Pool3 }
            "devintteams" { pool sharepoint_devint_Pool4 }
            "partners" { pool sharepoint_devint_Pool5 }
        }
    }
}
- BMeyering_10972 (Nimbostratus): Aaron-
- hoolio (Cirrostratus): If you have that many strings to check, I'd create a string data group (filetypes_dg in the example below) and replace the switch statements with a class match. Also, as someone recently pointed out, if you're sending a 200 response with content you don't want cached or indexed, you might want to set cache-control headers:
From: https://devcentral.f5.com/wiki/iRules.class.ashx
# -value returns the value stored with the matching data group record,
# or an empty string when nothing matches (records need a non-empty value)
set match [class match -value -- [HTTP::path] ends_with filetypes_dg]
# Send the apology page only when the path matched a record
if {$match ne ""} {
    HTTP::respond 200 content {
        Apology Page
        We are sorry, but the document you are attempting to access is restricted by Corporate Policy. If you feel you have reached this page in error, please contact your supervisor.
    } Pragma no-cache cache-control no-cache
}
- hoolio (Cirrostratus): Forgot to add that with a data group you shouldn't see much of a hit as the data group size grows. See Joe's article on this:
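The data-group suggestion above, combined with the client and host checks from the earlier reply, written out as one iRule. This is an added example, not code posted in the thread: 192.0.2.166 is a placeholder for the masked SNAT address, filetypes_dg is assumed to be a string data group holding the lowercase extensions .xls, .xlsx, .doc, .docx, .ppt and .pptx, and the HTML markup around the apology text is constructed.

```tcl
# Added example (not from the thread). Assumptions: 192.0.2.166 stands in for
# the masked static SNAT address; filetypes_dg is a string data group with the
# records .xls .xlsx .doc .docx .ppt .pptx (lowercase, values not required).
when HTTP_REQUEST {
    # Normalize once. HTTP::path excludes the query string, so a trailing
    # "?x=1" cannot hide the extension. Decode before lowercasing so that a
    # percent-encoded uppercase letter is folded as well.
    set host [string tolower [HTTP::host]]
    set path [string tolower [URI::decode [HTTP::path]]]

    # External users reach this virtual server from the static SNAT address.
    if { [IP::addr [IP::client_addr] equals 192.0.2.166] and ($host contains "devintdocs") } {
        # Without -value, class match returns 1 on a match and 0 otherwise.
        if { [class match -- $path ends_with filetypes_dg] } {
            # Log the raw (still encoded) path so decoded control characters
            # never reach the log line.
            log local0. "Blocked document request from [IP::client_addr] for $host[HTTP::path]"
            HTTP::respond 200 content {
<html><head><title>Apology Page</title></head>
<body>We are sorry, but the document you are attempting to access is restricted by Corporate Policy. If you feel you have reached this page in error, please contact your supervisor.</body></html>
            } Content-Type "text/html" Pragma "no-cache" Cache-Control "no-cache"
            # The request is answered; skip pool selection.
            return
        }
    }

    # Pool selection with the host names from the thread's rule. Unlike the
    # if/else in the thread, this also runs for external requests that were
    # not blocked.
    switch $host {
        "devintportal" { pool sharepoint_devint_Pool1 }
        "devintmy"     { pool sharepoint_devint_Pool2 }
        "devintdocs"   { pool sharepoint_devint_Pool3 }
        "devintteams"  { pool sharepoint_devint_Pool4 }
        "partners"     { pool sharepoint_devint_Pool5 }
    }
}
```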
- BMeyering_10972 (Nimbostratus): Aaron-
- BMeyering_10972 (Nimbostratus): Aaron-
- nitass (Employee): Can you post the current iRule and test URL?
- BMeyering_10972 (Nimbostratus): Here is the test URL as it appears from APM webtop...