Forum Discussion

BMeyering_10972
Nimbostratus
Aug 14, 2012

iRule to block file types from external client IP

Hi, we are attempting to create an iRule to block external users from downloading SharePoint files.

External users are connecting via an external F5 v11.1 running APM/LTM. The access policy connects to an internal F5 running 10.2, which is the LB for the SharePoint farm. External user traffic is SNAT'd behind a static SNAT address. This is what we came up with, but we get an error parsing the iRule.

 

 

 

line 2: [parse error: PARSE syntax 62 {syntax error in expression " [IP::client_addr] equals x.x.x.166 and [HTTP::host] strin...": extra tokens at end of expression}] [{ [IP::client_addr] equals x.x.x.166 and [HTTP::host] string tolower contains "devintdocs" {
line 22: [undefined procedure: else

when HTTP_REQUEST {
    if { [IP::client_addr] equals x.x.x.166 and [HTTP::host] string tolower contains "devintdocs" {
        switch -glob string tolower [HTTP::uri] {
            "*.xls" -
            "*.xlsx" -
            "*.doc" -
            "*.docx" -
            "*.ppt" -
            "*.pptx" }{
                HTTP::respond 200 content {
                    Apology Page
                    We are sorry, but the document you are attempting to access is restricted by Corporate Policy. If you feel you have reached this page in error, please contact your supervisor.
                }
            }
        }
    } else {
        switch -glob [HTTP::host] {
            "devintportal" { pool sharepoint_devint_Pool1 }
            "devintmy" { pool sharepoint_devint_Pool2 }
            "devintdocs" { pool sharepoint_devint_Pool3 }
            "devintteams" { pool sharepoint_devint_Pool4 }
            "partners" { pool sharepoint_devint_Pool5 }
        }
    }
}

 

  • Can you try this?

    
    when HTTP_REQUEST {
        if { [IP::addr [IP::client_addr] equals x.x.x.166] and [string tolower [HTTP::host]] contains "devintdocs" } {
            # decode and lower-case the path (HTTP::path, not HTTP::uri, so the query string is ignored)
            switch -glob [URI::decode [string tolower [HTTP::path]]] {
                "*.xls" -
                "*.xlsx" -
                "*.doc" -
                "*.docx" -
                "*.ppt" -
                "*.pptx" {
                    HTTP::respond 200 content {
                        Apology Page
                        We are sorry, but the document you are attempting to access is restricted by Corporate Policy.
                        If you feel you have reached this page in error, please contact your supervisor.
                    }
                    return
                }
            }
        } else {
            # the Host header arrives as an FQDN, so match on the leading label rather than the whole value
            switch -glob [string tolower [HTTP::host]] {
                "devintportal*" { pool sharepoint_devint_Pool1 }
                "devintmy*" { pool sharepoint_devint_Pool2 }
                "devintdocs*" { pool sharepoint_devint_Pool3 }
                "devintteams*" { pool sharepoint_devint_Pool4 }
                "partners*" { pool sharepoint_devint_Pool5 }
            }
        }
    }
    

    You might also want to add a check to see if the host is null or an IP address to the first check. Also make sure to add a OneConnect profile to the virtual server as you're selecting a pool in some cases but not all.

    Aaron
  • Aaron-

    Awesome, thanks, that looks like it will work. Any idea what kind of performance impact this might have on client requests? What would happen if the list of file types expanded to 50 or 100 entries?
  • If you have that many strings to check, I'd create a string data group (filetypes_dg in the example below) and replace the switch statements with a class match. Also as someone recently pointed out, if you're sending a 200 response with content you don't want cached or indexed you might want to set cache-control headers:

    
     From: https://devcentral.f5.com/wiki/iRules.class.ashx
    
    when HTTP_REQUEST {
        if { [IP::addr [IP::client_addr] equals x.x.x.166] and [string tolower [HTTP::host]] contains "devintdocs" } {
            # filetypes_dg is a string data group whose entries are the blocked
            # extensions (".xls", ".xlsx", ".doc", ...); class match returns 1 on a hit
            if { [class match -- [URI::decode [string tolower [HTTP::path]]] ends_with filetypes_dg] } {
                HTTP::respond 200 content {
                    Apology Page
                    We are sorry, but the document you are attempting to access is restricted by Corporate Policy.
                    If you feel you have reached this page in error, please contact your supervisor.
                } Cache-Control no-cache Pragma no-cache
                return
            }
        }
    }
    

    Aaron
  • Forgot to add that with a data group you shouldn't see much of a hit as the data group size grows. See Joe's article on this:

    Comparing iRule Control Statements

    https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086424/Comparing-iRule-Control-Statements.aspx

    Aaron
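The extension switch in the first reply and the data-group variant above make the same decision. What follows is an added Python model of that decision (not an iRule and not code from the thread), written so the edge cases a practitioner would test can be tried without a BIG-IP: a percent-encoded or upper-case file name, an extension that appears only in the query string, a double-encoded dot, a Host header carrying a port or an IP literal, and a host that selects no pool. The SNAT address, host names, URIs and pool map are constructed stand-ins, and rejecting requests that would otherwise fall through to the virtual server's default pool is an assumption about what the operator wants, not something the thread states.

```python
"""Offline model of the SharePoint download-block iRule from this thread.

Added example (Python, not an iRule, not code from the thread). Addresses,
host names, URIs and pool names are constructed stand-ins.
"""
import ipaddress
from urllib.parse import unquote, urlsplit

# Stand-in for the external F5's static SNAT address (x.x.x.166 in the post).
EXTERNAL_SNAT = ipaddress.ip_address("198.51.100.166")
HOST_FRAGMENT = "devintdocs"
# Same role as the filetypes_dg string data group (ends_with entries).
BLOCKED_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx"}
# Leading host label -> pool, the else branch of the iRule.
POOLS = {
    "devintportal": "sharepoint_devint_Pool1",
    "devintmy": "sharepoint_devint_Pool2",
    "devintdocs": "sharepoint_devint_Pool3",
    "devintteams": "sharepoint_devint_Pool4",
    "partners": "sharepoint_devint_Pool5",
}


def normalize_path(uri: str) -> str:
    """[URI::decode [string tolower [HTTP::path]]] as a function.

    The query string is dropped first (HTTP::path, not HTTP::uri), so
    '?file=a.xlsx' on a page cannot trigger the block while 'a.xlsx?web=1'
    still does. Decoding happens once, as URI::decode does, so a
    double-encoded dot (%252E) stays '%2e' and is not matched.
    """
    return unquote(urlsplit(uri).path).lower()


def looks_like_ip(host: str) -> bool:
    """True when the Host header is an IP literal, with or without a port."""
    h = host.strip()
    if h.startswith("["):                 # [v6addr]:port
        h = h[1:h.index("]")] if "]" in h else h[1:]
    elif h.count(":") == 1:               # v4addr:port
        h = h.split(":", 1)[0]
    try:
        ipaddress.ip_address(h)
    except ValueError:
        return False
    return True


def blocked_extension(path: str) -> bool:
    """switch -glob "*.xls" ... or class match ... ends_with filetypes_dg."""
    return any(path.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def select_pool(host: str):
    """Pool for the host's leading label, or None when none matches."""
    h = host.lower()
    for label, pool in POOLS.items():
        if h.startswith(label):
            return pool
    return None


def handle_request(client_ip: str, host: str, uri: str):
    """('respond', 'apology'), ('pool', name) or ('reject', None).

    'reject' covers the two gaps Aaron points out: an empty or IP-literal
    Host, and a host that selects no pool. Unlike the posted iRule, a request
    that passes the block check still gets a pool chosen (an assumption).
    """
    if host == "" or looks_like_ip(host):
        return ("reject", None)
    is_external = ipaddress.ip_address(client_ip) == EXTERNAL_SNAT
    if is_external and HOST_FRAGMENT in host.lower():
        if blocked_extension(normalize_path(uri)):
            return ("respond", "apology")
    pool = select_pool(host)
    return ("pool", pool) if pool else ("reject", None)


# Constructed sample requests: (client, Host header, URI, expected outcome).
SAMPLES = [
    ("198.51.100.166", "devintdocs.example.com", "/Shared%20Documents/DocsSites.xlsx", ("respond", "apology")),
    ("198.51.100.166", "devintdocs.example.com", "/Shared%20Documents/Q3.DOCX?web=1", ("respond", "apology")),
    ("198.51.100.166", "devintdocs.example.com", "/pages/view.aspx?file=a.xlsx", ("pool", "sharepoint_devint_Pool3")),
    ("198.51.100.166", "devintdocs.example.com", "/Shared%20Documents/a%252Exlsx", ("pool", "sharepoint_devint_Pool3")),
    ("198.51.100.166", "DevIntPortal.example.com:443", "/Shared%20Documents/a.xlsx", ("pool", "sharepoint_devint_Pool1")),
    ("10.20.30.40", "devintdocs.example.com", "/Shared%20Documents/a.xlsx", ("pool", "sharepoint_devint_Pool3")),
    ("198.51.100.166", "203.0.113.9", "/Shared%20Documents/a.xlsx", ("reject", None)),
    ("198.51.100.166", "intranet.example.com", "/Shared%20Documents/a.xlsx", ("reject", None)),
]


def run_samples():
    """Return the samples whose outcome differs from the expectation."""
    mismatches = []
    for client, host, uri, want in SAMPLES:
        got = handle_request(client, host, uri)
        if got != want:
            mismatches.append((host, uri, got, want))
    return mismatches


if __name__ == "__main__":
    for client, host, uri, _ in SAMPLES:
        print(f"{client:15} {host:30} {uri:40} -> {handle_request(client, host, uri)}")
    print("mismatches:", run_samples())
```

Run it as a script to see each sample and its outcome. The two samples that pass the block check (an extension only in the query string, and the double-encoded dot) are the ones worth discussing with the SharePoint side: the first is correct behaviour for a path check, the second only matters if the back end decodes the path a second time.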
  • Aaron-

    Well, I finally got around to testing this iRule and it doesn't work. I added a log local0. entry in the iRule and here is what I got.

    Rule sharepoint_devint_pool_block_filetype : IP x.x.x.166 Host devintdocs.xyccompany.com uri /Shared%20Documents/DocsSites.xlsx HTTP-path /Shared%20Documents/DocsSites.xlsx header-content

    I also added a log local0. entry after the else to see if we are dropping through the if statement, which confirmed we are not matching the if statement. Any ideas?
  • Here is the test URL as it appears from the APM webtop:

    https://devportal.abccompany.com/f5-w-68747470733a2f2f646576696e74646f63732e636d73656e657267792e636f6d$$/Shared%20Documents/DocsSites.xlsx

    Here is the current iRule:

    when HTTP_REQUEST {
        log local0. "IP [IP::client_addr] Host [HTTP::host] uri [HTTP::uri] HTTP-path [HTTP::path] header-content [HTTP::header value Content-Type]"
        if { [IP::addr [IP::client_addr] equals x.x.x.166] and [string tolower [HTTP::host]] starts_with "devintdocs" } {
            # switch -glob on the decoded, lower-cased path; glob patterns need the leading "*"
            switch -glob [URI::decode [string tolower [HTTP::path]]] {
                "*.xls" -
                "*.xlsx" -
                "*.doc" -
                "*.docx" -
                "*.ppt" -
                "*.pptx" {
                    HTTP::respond 200 content {
                        Apology Page
                        We are sorry, but the document you are attempting to access is restricted by Corporate Policy.
                        If you feel you have reached this page in error, please contact your supervisor.
                    }
                    return
                }
            }
        } else {
            log local0. "devint pool select"
            # the logged Host is an FQDN (devintdocs.xyccompany.com), so an exact switch never matches; match the leading label
            switch -glob [string tolower [HTTP::host]] {
                "devintportal*" { pool sharepoint_devint_Pool }
                "devintmy*" { pool sharepoint_devint_Pool }
                "devintdocs*" { pool sharepoint_devint_Pool }
                "devintteams*" { pool sharepoint_devint_Pool }
                "partners*" { pool sharepoint_devint_Pool }
            }
        }
    }
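The URL in the last post shows the form APM's portal access gives a rewritten link: the origin's scheme://host is hex-encoded into a /f5-w-<hex>$$ path prefix and the original path follows it. This matters for where the check lives: on the internal LTM the log shows the real Host and path, but if the same check were placed on the APM virtual server, [HTTP::host] would be the webtop host and [HTTP::path] would carry the prefix, so the origin host has to be recovered from the prefix before a host comparison can work (the extension check on the path still works as the path still ends in .xlsx). The following added Python example (not F5 code and not part of the thread) parses and rebuilds that prefix; the sample URL is constructed with a placeholder origin rather than the host in the post.

```python
"""Parse and build APM portal-access (webtop) rewritten URLs.

Added example, not F5 code: APM rewrites a portal-access link as
https://<webtop host>/f5-w-<hex>$$/<original path>, where <hex> is the hex
encoding of the origin's scheme://host. SAMPLE_URL below is constructed
with a placeholder origin, not the host from the thread.
"""
import re
from urllib.parse import urlsplit

# Path prefix: "/f5-w-" + hex(origin) + "$$", followed by the original path.
PREFIX_RE = re.compile(r"^/f5-w-([0-9a-fA-F]+)\$\$(/.*)$")


def split_portal_access_url(url: str):
    """Return (origin, original_path) for an APM-rewritten URL.

    Returns None when the path carries no f5-w-<hex>$$ prefix or the hex
    part is malformed (odd length or not UTF-8), so the caller can treat
    the request as a plain, un-rewritten one.
    """
    m = PREFIX_RE.match(urlsplit(url).path)
    if not m:
        return None
    hexpart, original_path = m.groups()
    if len(hexpart) % 2:
        return None
    try:
        origin = bytes.fromhex(hexpart).decode("utf-8")
    except UnicodeDecodeError:
        return None
    return origin, original_path


def make_portal_access_url(webtop_host: str, origin: str, path: str) -> str:
    """Inverse of split_portal_access_url; used here to build test inputs."""
    return f"https://{webtop_host}/f5-w-{origin.encode('utf-8').hex()}$$" + path


def origin_host_and_path(url: str):
    """What a check on the APM side needs instead of [HTTP::host] and
    [HTTP::path]: the origin host name and the un-prefixed path. A URL
    without the prefix is returned unchanged."""
    parts = split_portal_access_url(url)
    if parts is None:
        u = urlsplit(url)
        return u.hostname, u.path
    origin, path = parts
    return urlsplit(origin).hostname, path


# Constructed sample: the shape of the URL in the thread, with a placeholder origin.
SAMPLE_URL = ("https://devportal.example.com/f5-w-"
              "68747470733a2f2f646576696e74646f63732e6578616d706c652e636f6d$$"
              "/Shared%20Documents/DocsSites.xlsx")

if __name__ == "__main__":
    print(split_portal_access_url(SAMPLE_URL))
    print(origin_host_and_path(SAMPLE_URL))
```

The decoded origin from a real webtop URL is the value to compare against "devintdocs" if the block is ever moved to the APM box; the path after $$ is what the extension check should see, and it is still percent-encoded, so the same decode-then-lowercase step applies.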