Forum Discussion
Irule to block specific users from login to back office system
Hi guys, I need your help to fine-tune my iRule script. I need to catch the username (convert it to lower case) and then match it against the data group list; if it does not exist in the data group list, send 403. So basically it is a POST method only and the URI always ends with /login; the payload is form data that contains the username and the password, as you see in the form data. My iRule looks like this:
Code
when CLIENT_ACCEPTED {
    log local0. "[IP::client_addr]: HTTP Client Connected"
}
when HTTP_REQUEST {
    if {([string tolower [HTTP::uri]] ends_with "login") and ([HTTP::method] eq "POST")} {
        # Trigger collection for up to 1MB of data
        if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576} {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        # Check if $content_length is not set to 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
when HTTP_REQUEST_DATA {
    # Lower-case the collected body, split it on double quotes and take the fourth piece as the username
    set username [lindex [split [string tolower [HTTP::payload]] "\""] 3]
    log local0. "Split payload and take username"
    if { [class match $username equals BOAgentName] } {
        log local0. "username matches data-group and this connection will be rejected"
        log local0. "BoAgent Blocked. Agent=$username and Source IP=[IP::client_addr],"
        HTTP::respond 403
    } else {
        log local0. "BoAgent Allowed"
    }
}
but it's not working for me.. 😞
To get the username, use this command:
set username [URI::query "?[HTTP::payload]" username]
- RicoCirrus
It seems like the error is in your username assignment. It doesn't seem to be getting the username properly, at least when I tested it. I wrote this segment of code to grab the value of whatever comes after 'username=' in a urlencoded post.
log local0. "Payload: [HTTP::payload]"
# Keep everything from the first occurrence of "username" to the end of the body
set payload [string range [HTTP::payload] [string first username [HTTP::payload]] [string length [HTTP::payload]]]
# The value starts after the next "=" and ends before the next "&" (or at the end of the body)
set findex [string first = $payload]
set lindex [string first & $payload]
if {$lindex == -1} {
    set lindex [string length $payload]
    incr lindex
}
log local0. "Modified Payload: $payload"
set username [string range $payload [incr findex 1] [incr lindex -1]]
I added in some error handling in case the username value was in different places in the payload. Hopefully, this will solve your problem if you replace your username variable assignment with it.
If you have any more questions, I am sure I can help.
- Stanislas_Piro2Cumulonimbus
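The two extraction approaches in this thread differ in how they treat field boundaries and encoding, which matters when the extracted value feeds a blocklist. The following is an added example (not code from the thread or from F5): a Python model of the substring search in the reply above, beside a proper form decode that also applies the lower-casing the original post asks for, with a constructed blocklist standing in for the BOAgentName data group and constructed login bodies. It shows two bypasses a blocklist check inherits from the substring version: a body whose password field contains the text "username" makes it return an empty value, and a percent-encoded or mixed-case username never equals the blocklist entry. Python's parse_qs plays the role of parsing the body as a query string, which is what the URI::query idiom does in the iRule.

```python
"""Added example: username extraction from a urlencoded login body, naive vs. parsed.

Not the thread's iRule. BLOCKED_AGENTS and the payloads below are constructed
for illustration; BLOCKED_AGENTS stands in for the F5 data group BOAgentName.
"""
from urllib.parse import parse_qs

# Constructed blocklist (assumption): entries are stored lower-case.
BLOCKED_AGENTS = {"alice", "bob"}


def naive_username(payload: str) -> str:
    """Model of the reply's string-first/string-range logic.

    Takes whatever follows the first "=" after the first occurrence of the
    text "username", up to the next "&" or the end of the body. No decoding,
    no case folding, no check that "username" is actually a field name.
    """
    start = payload.find("username")
    if start == -1:
        return ""
    rest = payload[start:]
    eq = rest.find("=")
    amp = rest.find("&")
    if amp == -1:
        amp = len(rest)
    return rest[eq + 1:amp]


def form_username(payload: str) -> str:
    """Parse the body as application/x-www-form-urlencoded.

    Returns the first "username" field, percent-decoded and lower-cased,
    or "" when the field is absent. This is the normalisation the blocklist
    comparison needs: an F5 data group match is a plain string comparison.
    """
    fields = parse_qs(payload, keep_blank_values=True)
    values = fields.get("username")
    if not values:
        return ""
    return values[0].lower()


def is_blocked(username: str) -> bool:
    """Blocklist decision; an empty extraction is never treated as a match."""
    return username != "" and username in BLOCKED_AGENTS


# Constructed login bodies: the first is a normal login, the others probe
# the extraction rather than the application.
SAMPLE_BODIES = [
    "username=Alice&password=x",            # mixed case: naive keeps "Alice"
    "password=username&username=Alice",     # "username" inside another value
    "username=%41lice&password=x",          # percent-encoded "A"
    "password=x",                           # field missing entirely
]


def compare(payload: str) -> dict:
    """Both extractions and both blocklist verdicts for one body."""
    naive = naive_username(payload)
    parsed = form_username(payload)
    return {
        "naive": naive,
        "naive_blocked": is_blocked(naive),
        "parsed": parsed,
        "parsed_blocked": is_blocked(parsed),
    }


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(f"{body!r:40} -> {compare(body)}")
```

Each constructed body is an "alice" login as the application would see it, so every one should be blocked; only the parsed path blocks all three that carry a username, while the naive path passes the second and third through and, without lower-casing, the first as well.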
To get the username, use this command:
set username [URI::query "?[HTTP::payload]" username]
- YossiVNimbostratus
Thanks, issue resolved.
- PrudhviMNimbostratus
Is it possible to block a group of users with a particular attribute value after getting a 200 OK connection, using an iRule?
- PrudhviMNimbostratus