Forum Discussion

LyonsG_85618
Dec 06, 2012

IRULE to block URI after a specific date

I have been asked to create a VIP to route traffic through to a test web server.

What the customer wants is a test URI that has an expiry date. The date will then be verified against the current date and if it has expired the customer will receive a 404 page.

My thinking was that I will use an external class file:

"/123456789/validuri" := "12202012"

If today's date is December 6th 2012 IRULE will validate this against expiry and flag it as OK.

IRULE will then strip /123456789 and pass traffic to webserver as /validuri.

If today's date is December 25th 2012 this would show as expired and customer would receive a 404 page?

Has anyone seen anything like this?

I have had a look in forums but couldn't find a match anywhere.

Is this even possible?

Thanks in advance!

  • Hi Graham,

    This should be doable, but keep in mind that the logic of the iRule could be bypassed:

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=30900&ptarget=30901

    Basically, you could use [class match -value [HTTP::uri] starts_with uri_to_date_dg] to get the "expire date" and then check if the current date ([clock format [clock seconds] -format "%d%m%Y"]) is earlier.

    https://devcentral.f5.com/wiki/iRules.class.ashx

    http://www.tcl.tk/man/tcl8.4/TclCmd/clock.htm

    Aaron
  • Thanks Aaron

    I am going to give this a bash today and see how I get on.

    Regards

  • I have managed to get the date check working and now 'expired' hosts get sent to a notfound page:

    when HTTP_REQUEST {
        set debug 1
        set datecheck CLASS_DATE_CHECK
        # Today's date and the stored expiry date, both as YYYYMMDD
        set today [clock format [clock seconds] -format {%Y%m%d}]
        set expiry_date [class match -value [string tolower [HTTP::uri]] starts_with $datecheck]
        set uriexpired 0

        if {($expiry_date < $today)} {
            set uriexpired 1
        }

        # Redirect only when the URI has expired and equals the matched data group key
        if {($uriexpired equals "1") and ([HTTP::uri] equals [class match -name [string tolower [HTTP::uri]] starts_with $datecheck])} {
            if {$debug > 0} {
                log local0. "uri=[HTTP::uri] and Classmatch=[class match -name [string tolower [HTTP::uri]] starts_with $datecheck]"
            }
            HTTP::respond 302 noserver Location "http://www.test.com/notfound"
        }
    }

    Still looking at the URI part though. My customer wants to publish a random string before the actual 'real' uri.

    i.e. http://www.test.com/123456789/testsite1

    I need to remove the /123456789 before passing to pool and then add it back in before responding to clients.

    As the string will be randomly generated I cannot use a string replace.

    I was looking at stream profiles too but not sure which option would work best?

    Any thoughts?

  • "I need to remove the /123456789 before passing to pool and then add it back in before responding to clients."

    Can we strip off random string using "scan" command and set new uri using "HTTP::uri" command? I do not think we need to put random string back because HTTP::uri does not change uri in browser.

    % set uri "/123456789/testsite1"
    /123456789/testsite1
    % scan $uri {/%*[^/]%s} real
    1
    % put $real
    /testsite1
    

    HTTP::uri wiki

    https://devcentral.f5.com/wiki/iRules.HTTP__uri.ashx

    hope this helps.
  • Nitass - thanks for response.

    Not sure I follow this though?

    % set uri "/123456789/testsite1"
    /123456789/testsite1
    % scan $uri {/%*[^/]%s} real
    1
    % put $real
    /testsite1

    I was looking at doing this:

    if {[HTTP::uri] starts_with "/xxl"} {
        HTTP::uri [string range [HTTP::uri] 9 end]
    }

    Which would mean they would need to start their random string with xx and IRULE would strip off the characters.

    I could then add this back in under HTTP response?

  • Arie

    I noticed that you're using a 302 to send people to the Not Found page:

    HTTP::respond 302 noserver Location "http://www.test.com/notfound"

    Depending on how that page is handled you may be sending a 200 OK instead of a 404 (or 410), which can cause all kinds of issues (e.g. monitoring, SEO).

    Also, if the URL will never be used again you'll want to use a 301 instead of a 302.

  • Thanks Arie

    We use the 302/Notfound on a lot of our sites and I am not aware of any issues.

    Also - the URL depends on what they have entered so it's not guaranteed to be a 301.

    Regards

    Graham

  • "I could then add this back in under HTTP response?"

    I do not think you have to add random string back in response because response does not contain uri.

    e.g.

    [root@ve10:Active] config  curl -I http://173.194.38.151 -H "Host: www.google.com.sg"
    HTTP/1.1 200 OK
    Date: Sat, 26 Jan 2013 05:36:46 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=ISO-8859-1
    Set-Cookie: PREF=ID=626f6a4a1383b4d0:FF=0:TM=1359178606:LM=1359178606:S=HiBcK-bkAGzoSgye; expires=Mon, 26-Jan-2015 05:36:46 GMT; path=/; domain=.google.com.sg
    Set-Cookie: NID=67=PQ8Uh28-eIqGM8pHjg7epoVjKgqvs8OGq4gYUr1-rFpuOIwN2nGWBy72iIpF2nqlEu51v6KDfWHnlKl2bDeAhyQsSllHNjHlvMf972l8ho46SU8rBcZFlSqXRpkSdfm6; expires=Sun, 28-Jul-2013 05:36:46 GMT; path=/; domain=.google.com.sg; HttpOnly
    P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
    Server: gws
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    Transfer-Encoding: chunked
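
The date check, the scan-based prefix removal and the status-code point raised in this thread, combined into one iRule as an added example (not code from any poster). It assumes the thread's CLASS_DATE_CHECK data group with lower-case keys and expiry values stored as YYYYMMDD; the sample record in the comment is constructed, and matching on the decoded path is a choice made here.

```tcl
# Added example, not from the thread. Assumes a string data group named
# CLASS_DATE_CHECK whose keys are lower-case "/<token>/<path>" prefixes and
# whose values are expiry dates written as YYYYMMDD, for instance the
# constructed record:  "/123456789/validuri" := "20121220"
when HTTP_REQUEST {
    # Look up the decoded, lower-cased path only, so a query string or
    # percent-encoded characters do not change which record is selected.
    set path [string tolower [URI::decode [HTTP::path]]]
    set expiry [class match -value $path starts_with CLASS_DATE_CHECK]
    set today [clock format [clock seconds] -format {%Y%m%d}]

    # Fail closed: no record, a malformed date, or a date before today all
    # get the same 404, answered by the BIG-IP itself instead of a redirect.
    # YYYYMMDD is used because it sorts in calendar order; MMDDYYYY does not.
    if { ![regexp {^\d{8}$} $expiry] || $expiry < $today } {
        log local0. "denied uri=[HTTP::uri] expiry='$expiry' today=$today"
        HTTP::respond 404 content "Not Found" noserver
        return
    }

    # Drop the first path segment (the random token) before the request is
    # sent to the pool. Nothing is added back on the response side.
    if { [scan [HTTP::uri] {/%*[^/]%s} real] == 1 } {
        HTTP::uri $real
    }
}
```

A URI stays valid through its expiry date and is refused from the following day, which matches the `<` comparison in the iRule posted earlier in the thread.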