Forum Discussion
IRULE to restrict a specific url after initiated first session
Hi Saidur900,
No worries about changes in the URI, as you can use the "starts_with" or "contains" operators if your URI is not static.
So now your requirement is:
You need only one connection in BIG-IP to access this URI, and any other connection that requests this URI should be dropped, regardless of Client A or B. You only need this URI to be accessed one time, by only one exclusive connection through BIG-IP, and if this connection has finished or timed out, any client is allowed to access it.
So one connection to this URL at a time?
Hi Kanosh,
Yes, a single connection to this URL at a time. This URL contains sensitive information, so I need a solution. I don't understand where to start.
- Aug 27, 2023
Hi Saidur900,
I believe that you can do that using a "table" iRule, setting a connection limit of 1 connection,
and making the condition the URL instead of the client IP address.
Use this article as a starting point: https://community.f5.com/t5/technical-forum/connection-limit-for-a-uri-path/td-p/223207
So briefly: I think your requirement will be met by setting two conditions (connection limit equal to 1 and URI contains "/api/info/").
Of course it will need much testing. I don't have your deployment to test it, and it may take much time.
I will mention Mr. JRahm; he may give us clues, as he is very experienced with iRules, especially complex ones.
- JRahm, Aug 28, 2023, Admin
Hi Saidur900, not tested, but to give an idea, you can use the table command to add a key of your random string to the session table, and then upon any other request, if the key is there, the connection will be dropped. I have an indefinite timer here, but the more random strings you have, the larger your memory footprint will grow over time, so be careful unless you're going to flush the table on occasion. I'd recommend a timeout far less, or at least have an automated process to flush the table. But... it's possible. Again, the code is untested, but should get you started. Note that this assumes the HTTP::path ends with your random string. If not, it will need to be adjusted.
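when HTTP_REQUEST priority 500 {
    ### Assumes the random string completes the HTTP path! ###
    if {[string match "/api/info/ms*" [HTTP::path]]} {
        # The key is everything from index 13 of the path onward (the random string).
        # Read it from [HTTP::path]; no $uri variable is set in this iRule.
        set key [string range [HTTP::path] 13 end]
        if {[table lookup -- -subtable api_paths $key] != ""} {
            # Key already recorded: drop this request
            drop
        } else {
            # First request for this key: record it with no expiry
            table set -- -subtable api_paths $key 1 indefinite
        }
    }
}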
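
Added example, not part of any poster's reply and not tested on a BIG-IP: one way to get the "one connection at a time, released when it finishes or times out" behaviour discussed in this thread, using an atomic `table add` as the lock and `CLIENT_CLOSED` to release it. The subtable name `api_lock`, the 300-second idle timeout, and the client IP:port connection id are assumptions.

```tcl
when CLIENT_ACCEPTED {
    # Per-connection state: an id for this client connection (assumed unique
    # among concurrent connections) and the lock keys it currently holds.
    set conn_id "[IP::client_addr]:[TCP::client_port]"
    set held_keys [list]
}

when HTTP_REQUEST priority 500 {
    # Protected prefix taken from the thread; adjust to the real URI.
    if { [HTTP::path] starts_with "/api/info/" } {
        set key [HTTP::path]
        # table add writes only when the key is absent and returns the value
        # stored afterwards, so check-and-set happens in one step.
        # -notouch keeps blocked retries from extending the holder's timer.
        set owner [table add -notouch -subtable api_lock $key $conn_id 300]
        if { $owner ne $conn_id } {
            # Another connection holds this URL: drop, as in the thread's sketch.
            drop
            return
        }
        # This connection is the holder: a plain lookup refreshes the idle timer.
        table lookup -subtable api_lock $key
        if { [lsearch -exact $held_keys $key] == -1 } {
            lappend held_keys $key
        }
    }
}

when CLIENT_CLOSED {
    # Release every lock this connection still owns. The ownership check
    # avoids deleting a lock that expired and was re-taken by someone else.
    foreach key $held_keys {
        if { [table lookup -notouch -subtable api_lock $key] eq $conn_id } {
            table delete -subtable api_lock $key
        }
    }
}
```

The finite timeout bounds the table's memory use and clears a lock even if the close event is never processed for the holder.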