Forum Discussion
Michael_A__Fied
Nimbostratus
May 21, 2010
iRule using URI classes to restrict access
(version 9.4.7)
I have been restricting access to certain pools via the following iRule statement:
    if { [matchclass [IP::client_addr] equals $::TrustedIPs] and [matchclass [HTTP::path] starts_with $::SomeURIs] } {
        pool secure_pool
        return
    } else {
        pool public_pool
        return
    }
The SomeURIs class contains elements like "/foo" and "/bar".
It seems like when I use a double slash, i.e. "http://myvirtualip//foo" the iRule statement doesn't come into effect.
Thoughts, considerations?
4 Replies
- Michael_Yates
Nimbostratus
The [HTTP::path] starts at the first "/" so you will either have to account for it in your matchclass or add to your iRule to look for it and remove it.
    HTTP::uri [string map {"//" "/"} [HTTP::uri]]
Wiki Entry for [HTTP::path] - http://devcentral.f5.com/wiki/default.aspx/iRules/http__path.html
- Michael_A__Fied
Nimbostratus
Posted By Michael Yates on 05/21/2010 03:04 PM
> The [HTTP::path] starts at the first "/" so you will either have to account for it in your matchclass or add to your iRule to look for it and remove it.
>     HTTP::uri [string map {"//" "/"} [HTTP::uri]]
> Wiki Entry for [HTTP::path] - http://devcentral.f5.com/wiki/default.aspx/iRules/http__path.html
Awesome, thanks, I'll test that later. Is there any major advantage to performing the string map replace on the HTTP::uri vs the HTTP::path? We use extensive URIs and probably don't need to evaluate all the params in them.
- Michael_A__Fied
Nimbostratus
Even more importantly, what about replacing any amount of slashes with a single one? How can I string map look for a series of slashes and replace them with only one?
- hoolio
Cirrostratus
string map can't recursively perform substitutions:
http://www.tcl.tk/man/tcl8.4/TclCmd/string.htmM34
string is only iterated over once, so earlier key replacements will have no effect for later key matches.
You could either loop string map while there aren't instances of // or you could use regsub to search for //+ and replace it with /. However, if you're trying to handle obfuscation techniques, there are many more to account for than multiple forward slashes. As you're whitelisting based on IP address, obfuscation attempts might not be so much of a concern though. See these recent posts for more examples:
irule based on ip and url
http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/1171094/afv/topic/Default.aspx1171131
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3090031324
Aaron
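A worked version of the two approaches Aaron describes, as an added example that is not code from this thread or from F5: the request path is collapsed before the class lookup, either with regsub (every run of slashes in one pass) or by repeating string map until no "//" is left, and the pool decision is then made on the normalized value. The class names TrustedIPs and SomeURIs, the pool names and the v9-style matchclass syntax are taken from the original post; the variable names and the log line are assumptions of this example.

```tcl
when HTTP_REQUEST {
    # Work on HTTP::path (no query string) so "//" inside parameter
    # values is left alone and only the resource path is normalized.
    set raw_path [HTTP::path]
    set path $raw_path

    # Option 1 (regsub, as Aaron suggests): one pass turns every run of
    # one or more "/" into a single "/", so "///foo" becomes "/foo".
    regsub -all {/+} $path "/" path

    # Option 2 (string map in a loop) gives the same result without
    # regsub: string map scans its input only once, so "///" is still
    # "//" after one call; repeat until no "//" remains:
    #   while { [string first "//" $path] != -1 } {
    #       set path [string map {"//" "/"} $path]
    #   }

    # A path that changed under normalization is worth a log line: it is
    # exactly the request the raw check would have classified differently.
    if { $path ne $raw_path } {
        log local0. "path normalized for [IP::client_addr]: $raw_path -> $path"
    }

    # Make the pool decision on the normalized path, not the raw one.
    if { [matchclass [IP::client_addr] equals $::TrustedIPs] and [matchclass $path starts_with $::SomeURIs] } {
        pool secure_pool
        return
    }
    pool public_pool
}
```

The request itself is forwarded unchanged; if the back end should also receive the collapsed form, rewrite it after the decision with the HTTP::uri string map line from Michael's reply. This only covers repeated slashes: dot segments, percent-encoding and case differences are separate normalization steps, and, as Aaron notes, a whitelist keyed on trusted source addresses limits how much they matter here.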