Forum Discussion
Torsten_Heß_937
Nimbostratus
May 03, 2005
Matchclass HTTP::HOST
Hello,
I have a problem concerning the following rule. I tried to migrate a 4.x rule to a 9.5 rule and it failed. The rule is accepted but didn't work.
The 4.x rule looks like:
if (http_host == one of test-DE-Domain) {
    use pool Test-pool
}
else {
    log "Attack: " + client_addr + " -> " + http_host + http_uri
    discard
}
The 9.x should look like:
I defined a class
class test-DE-Domain {
    "www.test"
    "www.test1"
}
a pool
pool Test-Pool {
    monitor all tcp
    member 10.10.10.1:80
    member 10.10.10.2:80
}
and the rule
when HTTP_REQUEST {
    if { [matchclass [HTTP::host] equals $::test-DE-Domain] } {
        use pool Test-Pool
        log "[HTTP::uri]"
    } else {
        log local "Failed"
    }
}
What's wrong with the rule?
Thanks!
2 Replies
Colin_Walker_12
Historic F5 Account
First of all, without further information as to how things are actually behaving and failing, I can't be certain of the cause of the problem.
However, it appears as though you're using a matchclass statement when attempting to match only part of a string. As has been discussed, the matchclass function will match against an exact string. To search for only part of a string, you’ll want to use “contains”, instead of “equals” in conjunction with the matchclass function.
In your example, you define this class:
class test-DE-Domain {
    "www.test"
    "www.test1"
}
And then search for the host like this:
if { [matchclass [HTTP::host] equals $::test-DE-Domain] } {
What this is saying, is that if the host is exactly "www.test" or "www.test1", it will match. This does not account for a domain extension. So, while "www.test" matches, "www.test.com" does not. This holds true for any extension added to "www.test" or "www.test1" to make them viable, fully qualified domain names.
So, unless you're using custom hosts files to eliminate the need for the domain extensions, your rule will likely not function, as it won't match the HTTP::host since the host will actually be something to the effect of "www.test.com" or "www.test1.co.uk", depending on the domain extension.
Try replacing “equals” with “contains” in your if statement, and see if you get better results.
So, the modified rule would look something like this:
when HTTP_REQUEST {
    # braces around the class name keep Tcl from ending the variable name at the first hyphen
    if { [matchclass [HTTP::host] contains ${::test-DE-Domain}] } {
        pool Test-Pool
        log "[HTTP::uri]"
    } else {
        log "Failed"
    }
}
I'd be happy to take another look with some more info if this doesn't answer your questions.
-CW
Stephan_Manthey
Historic F5 Account
hi,
I tried this one:
class test_de_domain {
    "www.test1"
    "www.test2"
}
when HTTP_REQUEST {
    if { [matchclass [HTTP::host] starts_with $::test_de_domain] } {
        pool test_pool_http
        log local0. "[HTTP::host] Forwarded"
    } else {
        pool drop_pool_http
        log local0. "[HTTP::host] Failed"
    }
}
now "tail -f /var/log/ltm" returns as expected:
May 18 20:15:51 tmm tmm[643]: Rule http_irule1 : www.test1 Forward
May 18 20:15:55 tmm tmm[643]: Rule http_irule1 : www.test2 Forward
May 18 20:15:58 tmm tmm[643]: Rule http_irule1 : www.test3 Failed
regards
stephan
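The difference between the three matchclass operators discussed in both replies (equals, contains, starts_with), modelled as an added Python example that is not iRule code and not from either poster. It uses the original poster's class members without domain extensions, plus a second class of full host names, and the constructed host values are mine. The point for a defender: the Host header is client-supplied, so the looser operators accept any host that merely carries the prefix (including "www.test3" when "www.test" is a member), while an exact-match class of full host names accepts only what you listed.

```python
# Model of BIG-IP 9.x matchclass semantics: equals is an exact string
# comparison, contains is a substring test, starts_with is a prefix test.
# This is an illustration of the behaviour discussed in the thread, not F5 code.

# The original poster's class: members without a domain extension.
TEST_DE_DOMAIN = ["www.test", "www.test1"]

# Constructed stricter class: full host names, for use with "equals".
TEST_DE_DOMAIN_FQDN = ["www.test.com", "www.test1.co.uk"]

OPERATORS = ("equals", "contains", "starts_with")


def matchclass(value: str, operator: str, members) -> bool:
    """Return True if `value` matches any member of the class under `operator`."""
    if operator == "equals":
        return any(value == m for m in members)
    if operator == "contains":
        return any(m in value for m in members)
    if operator == "starts_with":
        return any(value.startswith(m) for m in members)
    raise ValueError(f"unknown matchclass operator: {operator}")


def route(host: str, operator: str, members=TEST_DE_DOMAIN) -> str:
    """Pool decision the rule would take for a request with this Host header."""
    return "Test-Pool" if matchclass(host, operator, members) else "drop"


def evaluate(host: str, members=TEST_DE_DOMAIN) -> dict:
    """Result of every operator for one host, to compare them side by side."""
    return {op: matchclass(host, op, members) for op in OPERATORS}


if __name__ == "__main__":
    # Constructed sample Host header values.
    for host in ("www.test", "www.test.com", "www.test1.co.uk",
                 "www.test3", "www.test1.co.uk.other.example"):
        print(f"{host:32} {evaluate(host)}")
    print("strict:", evaluate("www.test1.co.uk.other.example", TEST_DE_DOMAIN_FQDN))
```

Run as a script it prints one line per sample host showing which operators accept it; with the original class, "www.test.com" fails under equals but passes under contains and starts_with, and "www.test3" also passes under both looser operators because "www.test" is a prefix of it. The stricter class with full host names rejects a host that only begins with a listed name.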
