Forum Discussion

cgwin12's avatar
cgwin12
Icon for Altostratus rankAltostratus
Apr 25, 2024

Need help on i-rule to specific uri path

Hello All,   I'm working on an i-rule that I need to do the following; given a set of specific source ip addresses, only allow access to specific uris of /ws/rest/external*.    I set the specific...
application delivery
event
security
cgwin12's avatar
cgwin12
Icon for Altostratus rankAltostratus
May 23, 2024

Sanjay and Aaron, thanks for your input.v I'm getting a little closer. On the initial HTTP GET request this i-rule is working. However, when the testers attempt a POST, they error out with the insecure message. 

I have pasted the new i-rule below. I also added logging to find out why the connection is getting reset. 

The output of the log is also below the i-rule. It is the result of running a tail. It is run, greping the i-rule. 

tail -f /var/log/ltm | grep /Common/Boomi_external_redirect

Thanks for your input so far, we're close. 

 

when CLIENT_ACCEPTED {
  if { [class match [IP::client_addr] equals Boomi_external] } {
     pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
 }
}

when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri -normalized]] {
            "/ws/rest/external*" {
            if { [class match [IP::client_addr] equals Boomi_external] } {
            pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
            } else {
             reject
              } log local0. "HTTP::reject_reason"
            } default {
          log local0. "HTTP Headers = [HTTP::host], [HTTP::uri]"
            
}
         }
      }

 

OUTPUT OF THE ERROR:

 

May 23 09:22:41 bigip1.lanl.gov err tmm1[22445]: 01220001:3: TCL error: /Common/Boomi_external_redirect <HTTP_REQUEST> - wrong # args: extra words after "else" clause in "if" command     while compiling "if { [class match [IP::client_addr] equals Boomi_external] } {               pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool                    } else {              reject    ..."     ("/ws/rest/external/*" arm line 2)     invoked from within "switch -glob [string tolower [HTTP::uri -normalized]] {                 "/ws/rest/external/*" {             if { [class match [IP::client_addr] equals Boomi_..."

 

 

 

  • spalande's avatar
    spalande
    Icon for Nacreous rankNacreous
    May 29, 2024

    Please don't complicate iRule by adding client_accepted event and syntaxes like HTTP::reject_reason or HTTP::has_responded. Please use the iRule posted earlier.  Please take default action as appropriate in your case. 

     

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri -normalized]] {
            "/ws/rest/external*" 
	   {
            if { [class match [IP::client_addr] equals Boomi_external] } {
            pool esd-bmapi-dc1-as01-f5.lanl.gov_8077_pool
            } else {
			log local0. "rejected access to /ws/rest/external for [IP::client_addr]"
             drop
              } 
            } default {
	     return
           }
         }
      }

     

    For insecure errors, please check the SSL certificate is correctly added to your clientssl profile, it's trusted by the client and has correct intermediate cert associated with it.