

tiwang_122270
Mar 05, 2014

need help to simple redirect and whitelist of uri

Hi out there, I have a few small problems where I need a bit of help. First, I need to ensure that when a client visits a given site he will be directed to only one URI, e.g.:

 

Externally we are launching https://front-site.dk, which internally connects to http://web01.internal.local/webconnect

 

Second, I need to ensure that only a given set of URIs can be accessed, e.g.:

 

https://front-site.dk/webservice1.aspx, https://front-site.dk/webservice2.aspx, but not e.g. webservice3.aspx

 

I have tried to look at a solution offered to someone here who was running an LTM 9.x (we have 11.3), but I have some problems with getting the syntax correct for the datagroups. Can you try to show me a simple sample? I have been looking at the fields offered in the http-profile for URIs. Can this be used for this? And if so, how?

 

Best regards /ti

 

3 Replies

  • Try this:

    (string-based) Data group:

    ltm data-group internal my_allowed_uris {
        records {
            /webservice1.aspx { }
            /webservice2.aspx { }
        }
        type string
    }
    

    iRule:

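    when HTTP_REQUEST {
        # Allow the root URI and any URI that starts with an entry in my_allowed_uris
        if { ( [HTTP::uri] equals "/" ) or ( [class match [string tolower [HTTP::uri]] starts_with my_allowed_uris] ) } {
            # Root requests are rewritten to the application path before going to the pool
            if { [HTTP::uri] equals "/" } {
                HTTP::uri "/webconnect"
            }
            return
        } else {
            # Anything else: reset the connection
            reject
        }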
    }
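
A stricter variant of the iRule above, as an added example that is not part of the reply: `starts_with` on `HTTP::uri` also accepts any longer URI that begins with an allowed entry, so this version compares the path exactly against the same `my_allowed_uris` data group (the query string is left out of the comparison) and logs what it rejects. The log wording and the `local0.` facility are assumptions.

```tcl
when HTTP_REQUEST {
    # HTTP::path excludes the query string, so "/webservice1.aspx?id=1"
    # is compared as "/webservice1.aspx".
    set path [string tolower [HTTP::path]]

    if { $path equals "/" } {
        # Root request: rewrite to the application entry point, as in the reply.
        HTTP::uri "/webconnect"
        return
    }

    # Exact match only: "/webservice1.aspx" passes,
    # "/webservice1.aspx.bak" or "/webservice1.aspx/extra" does not.
    if { [class match $path equals my_allowed_uris] } {
        return
    }

    # Everything else: record the request, then reset the connection.
    log local0. "URI not in my_allowed_uris: [HTTP::host][HTTP::uri] from [IP::client_addr]"
    reject
}
```

The data group keys must stay lowercase, because the path is lowercased before the lookup.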
    
  • tiwang

    Hi again

     

    Thanks Kevin, it looks as if it works fine. Could I achieve the same result through defining a custom httpclass for this VS and defining the URIs in there? Or do I miss the flexibility in the datagroup tables then?

     

    Best regards /ti

     

  • could I achieve the same result through defining a custom httpclass

     

    Yes you could, but I don't think it'd be any less complex.

     

    1st httpclass: "root"

     

    • URI Paths: Match Only
    • URI Pattern: /
    • Entity Type: Pattern String
    • Send to: None
    • Rewrite URI: /webconnect

    2nd httpclass: "webservice"

     

    • URI Paths: Match Only
    • URI Pattern: /webservice1.aspx
    • URI Pattern: /webservice2.aspx
    • Entity Type: Pattern String
    • Send to: None
    • Rewrite URI: Empty

    3rd httpclass: "all-others"

     

    • URI Paths: Match All
    • Send to: Redirect to
    • Redirect to: Location: [some arbitrary URI]

    These HTTP classes would need to be applied to the VIP in this order, and you can't drop a request like you can in the iRule, so you'd most likely have to redirect the user to something.