For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

k20's avatar
k20
Icon for Nimbostratus rankNimbostratus
Dec 04, 2020

Need help to whitelist URI's

I need some help with the iRule. The goal is to allow users to access a limited number of URI's from the Internet but open to all for internal users.   I have created a datagroup that contains th...
application delivery
iRules
Enes_Afsin_Al's avatar
Enes_Afsin_Al
Icon for MVP rankMVP
Dec 04, 2020

If you want external network clients access to app.com/*

when HTTP_REQUEST {
	if { [class match [IP::client_addr] equals internal_subnets] || [HTTP::host] equals "app.com" } {
		pool app_80_pool
	}
	else {
		switch -glob [HTTP::uri] {
			"/foo/combined.js*" -
			"/foo/css/*" -
			"/foo/desktopreset" -
			"/foo/doc/*" -
			"/foo/error404.html" -
			"/foo/external/*" -
			"/foo/favicon.ico" -
			"/foo/home.jsf" -
			"/foo/images/*" -
			"/foo/include/*" -
			"/foo/javax.faces.resource/*" -
			"/foo/login.jsf" -
			"/foo/resources/*" -
			"/foo/scripts/*" -
			"/foo/ui/*" -
			"/foo/user/*" { pool app_80_pool }
			default { HTTP::redirect "http://app.com/sorry.html" }
		}
	}
}

  • k20's avatar
    k20
    Icon for Nimbostratus rankNimbostratus
    Dec 04, 2020

    OK now external users can get to http://app.com which is great. However, when I type some random URI's other then the ones listed in the iRule such as:

     

    http://app.com/<some_random_string>

     

    it doesn't redirect to the sorry.html page. I want it to redirect to the sorry.html page if nothing else matches all of the conditions above (i.e. the internal subnets, the homepage and all URI's in that whitelist).

     

     

    • Enes_Afsin_Al's avatar
      Enes_Afsin_Al
      Icon for MVP rankMVP
      Dec 04, 2020

      In below rule, you may need more uri for switch list. for example "index.php".

      You should add them in switch func.

      when HTTP_REQUEST {
	if { [class match [IP::client_addr] equals internal_subnets] } {
		pool app_80_pool
	}
	else {
		switch -glob [HTTP::uri] {
			"/" -
			"/sorry.html" -
			"/foo/combined.js*" -
			"/foo/css/*" -
			"/foo/desktopreset" -
			"/foo/doc/*" -
			"/foo/error404.html" -
			"/foo/external/*" -
			"/foo/favicon.ico" -
			"/foo/home.jsf" -
			"/foo/images/*" -
			"/foo/include/*" -
			"/foo/javax.faces.resource/*" -
			"/foo/login.jsf" -
			"/foo/resources/*" -
			"/foo/scripts/*" -
			"/foo/ui/*" -
			"/foo/user/*" { pool app_80_pool }
			default { HTTP::redirect "http://app.com/sorry.html" }
		}
	}
}
    • k20's avatar
      k20
      Icon for Nimbostratus rankNimbostratus
      Dec 04, 2020

      This new switch "/" - seems to break everything. The list of URI's above is inclusive. There shouldn't be any more to add.