Forum Discussion

JamesB12's avatar
JamesB12
Icon for Altocumulus rankAltocumulus
Nov 25, 2022

Need iRule to block the traffic for specific URL

Hello Can somebody help on this please?   I have LTM appliance & Virtual server 'https://www100.test.com' hosted. The requirement I have is to block all the traffic destinated to one of the appli...
f5
irule
LTM
security
URL Blocking
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Nov 25, 2022

Hi James,

The provided example in K74012450 allows you to block certain URIs for external IPs. Its probable not the right (to complex) solution if you want to block access to a given URI for all clients.

Depending on how the "block" action should be you may use one of the iRule snippets below:

Intercept the Request and send HTTP 403 "Access Denied" response to the User-Agent:

 

 

Intercept the Request and send HTTP 403 "Access Denied" response to the User-Agent:

when HTTP_REQUEST {
	if { [string tolower "[HTTP::host][HTTP::path]"] starts_with "www100.test.com/ce" } then {
		HTTP::respond 403 content "<html><body><h1>Access Denied</h1></body><html>" "Content-Type" "text/html"
	}
}

 

 

Intercept the Request and redirect the User-Agent to a custom error page or landing URL:

 

 

when HTTP_REQUEST {
	if { [string tolower "[HTTP::host][HTTP::path]"] starts_with "www100.test.com/ce" } then {
		HTTP::respond 302 "Location" "/error_page.html"
	}
}

 

 

If the block list gets more complex (e.g. more entries) you may need a different technique to filter URLs. Also keep in mind that the block list in my examples are filtering request to "www100.test.com/ce*". If your web application is also accesible via lets say "https://212.212.212.212/ce" then the filtering wont work. You may need to skip checking of the HOST-Name to make the black-listing more robust...

Cheers, Kai

  • JamesB12's avatar
    JamesB12
    Icon for Altocumulus rankAltocumulus
    Nov 25, 2022

    Thanks for that , Should be OK with sending 

    HTTP::respond 403

    If i need to filter specific Source IPs say from Whitelist1 Data group allow it, block rest of it for the same URL  "www100.test.com/ce". How do i match the condition with the below iRule.

     

    when HTTP_REQUEST {
    if { [string tolower "[HTTP::host][HTTP::path]"] starts_with "www100.test.com/ce" } then {
    HTTP::respond 403 content "<html><body><h1>Access Denied</h1></body><html>" "Content-Type" "text/html"
    }

     

    Thanks

    • ScottE's avatar
      ScottE
      Icon for MVP rankMVP
      Nov 25, 2022

      JamesB12 

      Sounds like the piece you are looking for is a class match for the whitelist.

      when HTTP_REQUEST {
      if { [string tolower "[HTTP::host][HTTP::path]"] starts_with "www100.test.com/ce" } then {

          if { [class match [IP::client_addr] equals Whitelist1] } {
              log local0.info "TESTCE: Acceptable usage from [IP::remote_addr]"

          } else {
              HTTP::respond 403 content "<html><body><h1>Access Denied</h1></body><html>" "Content-Type" "text/html"

             return
         }

      }

      You can also have a pool selection with the log statement if the traffic goes to a specific pool.  You can also just negate the "if" condition if you only want to action if the IP is not in the whitelist.

      Scott